Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/10/01 08:35:00 UTC
[jira] [Updated] (MJAVADOC-726) Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
[ https://issues.apache.org/jira/browse/MJAVADOC-726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov updated MJAVADOC-726:
------------------------------------
Fix Version/s: (was: wontfix-candidate)
> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
> Key: MJAVADOC-726
> URL: https://issues.apache.org/jira/browse/MJAVADOC-726
> Project: Maven Javadoc Plugin
> Issue Type: Bug
> Components: jar, javadoc
> Affects Versions: 3.4.0
> Environment: Windows 10
> Reporter: Yogesh Desai
> Priority: Major
> Labels: Vulnerability, vulnerability
> Fix For: waiting-for-feedback
>
> Attachments: log4j-1.2.12.png
>
>
> I have observed that Maven Javadoc Plug-in v3.4.0 downloads the Log4j-1.2.12 dependency transitively into the local maven repository, i.e. the .m2 folder, upon running maven update in the Eclipse IDE or from the command line. Since Log4j-1.X is strictly prohibited for use in many organisations, we had no other option than not using the plugin. Please plan to fix this issue and get rid of the log4j-1.X dependency.
> *Steps to Reproduce-*
> 1. Add maven javadoc plugin v3.4.0 in your project POM file
> <plugin>
>   <groupId>org.apache.maven.plugins</groupId>
>   <artifactId>maven-javadoc-plugin</artifactId>
>   <version>3.4.0</version>
>   <configuration>
>     <encoding>UTF-8</encoding>
>     <additionalparam>-Xdoclint:none</additionalparam>
>   </configuration>
>   <executions>
>     <execution>
>       <id>attach-javadocs</id>
>       <goals>
>         <goal>jar</goal>
>       </goals>
>     </execution>
>   </executions>
> </plugin>
> 2. Observe your local maven repository, i.e. the .m2 folder, and see if any log4j-1.2.12 artifacts are present in its log4j folder. If artifacts are already present, delete them for now.
> 3. Run maven update command for your project (additionally run maven install command as needed)
> 4. Observe your local maven repository, i.e. the .m2 folder, and see if any log4j-1.2.12 artifacts have been generated with the latest timestamp inside its log4j folder.
> Attached is a screenshot showing maven javadoc plugin v3.4.0 used in the POM.xml and the log4j-1.2.12 dependency being downloaded into the local maven repository, i.e. the .m2 folder.
> Let me know if any other information is required. Thanks!
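An added check, not part of the report above: a POSIX shell script that automates steps 2 and 4 by listing log4j:log4j 1.x jars in the local Maven repository, optionally only those written after a marker file was touched before the build. It assumes the standard repository layout <repo>/log4j/log4j/<version>/log4j-<version>.jar; the M2_REPO variable is a convention of this example, not of Maven.

```shell
#!/bin/sh
# Added example, not code from the Jira report. Automates the manual check in
# steps 2 and 4: list log4j:log4j 1.x jars in the local Maven repository and,
# optionally, only those written after a marker file, so you can tell whether
# the build you just ran fetched them.
# Assumes the standard layout <repo>/log4j/log4j/<version>/log4j-<version>.jar.

# find_log4j1_artifacts REPO_DIR [MARKER_FILE]
# Prints one matching jar path per line. With MARKER_FILE, only jars modified
# after that file are listed (POSIX find -newer). Always returns 0.
find_log4j1_artifacts() {
  repo="$1"
  marker="${2:-}"
  dir="$repo/log4j/log4j"
  [ -d "$dir" ] || return 0
  if [ -n "$marker" ]; then
    find "$dir" -type f -path '*/1.*/log4j-1.*.jar' -newer "$marker"
  else
    find "$dir" -type f -path '*/1.*/log4j-1.*.jar'
  fi
  return 0
}

# count_log4j1_artifacts REPO_DIR [MARKER_FILE]
# Same filter, but prints the number of matches; 0 means no Log4j 1.x jar is present.
count_log4j1_artifacts() {
  find_log4j1_artifacts "$@" | sed '/^$/d' | wc -l | tr -d ' '
}

# Typical use around a build (the commands are the ones named in the report):
#   touch /tmp/before-build
#   mvn install
#   count_log4j1_artifacts "$HOME/.m2/repository" /tmp/before-build
# M2_REPO is an assumed override for this example; it defaults to the usual path.
find_log4j1_artifacts "${M2_REPO:-$HOME/.m2/repository}"
```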
--
This message was sent by Atlassian Jira
(v8.20.10#820010)