Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/10/01 08:35:00 UTC

[jira] [Updated] (MJAVADOC-726) Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively

     [ https://issues.apache.org/jira/browse/MJAVADOC-726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Osipov updated MJAVADOC-726:
------------------------------------
    Fix Version/s:     (was: wontfix-candidate)

> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
>                 Key: MJAVADOC-726
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-726
>             Project: Maven Javadoc Plugin
>          Issue Type: Bug
>          Components: jar, javadoc
>    Affects Versions: 3.4.0
>         Environment: Windows 10
>            Reporter: Yogesh Desai
>            Priority: Major
>              Labels: Vulnerability, vulnerability
>             Fix For: waiting-for-feedback
>
>         Attachments: log4j-1.2.12.png
>
>
> I have observed that Maven Javadoc Plug-in v3.4.0 downloads the Log4j-1.2.12 dependency transitively into the local maven repository, i.e. the .m2 folder, upon running maven update in the Eclipse IDE or from the command line. Since Log4j-1.X is strictly prohibited for use in many organisations, we had no other option than not using the plugin. Please plan to fix this issue and get rid of the log4j-1.X dependency.
> *Steps to Reproduce-*
> 1. Add maven javadoc plugin v3.4.0 in your project POM file
>          <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-javadoc-plugin</artifactId>
>                 <version>3.4.0</version>
>                 <configuration>
>                     <encoding>UTF-8</encoding>
>                     <additionalparam>-Xdoclint:none</additionalparam>
>                 </configuration>
>                 <executions>
>                     <execution>
>                         <id>attach-javadocs</id>
>                         <goals>
>                             <goal>jar</goal>
>                         </goals>
>                     </execution>
>                 </executions>
>             </plugin>
> 2. Observe your local maven repository, i.e. the .m2 folder, and see if any log4j-1.2.12 artifacts are present in its log4j folder. If artifacts are already present, delete them for now.
> 3. Run maven update command for your project (additionally run maven install command as needed)
> 4. Observe your local maven repository, i.e. the .m2 folder, and see if any log4j-1.2.12 artifacts have been generated with the latest timestamp inside the log4j folder.
> Attached is the screenshot showing maven javadoc plugin v3.4.0 used in POM.xml and the log4j-1.2.12 dependency getting downloaded into the local maven repository, i.e. the .m2 folder.
> Let me know if any other information is required. Thanks!
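An added check for steps 2 and 4 of the report (example code, not from the reporter or the Maven Javadoc Plugin project): a script that scans a Maven local repository for Log4j 1.x artifacts and, optionally, only those written after a given time, so a freshly pulled transitive copy can be told apart from a stale one. It assumes Maven's standard repository layout (groupId as directories, then artifactId, then version); the sample repository it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Coordinates to flag as (groupId, artifactId, major version). Log4j 1.x is published
# under groupId "log4j"; this list is a constructed policy and can be extended.
BANNED = [("log4j", "log4j", "1")]


def find_banned_artifacts(repo_root, banned=BANNED, newer_than=None):
    """Walk a Maven local repository and return (coordinate, path, mtime) for every
    .jar/.pom whose groupId/artifactId/major version is in `banned`. With
    `newer_than` (epoch seconds) only files written after that time are returned,
    which is the 'latest timestamp' check of step 4."""
    hits = []
    for group_id, artifact_id, major in banned:
        artifact_dir = Path(repo_root).joinpath(*group_id.split("."), artifact_id)
        if not artifact_dir.is_dir():
            continue
        for version_dir in sorted(artifact_dir.iterdir()):
            if not version_dir.is_dir() or version_dir.name.split(".")[0] != major:
                continue
            for f in sorted(version_dir.iterdir()):
                mtime = f.stat().st_mtime
                if f.suffix in (".jar", ".pom") and (newer_than is None or mtime > newer_than):
                    hits.append((f"{group_id}:{artifact_id}:{version_dir.name}", str(f), mtime))
    return hits


def build_sample_repo(root):
    """Constructed sample layout: a stale Log4j 1.2.12 pom, a freshly written
    1.2.12 jar, and a Log4j 2 core jar that must not be flagged."""
    files = {
        "log4j/log4j/1.2.12/log4j-1.2.12.pom": 1_000_000,  # old mtime: pre-existing
        "log4j/log4j/1.2.12/log4j-1.2.12.jar": None,       # current mtime: just fetched
        "org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar": None,
    }
    for rel, mtime in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
        if mtime is not None:
            os.utime(p, (mtime, mtime))


def demo(newer_than=2_000_000):
    """Build the sample repo in a temp dir; return flagged file names without
    and then with the freshness filter."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        every = [Path(h[1]).name for h in find_banned_artifacts(tmp)]
        fresh = [Path(h[1]).name for h in find_banned_artifacts(tmp, newer_than=newer_than)]
    return every, fresh


if __name__ == "__main__":
    print(demo())
```

Point `find_banned_artifacts` at `~/.m2/repository` with `newer_than` set to the time just before `mvn` was run to reproduce step 4 on a real repository.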



--
This message was sent by Atlassian Jira
(v8.20.10#820010)