Robert Turner <[email protected]> wrote:

> The "problem" is not that the old log4j gets copied to the output folder,
> it's that it is fetched into the local Maven cache / repository, which is
> then picked up by security tooling (which of course complains that it is
> ancient and has vulnerabilities).

There is no guarantee that the artifacts in the local Maven repository are 
actually executed or part of the result of your build. I don’t know if it’s an 
option to change the scanning strategy in your situation, but I would suggest 
executing builds in a CI environment that doesn’t provide access to the public 
internet (use a repository manager like Artifactory or Nexus and have it proxy 
any public repositories you need, like Maven Central), optionally scanning 
build artifacts before they get deployed, and definitely scanning deployed 
artifacts periodically, because vulnerabilities can get discovered after 
deployment time. I wouldn’t then worry about the contents of the local Maven 
repository after a build so much anymore.

Nils.
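The reply's point, that a jar sitting in the local Maven repository is not necessarily part of the build result, can be turned into a triage step for scanner findings. The following script is an added example and is not code from the thread, from Maven, or from any scanner: it takes the file paths a scanner flagged under `~/.m2/repository`, maps each back to Maven coordinates from the repository's directory layout, and compares them against the dependencies the build actually resolved (the output of `mvn dependency:list`). Findings whose coordinates are in `compile` or `runtime` scope reach the deployed artifact; `test` and `provided` dependencies only participate in the build; anything else is just cached. The repository root, the dependency-list text and the flagged paths are constructed sample data, not real scan output.

```python
"""Triage scanner findings from the local Maven repository (~/.m2) against the
dependencies a build actually resolved. Added example, not part of the thread."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# A resolved-dependency line from `mvn dependency:list` has the form
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
# Newer plugin versions may append " -- module ..." after the scope; the regex
# only anchors the start of the line, so that suffix is ignored.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w\-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)"
)

# Only these scopes end up inside the packaged/deployed artifact.
SHIPPED_SCOPES = {"compile", "runtime"}

# Assumed location of the CI runner's local repository (constructed for the example).
REPO_ROOT = "/home/ci/.m2/repository"


@dataclass(frozen=True)
class Coord:
    group: str
    artifact: str
    version: str


def parse_dependency_list(text: str) -> dict:
    """Return {Coord: scope} for every resolved dependency line in the output."""
    resolved = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line.strip())
        if m:
            resolved[Coord(m["group"], m["artifact"], m["version"])] = m["scope"]
    return resolved


def coord_from_repo_path(path: str, repo_root: str = REPO_ROOT) -> Coord:
    """Recover coordinates from the repository layout
    <root>/<group path>/<artifact>/<version>/<artifact>-<version>[-classifier].<ext>."""
    parts = PurePosixPath(path).relative_to(repo_root).parts
    if len(parts) < 4:
        raise ValueError(f"not a repository artifact path: {path}")
    version, artifact = parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    return Coord(group, artifact, version)


def triage(findings, resolved: dict) -> dict:
    """Sort flagged repository files into what ships, what is build-only, and what
    is merely cached and never part of this build's output."""
    result = {"shipped": [], "build_only": [], "cached_only": []}
    for path in findings:
        coord = coord_from_repo_path(path)
        scope = resolved.get(coord)
        if scope is None:
            result["cached_only"].append(coord)
        elif scope in SHIPPED_SCOPES:
            result["shipped"].append(coord)
        else:
            result["build_only"].append(coord)
    return result


# Constructed sample of `mvn dependency:list` output for a single module.
DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.20.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.20.0:compile
[INFO]    junit:junit:jar:4.13.2:test
[INFO]    javax.servlet:javax.servlet-api:jar:4.0.1:provided
[INFO]
"""

# Constructed sample of paths a scanner flagged under the local repository.
SCANNER_FINDINGS = [
    "/home/ci/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar",
    "/home/ci/.m2/repository/org/apache/logging/log4j/log4j-core/2.20.0/log4j-core-2.20.0.jar",
    "/home/ci/.m2/repository/junit/junit/4.13.2/junit-4.13.2.jar",
]

if __name__ == "__main__":
    report = triage(SCANNER_FINDINGS, parse_dependency_list(DEPENDENCY_LIST))
    for bucket, coords in report.items():
        print(bucket)
        for c in coords:
            print(f"  {c.group}:{c.artifact}:{c.version}")
```

This covers one module's resolved dependencies only; in a multi-module build, run `dependency:list` per module (or aggregate) before comparing, and remember that plugin dependencies also land in the local repository without ever being shipped. The comparison is a way to cut noise from scanning the cache; it does not replace scanning the built artifacts themselves, which is what the reply recommends.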