aleksandr-m / gitflow-maven-plugin

The Git-Flow Maven Plugin supports various Git workflows, including GitFlow and GitHub Flow. This plugin runs Git and Maven commands from the command line.
https://aleksandr-m.github.io/gitflow-maven-plugin/
Apache License 2.0

maven-project dependency pulls in log4j1 #364

Closed DRoppelt closed 1 year ago

DRoppelt commented 1 year ago

Hi, very much appreciate your project here.

We have some security scans on our maven build agents and they keep flagging "someone uses log4j1!", so we investigated and found your plugin to be the one that eventually leads to log4j.jar being present in the build cache.


It seems like the project is using some alpha dependencies from 2009 (maven-project), which seems to be replaced by maven-core (which this plugin also depends on). Any way you would consider cleaning up that dependency tree?

I am not familiar with plugin development, but I would submit a PR if you'd like.

How to reproduce:

1) add this into a pom.xml

<dependencies>
  ...
  <dependency>
    <groupId>com.amashchenko.maven.plugin</groupId>
    <artifactId>gitflow-maven-plugin</artifactId>
    <version>1.19.0</version>
  </dependency>
  ...
</dependencies>

2) mvn dependency:tree > tree.log && grep -i "gitflow" -A 80 tree.log

[INFO] +- com.amashchenko.maven.plugin:gitflow-maven-plugin:jar:1.19.0:compile
[INFO] |  +- org.apache.maven:maven-core:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-model:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-settings:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-settings-builder:jar:3.3.9:compile
[INFO] |  |  |  \- org.apache.maven:maven-builder-support:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-repository-metadata:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-artifact:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-plugin-api:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-model-builder:jar:3.3.9:compile
[INFO] |  |  |  \- com.google.guava:guava:jar:18.0:compile
[INFO] |  |  +- org.apache.maven:maven-aether-provider:jar:3.3.9:compile
[INFO] |  |  |  \- org.eclipse.aether:aether-spi:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.aether:aether-impl:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.aether:aether-api:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.aether:aether-util:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.2:compile
[INFO] |  |  |  +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] |  |  |  |  \- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] |  |  |  \- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.2:compile
[INFO] |  |  +- com.google.inject:guice:jar:no_aop:4.0:compile
[INFO] |  |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.6:compile
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:1.5.6:compile
[INFO] |  +- org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-6:compile
[INFO] |  |  \- org.codehaus.plexus:plexus-component-api:jar:1.0-alpha-16:compile
[INFO] |  +- org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[INFO] |  |  +- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |  |  |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-4:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[INFO] |  |  |  +- org.apache.xbean:xbean-reflect:jar:3.4:compile
[INFO] |  |  |  |  +- log4j:log4j:jar:1.2.12:compile
[INFO] |  |  |  |  \- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] |  |  |  \- com.google.code.google-collections:google-collect:jar:snapshot-20080530:compile
[INFO] |  |  +- org.codehaus.woodstox:wstx-asl:jar:3.2.6:compile
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  |  +- org.sonatype.spice:model-builder:jar:1.3:compile
[INFO] |  |  \- org.apache.maven:maven-project-builder:jar:3.0-alpha-2:compile
[INFO] |  \- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
[INFO] |     +- org.apache.maven.release:maven-release-api:jar:2.5.3:compile
[INFO] |     +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
[INFO] |     |  \- backport-util-concurrent:backport-util-concurrent:jar:3.1:compile
[INFO] |     +- org.apache.maven.shared:maven-invoker:jar:2.2:compile
[INFO] |     +- commons-lang:commons-lang:jar:2.4:compile
[INFO] |     +- org.apache.maven.scm:maven-scm-providers-standard:pom:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-accurev:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-bazaar:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-clearcase:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-cvsexe:jar:1.9.4:runtime
[INFO] |     |  |  \- org.apache.maven.scm:maven-scm-provider-cvs-commons:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-cvsjava:jar:1.9.4:runtime
[INFO] |     |  |  +- org.netbeans.lib:cvsclient:jar:20060125:runtime
[INFO] |     |  |  \- ch.ethz.ganymed:ganymed-ssh2:jar:build210:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-gitexe:jar:1.9.4:runtime
[INFO] |     |  |  \- org.apache.maven.scm:maven-scm-provider-git-commons:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-hg:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-perforce:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-starteam:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-svnexe:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-synergy:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-vss:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-tfs:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-integrity:jar:1.9.4:runtime
[INFO] |     |  |  +- com.mks.api:mksapi-jar:jar:4.10.9049:runtime
[INFO] |     |  |  \- org.codehaus.groovy:groovy-all:jar:1.7.6:runtime
[INFO] |     |  \- org.apache.maven.scm:maven-scm-provider-jazz:jar:1.9.4:runtime
[INFO] |     +- org.apache.maven.scm:maven-scm-manager-plexus:jar:1.8:runtime
[INFO] |     +- org.apache.maven.scm:maven-scm-api:jar:1.9.4:compile
[INFO] |     +- org.apache.maven.scm:maven-scm-provider-svn-commons:jar:1.9.4:compile
[INFO] |     +- org.jdom:jdom:jar:1.1:compile
[INFO] |     \- jaxen:jaxen:jar:1.2.0:runtime

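
As an added example (not the project's code and not from the reporter), a small Python script that parses `mvn dependency:tree` output in the format shown above and prints the full ancestor chain leading to any log4j 1.x artifact, so the first element of each chain tells you which direct dependency to exclude from or upgrade. `SAMPLE_TREE` is a constructed excerpt of the reporter's listing, trimmed to the branch that ends in log4j.

```python
import sys

# Constructed excerpt of the `mvn dependency:tree` listing quoted in the issue above.
SAMPLE_TREE = r"""
[INFO] +- com.amashchenko.maven.plugin:gitflow-maven-plugin:jar:1.19.0:compile
[INFO] |  +- org.apache.maven:maven-core:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-model:jar:3.3.9:compile
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:1.5.6:compile
[INFO] |  +- org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[INFO] |  |  +- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[INFO] |  |  |  +- org.apache.xbean:xbean-reflect:jar:3.4:compile
[INFO] |  |  |  |  +- log4j:log4j:jar:1.2.12:compile
[INFO] |  |  |  |  \- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] |  \- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
"""

def parse_tree(text):
    """Yield (depth, coordinate) for every dependency line of `mvn dependency:tree` output."""
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        depth = 0
        while line[:3] in ("|  ", "   "):      # each nesting level is one 3-char cell
            line, depth = line[3:], depth + 1
        if line[:3] not in ("+- ", "\\- "):
            continue                           # project root, plugin banners, etc.
        yield depth, line[3:].split(" (")[0].strip()   # drop "(version managed ...)" notes

def is_log4j1(coord):
    """Coordinate is groupId:artifactId:type[:classifier]:version:scope; flag log4j 1.x only."""
    parts = coord.split(":")
    return parts[0] == "log4j" and parts[1] == "log4j" and parts[-2].startswith("1.")

def find_paths(text, matches):
    """Return each ancestor chain [direct dependency, ..., target] whose last entry satisfies `matches`."""
    stack, paths = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]        # entries deeper than this line belong to a finished subtree
        stack.append(coord)
        if matches(coord):
            paths.append(list(stack))
    return paths

if __name__ == "__main__":
    # Pipe real output in (mvn dependency:tree | python3 log4j1_path.py) or run on the sample.
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for path in find_paths(text, is_log4j1):
        print(" -> ".join(path))
```

The chain the script prints for the sample is the one a scanner flags: plugin -> maven-project -> plexus-container-default -> xbean-reflect -> log4j, which is why removing the maven-project dependency (or excluding log4j:log4j on the plugin dependency) clears the finding.
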
aleksandr-m commented 1 year ago

Related #369

DRoppelt commented 1 year ago

@aleksandr-m do you have a timeline on releasing this? Maybe a 1.19.1 or so?

rmontag-ap commented 1 year ago

Any news on that for a next 1.19.1?

Is there a maven repository available where the version "1.19.1-SNAPSHOT" (currently on the master branch) can be pulled from?

aleksandr-m commented 1 year ago

1.20.0 is released.