Guys,
please stop spamming the dev mailing list with this. Take the problem
off list, since this is not a Maven problem.
M
-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail:
> https://github.com/jveverka/mvn-dependency-log4j/commit/ac87977c19bb2ee2564d15fa87f255d621a4706d
https://github.com/pzygielo/mvn-dependency-log4j/runs/5425284512?check_suite_focus=true#step:5:1
No log4j:1.2.12:jar is downloaded in that reproducer.
log4j/log4j is excluded by commons-logging
Hi David
Thank you for summarizing the problem, let me explain some details:
1. "The business application is not exposed" - true
2. "The maven build environment might (can’t confirm at this point)
download a transitive dependency on log4j 1.x" - this is true, build
environment and
Hi David,
Thanks for the summary and the suggestion. Sure, we will look at how best
we can handle this with our Security team.
Thanks,
Venu
On Thu, Mar 3, 2022 at 4:20 AM David Milet wrote:
> Hey guys
> Let’s be courteous and civil.
>
> As part of vulnerability management, an assessment has
Adding Juraj back in the chain as I see that he is removed.
Juraj,
Can you please look at the below 6 emails in this chain?
Thanks,
Venu
On Thu, Mar 3, 2022 at 3:07 AM John Patrick wrote:
> Sorry I thought you were talking about log4j v2, not v1. I can see it
> downloads the metadata
ncreased in 2.17.2 or 2.12.4.
> >>
> >> Regards
> >> Bernd
> >> --
> >> http://bernd.eckenfels.net
> >>
> >> From: Martin Gainty
> >> Sent: Thursday, March 3, 2022 1:18:50 PM
> >> A
n.apache.org <
>> iss...@maven.apache.org>; VZ-Product-OneTalk <
>> vz-product-onet...@verizon.com>; Danylo Volokh <
>> danylo.vol...@globallogic.com>
>> Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
>>
>> I *thought* log4j 1.2.15
nylo Volokh <
> danylo.vol...@globallogic.com>
> Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
>
> I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security
> Vulnerability?
> Is this not the case?
> Thanks John
> M.
>
>
>
> Sent from
Martin Gainty
> Sent: Thursday, March 3, 2022 1:18:50 PM
> To: Maven Developers List
> Cc: David Milet ; iss...@maven.apache.org <
> iss...@maven.apache.org>; VZ-Product-OneTalk <
> vz-product-onet...@verizon.com>; Danylo Volokh <
> danylo.vol...@globallog
Bernd
--
http://bernd.eckenfels.net
From: Martin Gainty
Sent: Thursday, March 3, 2022 1:18:50 PM
To: Maven Developers List
Cc: David Milet ; iss...@maven.apache.org
; VZ-Product-OneTalk ;
Danylo Volokh
Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
Milet , iss...@maven.apache.org,
VZ-Product-OneTalk , Danylo Volokh
Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities
Sorry I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars;
local-repo/log4j
local-repo/log4j
Hey guys
Let’s be courteous and civil.
As part of vulnerability management, an assessment has to be made about the
potential security impact of a vulnerability in software.
New vulnerabilities are found every day on older components and it is not
practical nor feasible to chase down every
Sorry I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars;
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j
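The distinction John draws above (pom and checksum metadata fetched, but no jar) is what matters when a scanner flags a build host. As an added example, not code from this thread or from the Maven project, here is a POSIX shell check over a local repository layout that reports whether any log4j:log4j 1.x jar is actually present; the sample repository it builds is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example: tell a real log4j:log4j 1.x jar in a Maven local repository
# apart from pom/sha1 metadata only. Assumes the standard ~/.m2/repository
# directory layout (groupId/artifactId/version/files).

# Print every log4j:log4j 1.x jar under the given repository root.
# Returns 0 when none exists (metadata only), 1 when at least one jar is present.
log4j1_jars() {
    repo="$1"
    found=0
    for f in "$repo"/log4j/log4j/1.*/log4j-*.jar; do
        [ -f "$f" ] || continue   # unmatched glob stays literal; skip it
        echo "$f"
        found=1
    done
    return $found
}

# Count the metadata-only files (pom and checksum) for the same coordinates.
log4j1_metadata_count() {
    repo="$1"
    n=0
    for f in "$repo"/log4j/log4j/1.*/log4j-*.pom "$repo"/log4j/log4j/1.*/log4j-*.sha1; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample repository: only the 1.2.12 pom and its checksum, as in
# the listing from the thread, plus a real log4j-core 2.17.1 jar.
make_sample_repo() {
    repo="$1"
    mkdir -p "$repo/log4j/log4j/1.2.12" "$repo/org/apache/logging/log4j/log4j-core/2.17.1"
    : > "$repo/log4j/log4j/1.2.12/log4j-1.2.12.pom"
    : > "$repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1"
    : > "$repo/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar"
}

# Demo run on the constructed repository.
tmp=$(mktemp -d)
make_sample_repo "$tmp"
if log4j1_jars "$tmp"; then
    echo "no log4j 1.x jar present; metadata files only: $(log4j1_metadata_count "$tmp")"
else
    echo "log4j 1.x jar(s) present, see listing above"
fi
rm -rf "$tmp"
```

Point it at a CI runner's `~/.m2/repository` to see whether the scanner is matching a jar or only the downloaded pom.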
That was just to demonstrate how i got the dependency chain, that file
was there, but if you're going to be this hostile, i'm not interested
anymore, muting thread
On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło wrote:
>
> On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs wrote:
> >
> > Can confirm this
On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs wrote:
>
> Can confirm this project downloads log4j 1.12.12 for me
As I see it - you confirm something else.
> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
_artifact
Hello,
Can confirm this project downloads log4j 1.12.12 for me
rm -rf ~/.m2/repository/log4j/log4j
sudo chown root:root ~/.m2/repository/log4j/log4j
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy
(copy-artifact) on project demo: Execution
On Thu, 3 Mar 2022 at 07:27, Jaladi, Venumadhav
>
> Below I am pasting some of the information on the 3 vulnerabilities from
> our report.
It's hard to talk about that report, since (as said at least twice) the linked
reproducer does not demonstrate that it actually downloads the vulnerable
log4j:1.2.12 jar.
--
Hi,
Below I am pasting some of the information on the 3 vulnerabilities from
our report. FYI, I removed the information about the server details and
also trimmed the file path. This report is generated by the Tenable agent.
Severity scandate Vuln Name Description Summary Fix CVE ID CVS Base
You might need to raise a bug with your security scanner regarding false
positives.
So in your dependency tree I only see log4j 2.17.1; i.e.
Your Pom
- org.springframework.boot:spring-boot-starter-web:2.6.4
-- org.springframework.boot:spring-boot-starter-web:2.6.4
---
Hi David
Just for clarification: we are not relying on the maven dependency plugin
at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
The problem is that our security scanners are scanning gitlab runner nodes
(virtual machines on which we compile and package our application) and
Juraj,
I have run this command on your reproducer and in "tmp" I cannot find
log4j versions other than 2.17.1
mvn clean install -X -Dmaven.repo.local=tmp > out.txt
Enrico
On Mon, 28 Feb 2022 at 13:52, Juraj Veverka
wrote:
>
> Hi David
>
> Many thanks for your email, I really
Hi David
Many thanks for your email, I really appreciate your reply. This is an
isolated example of the problem.
https://github.com/jveverka/mvn-dependency-log4j
You can find all repro steps there. In case of any questions, feel free
to contact me.
Kind regards
Juraj Veverka
On Mon, Feb 28,
Where I work we decided to address log4j vulnerabilities only for components
directly used by the application and actually performing logging.
We ignored transitive dependencies and maven plug-ins.
I’m curious about this use case from Venu though, what application would rely
on the maven
Hi,
Please provide more information, like plugin, maven, os version.
We also need an example project which reproduces your issue.
When we can't reproduce we can't help.
On Mon, 28 Feb 2022 at 08:55, Jaladi, Venumadhav
wrote:
> Hi team,
>
> Can I expect any response? Is this the right email