Cary Mader created MDEP-902:
-------------------------------

             Summary: plugin has dependency on log4j version with vulnerability
                 Key: MDEP-902
                 URL: https://issues.apache.org/jira/browse/MDEP-902
             Project: Maven Dependency Plugin
          Issue Type: Dependency upgrade
    Affects Versions: 3.6.1
            Reporter: Cary Mader
We have Maven projects using the dependency plugin; when it executes, it causes Maven to pull the log4j jar version 1.2.12 into the local Maven repos on build servers, and then scanners flag that jar as having a vulnerability, which causes us a lot of noise.

Dependency GAV is log4j / log4j / 1.2.12.

Have seen this with the latest version, 3.6.1.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)