Cary Mader created MDEP-902:
-------------------------------

             Summary: plugin has dependency on log4j version with vulnerability
                 Key: MDEP-902
                 URL: https://issues.apache.org/jira/browse/MDEP-902
             Project: Maven Dependency Plugin
          Issue Type: Dependency upgrade
    Affects Versions: 3.6.1
            Reporter: Cary Mader


We have Maven projects using the dependency plugin; when it executes, it causes 
Maven to pull the log4j jar version 1.2.12 into the local Maven repos on build 
servers, and then scanners flag that jar as having a vulnerability, 
which causes us a lot of noise.

The dependency GAV is log4j / log4j / 1.2.12.

I have seen this with the latest version, 3.6.1.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
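To find which artifact drags log4j 1.2.12 into a build, a practitioner can parse tree-style dependency output and report the full ancestor chain rather than only the flagged leaf. The Python below is an added example, not code from the reporter or from the Maven Dependency Plugin project. Its sample tree is constructed: the root (maven-dependency-plugin 3.6.1) and the log4j:log4j:1.2.12 leaf come from the report, while the intermediate artifacts (`some.group:hypothetical-lib`, `commons-logging:commons-logging:1.1`) are assumed for illustration and are not the plugin's real dependency graph. In a real build, `mvn dependency:tree -Dincludes=log4j:log4j` shows the project's own dependencies, and `mvn dependency:resolve-plugins` lists what each plugin resolves; feed either output to the parser.

```python
import re

# Constructed sample in the indentation format of `mvn dependency:tree`.
# Root and log4j leaf are from the report; hypothetical-lib and
# commons-logging 1.1 are ASSUMED intermediates, not the real graph.
SAMPLE_TREE = """\
[INFO] org.apache.maven.plugins:maven-dependency-plugin:maven-plugin:3.6.1
[INFO] +- org.apache.maven:maven-core:jar:3.2.5:provided
[INFO] |  \\- org.apache.maven:maven-model:jar:3.2.5:provided
[INFO] +- some.group:hypothetical-lib:jar:1.0:compile
[INFO] |  \\- commons-logging:commons-logging:jar:1.1:compile
[INFO] |     \\- log4j:log4j:jar:1.2.12:compile
[INFO] \\- org.codehaus.plexus:plexus-utils:jar:3.5.1:compile
"""

# One tree line: optional "[INFO] " prefix, a drawing prefix made of
# 3-character cells ("+- ", "\- ", "|  ", "   "), then the coordinate.
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:[|+\\ ][- ] )*)(\S+:\S+)$")

# Coordinates a scanner would flag, keyed by group:artifact -> version.
# The log4j entry is the one named in the report.
FLAGGED = {"log4j:log4j": "1.2.12"}


def parse_tree(text):
    """Yield (depth, 'group:artifact', version) for every coordinate line.

    Lines that are not tree lines (build noise, blanks) are skipped.
    """
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3  # each nesting level is one 3-char cell
        parts = m.group(2).split(":")
        # Root is g:a:type:version; dependencies are
        # g:a:type[:classifier]:version:scope, so version sits at -2.
        version = parts[3] if len(parts) == 4 else parts[-2]
        yield depth, f"{parts[0]}:{parts[1]}", version


def find_flagged_paths(text, flagged=FLAGGED):
    """Return root-to-leaf chains (lists of 'g:a:v') for every node whose
    group:artifact appears in `flagged` at exactly the flagged version."""
    stack = []  # ancestors of the current node, indexed by depth
    hits = []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]  # drop the previous node's siblings/descendants
        stack.append(f"{ga}:{version}")
        if flagged.get(ga) == version:
            hits.append(list(stack))
    return hits


def format_chain(chain):
    """Render a chain as 'root -> ... -> flagged' for a scanner note."""
    return " -> ".join(chain)


if __name__ == "__main__":
    for chain in find_flagged_paths(SAMPLE_TREE):
        print(format_chain(chain))
```

The chain tells you where to act: the fix belongs at the artifact that declares the flagged dependency (an exclusion or a version override there), not at the leaf. Exact-version matching keeps the tool aligned with what the scanner reported; widening it to a version predicate is a one-line change in `find_flagged_paths`.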