mojohaus / versions

Versions Maven Plugin
https://www.mojohaus.org/versions/versions-maven-plugin/
Apache License 2.0

Log4j 2.12.1 getting downloaded when running plugin commands #1175

Open rogelio-blanco opened 4 days ago

rogelio-blanco commented 4 days ago

Hi team,

I want to raise the issue that when I run a command using this plugin, I get log4j version 2.12.1 in the .m2 folder, which has multiple vulnerabilities. Our Security team is asking us to upgrade to a higher version.

I already verified:

How can I get around downloading that log4j version? I would appreciate any help or feedback you can give me.

Plugin version: 2.17.1
Command: version:set versions:commit -DnewVersion="dummy"


https://security.snyk.io/package/maven/org.apache.logging.log4j:log4j-core/2.12.1

andrzejj0 commented 3 days ago

We don't use log4j. It's most likely a transitive dependency of your project. You can use dependency:tree to track what dependency is using it.

mvn dependency:tree -Dverbose | grep -B 8 log4j
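The `grep -B 8` above only shows the eight lines before a match, which may or may not be the real parents of the artifact. The following is an added example (not part of this thread or of versions-maven-plugin) that parses `dependency:tree -Dverbose` output by its indentation and prints the exact chain from the project root to every artifact matching a pattern; the sample tree and its coordinates are constructed placeholders.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of `mvn dependency:tree -Dverbose` output; coordinates are
# placeholders and are not taken from the issue or from any real project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.example:reporting-lib:jar:2.3.0:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \\- log4j:log4j:jar:1.2.17:compile (optional)
[INFO] |  \\- com.example:other-lib:jar:0.9:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO] ------------------------------------------------------------------------
"""

# Each nesting level in dependency:tree output is three characters wide
# ('|  ' or '   ') followed by a '+- ' or '\- ' connector.
MARKER_RE = re.compile(r"(?:\+-|\\-) ")


def parse_tree(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (depth, coordinate, note) for every node; the project root is depth 0."""
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        m = MARKER_RE.search(line)
        if m:
            depth, body = m.start() // 3 + 1, line[m.end():]
        elif line and " " not in line and line.count(":") >= 3:
            depth, body = 0, line  # root project line: no connector, g:a:type:version
        else:
            continue  # plugin banner, separator, or unrelated log line
        coord, _, note = body.partition(" ")
        yield depth, coord, note.strip()


def paths_to(text: str, pattern: str) -> List[Tuple[List[str], str]]:
    """For every node whose coordinate matches `pattern`, return the chain of
    coordinates from the root down to it plus its trailing note, e.g. '(optional)'."""
    stack: List[str] = []
    hits: List[Tuple[List[str], str]] = []
    for depth, coord, note in parse_tree(text):
        del stack[depth:]  # drop everything deeper than this node's parent
        stack.append(coord)
        if re.search(pattern, coord):
            hits.append((stack.copy(), note))
    return hits


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for chain, note in paths_to(text, sys.argv[1] if len(sys.argv) > 1 else "log4j"):
        print(" -> ".join(chain), note)
```

Pipe real output into it with `mvn dependency:tree -Dverbose | python3 dep_path.py log4j`; with no input on stdin it runs against the constructed sample.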

slawekjaranowski commented 3 days ago

You can also try with the maven.repo.local.recordReverseTree property; execute your example as:

mvn -Dmaven.repo.local.recordReverseTree version:set ....

Next, examine the content of the .tracking directories in your ~/.m2/repository.

rogelio-blanco commented 3 days ago

Thank you for the quick response; the commands helped me.

Below, you can see the output, which indicates that the plugin is importing that specific dependency.


Thanks

andrzejj0 commented 3 days ago

Apologies for closing this. dependency:tree did not include any descendants of commons-logging for some reason. log4j looks to be an optional dependency of it.

This should be resolved by #1168

slawekjaranowski commented 3 days ago

It is strange... optional dependencies should not be downloaded... we need more investigation in Maven/Resolver.

By the way, it should be resolved with the new version of doxia.

andrzejj0 commented 3 days ago

@slawekjaranowski in case you're interested, here's the output of

rm -rf ~/.m2/repository/log4j/log4j; mvn -X versions:set versions:revert -DnewVersion=dummy | tee /tmp/versions.log

Only pom.xml gets downloaded. Not a vulnerability.

I'm not sure why pom.xml gets downloaded, but this is out of scope of versions-maven-plugin, it's a question to Resolver guys.

I wonder if this plugin's use would get flagged by any threat scanner if it's only downloading a pom.xml.

versions.log