Posted to issues@maven.apache.org by "Lida Zhao (Jira)" <ji...@apache.org> on 2021/12/15 02:15:00 UTC

[jira] [Commented] (MASFRES-51) could log4j impair a program if it is a transitive "provided" dependency?

    [ https://issues.apache.org/jira/browse/MASFRES-51?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459605#comment-17459605 ] 

Lida Zhao commented on MASFRES-51:
----------------------------------

note that I also have a related question on StackOverflow https://stackoverflow.com/questions/70337939/how-could-we-resolve-the-transitive-provided-dependencies-in-maven

> could log4j impair a program if it is a transitive "provided" dependency?
> -------------------------------------------------------------------------
>
>                 Key: MASFRES-51
>                 URL: https://issues.apache.org/jira/browse/MASFRES-51
>             Project: Apache Maven Resource Bundles
>          Issue Type: Improvement
>            Reporter: Lida Zhao
>            Priority: Major
>
> Log4j's problem led me to a strange thought, and I want to discuss it with you: will a transitive "provided" dependency impair my project? Let's take an example. I have a project structured like this; I import "druid", which has a provided dependency "log4j-core":
> my-company:my-app2:v1.0
> \- com.alibaba:druid:jar:1.2.8:compile
>    \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
> To `my-app`, `log4j-core` is a *transitive "provided" dependency*.
> but "provided" scope is not transitive according to the doc, so when we use `mvn dependency:tree`, we can only get
> my-company:my-app2:v1.0
> \- com.alibaba:druid:jar:1.2.8:compile
> Since log4j-core participates in the compilation of druid, part of `log4j-core`'s code could be inside. In the worst case, could it also be vulnerable? If so, how could we know whether `log4j-core`'s code is actually inside?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
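The practical way to answer the last question in the issue is not to reason about Maven scopes but to look inside the artifact: a "provided" dependency is only on the compiler's classpath, so a plain library jar carries none of its bytecode, and log4j-core classes can end up in a deliverable only when something (a shade plugin, a fat/uber jar, a WAR's WEB-INF/lib) copies them in. The scanner below is an added example written for this thread; it is not code from the Jira issue, Maven, druid or log4j. It assumes that log4j-core's classes live under the Java package org.apache.logging.log4j.core (zip entry prefix org/apache/logging/log4j/core/) and builds two constructed in-memory jars as stand-ins for a plain library and for a fat jar; the file names and class stubs inside them are made up for the demonstration.

```python
"""Scan a jar, and any jars nested inside it, for classes from one package.

Added example for the MASFRES-51 discussion; not code from the Jira issue,
Maven, druid or log4j. Assumption: log4j-core's classes sit under the package
org.apache.logging.log4j.core, so their zip entries start with
org/apache/logging/log4j/core/. The sample jars below are constructed
stand-ins, not the real druid or log4j-core artifacts.
"""
import io
import sys
import zipfile

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
NESTED_ARCHIVES = (".jar", ".war", ".ear", ".zip")


def find_bundled_classes(jar_bytes, prefix=LOG4J_CORE_PREFIX, location="", _depth=0):
    """Return sorted 'outer.jar!/inner.jar!/pkg/Name.class' paths for every
    class entry under `prefix`. Nested archives (fat jars, BOOT-INF/lib,
    WEB-INF/lib) are opened in memory and scanned recursively."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class") and name.startswith(prefix):
                hits.append(f"{location}{name}")
            elif name.endswith(NESTED_ARCHIVES) and _depth < 5:
                # Recurse into the nested archive; depth cap guards against
                # pathological self-nesting.
                hits.extend(find_bundled_classes(
                    zf.read(name), prefix, f"{location}{name}!/", _depth + 1))
    return sorted(hits)


def scan_file(path, prefix=LOG4J_CORE_PREFIX):
    """Scan a jar on disk; results are prefixed with the file path."""
    with open(path, "rb") as fh:
        return find_bundled_classes(fh.read(), prefix, location=f"{path}!/")


def _make_jar(entries):
    """Build a zip/jar in memory from a {entry_name: bytes_or_str} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed stub

# Constructed stand-in for a plain library jar built with log4j-core as a
# "provided" dependency: javac compiled against log4j-core but copied none of
# its bytecode, so only the library's own classes are present.
PLAIN_LIBRARY_JAR = _make_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "com/example/pool/DataSource.class": FAKE_CLASS,
})

# Constructed stand-in for a shaded/fat application jar that does bundle
# log4j-core: once directly and once inside a nested jar under BOOT-INF/lib.
FAT_JAR = _make_jar({
    "com/example/app/Main.class": FAKE_CLASS,
    LOG4J_CORE_PREFIX + "Logger.class": FAKE_CLASS,
    "BOOT-INF/lib/log4j-core-2.13.3.jar": _make_jar({
        LOG4J_CORE_PREFIX + "LoggerContext.class": FAKE_CLASS,
    }),
})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_jar.py target.jar [more.jar ...]
        for path in sys.argv[1:]:
            for hit in scan_file(path):
                print(hit)
    else:
        print("plain library jar:", find_bundled_classes(PLAIN_LIBRARY_JAR))
        print("fat jar:          ", find_bundled_classes(FAT_JAR))
```

Run it with no arguments to see the two constructed cases (the plain library reports nothing, the fat jar reports both the top-level class and the one inside the nested jar), or pass real jar paths to scan a build output. The same prefix argument works for any other library whose presence you want to confirm; checking the shipped artifact this way is independent of what `mvn dependency:tree` shows, which is exactly the gap the issue raises.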