Posted to issues@maven.apache.org by "Abhishek Patnaik (Jira)" <ji...@apache.org> on 2022/02/16 07:22:00 UTC

[jira] [Created] (MDEP-792) Log4j vulnerability dependencies getting downloaded during the Maven build process

Abhishek Patnaik created MDEP-792:
-------------------------------------

             Summary: Log4j vulnerability dependencies getting downloaded during the Maven build process
                 Key: MDEP-792
                 URL: https://issues.apache.org/jira/browse/MDEP-792
             Project: Maven Dependency Plugin
          Issue Type: Bug
          Components: unpack-dependencies
         Environment: Jenkins Build
            Reporter: Abhishek Patnaik
         Attachments: Log4j_Vulverability_Problem.docx

We are using Maven as the build tool for a MuleSoft application, with Jenkins.

In the log4j2 vulnerability scan reports, the MuleSoft Jenkins build servers got listed.

We verified that the application JAR file does not refer to these older versions of log4j.

Below are the findings when we use Maven versions 3.6.3 and 3.8.4.

Before running the build, we had already cleaned up /tmp and /.m2.

| |*Maven 3.6.3*|*After upgrade Maven 3.8.4*|
|log4j|2.11.2, 2.13.1, 2.17.1, 2.9.1|2.11.2, 2.13.1, 2.17.1, 2.9.1|
|log4j-1.2-api|2.13.1|2.13.1|
|log4j-api|2.13.1, 2.17.1, 2.9.1|2.13.1, 2.17.1, 2.9.1|
|log4j-core|2.13.1, 2.17.1, 2.9.1|2.13.1, 2.17.1, 2.9.1|
|log4j-slf4j-impl|2.11.2, 2.13.1, 2.9.1|2.11.2, 2.13.1, 2.9.1|



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
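An inventory of the local Maven repository of the kind that produced the table above, added here as example code (not from the reporter or the Maven project); it assumes the standard ~/.m2/repository directory layout, and the fixture builder uses the artifact versions listed in the report.

```shell
#!/bin/sh
# Inventory org.apache.logging.log4j jars in a local Maven repository and flag
# every version numerically below a floor. Lexical sorting would rank 2.9.1
# above 2.17.1, so versions are compared component by component.
# To find which dependency or plugin pulls a flagged version in, run
#   mvn dependency:tree -Dincludes=org.apache.logging.log4j
#   mvn dependency:resolve-plugins
# in the project (plugin dependencies do not show in the application JAR).

version_lt() {
  # True (exit 0) when dotted version $1 is numerically lower than $2.
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

scan_log4j_repo() {
  # $1 = repository root (e.g. ~/.m2/repository), $2 = lowest acceptable version.
  # Prints one line per jar: "<artifactId> <version> <ok|BELOW-FLOOR>".
  repo="$1"; floor="$2"
  find "$repo/org/apache/logging/log4j" -type f -name '*.jar' 2>/dev/null | sort |
  while read -r jar; do
    version=$(basename "$(dirname "$jar")")
    artifact=$(basename "$(dirname "$(dirname "$jar")")")
    if version_lt "$version" "$floor"; then
      printf '%s %s BELOW-FLOOR\n' "$artifact" "$version"
    else
      printf '%s %s ok\n' "$artifact" "$version"
    fi
  done
}

make_fixture_repo() {
  # Constructed fixture: log4j-core and log4j-api in the versions the report
  # observed in the local repository after a clean build (hypothetical root $1).
  for art in log4j-core log4j-api; do
    for v in 2.9.1 2.13.1 2.17.1; do
      mkdir -p "$1/org/apache/logging/log4j/$art/$v"
      : > "$1/org/apache/logging/log4j/$art/$v/$art-$v.jar"
    done
  done
}
```

Run `scan_log4j_repo ~/.m2/repository 2.17.1` on a real build host to list which artifacts remain below the floor.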