
maven-project dependency pulls in log4j1 #364

Closed
DRoppelt opened this issue Nov 3, 2022 · 4 comments
Comments

@DRoppelt
Contributor

DRoppelt commented Nov 3, 2022

Hi,
very much appreciate your project here.

We have some security scans on our maven build agents and they keep flagging "someone uses log4j1!", so we investigated and found your plugin to be the one that eventually leads to log4j.jar to be present in build cache.


It seems like the project is using some alpha dependencies from 2009 (maven-project), which seem to be replaced by maven-core (which this plugin also depends on).
Any way you would consider cleaning up that dependency tree?

I am not familiar with plugin development, but I would submit a PR if you'd like.

How to reproduce:

1. Add this into a pom.xml:

```xml
<dependencies>
...
    <dependency>
      <groupId>com.amashchenko.maven.plugin</groupId>
      <artifactId>gitflow-maven-plugin</artifactId>
      <version>1.19.0</version>
    </dependency>
...
  </dependencies>
```

2. Run `mvn dependency:tree > tree.log && grep -i "gitflow" -A 80 tree.log`:

```
[INFO] +- com.amashchenko.maven.plugin:gitflow-maven-plugin:jar:1.19.0:compile
[INFO] |  +- org.apache.maven:maven-core:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-model:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-settings:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-settings-builder:jar:3.3.9:compile
[INFO] |  |  |  \- org.apache.maven:maven-builder-support:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-repository-metadata:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-artifact:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-plugin-api:jar:3.3.9:compile
[INFO] |  |  +- org.apache.maven:maven-model-builder:jar:3.3.9:compile
[INFO] |  |  |  \- com.google.guava:guava:jar:18.0:compile
[INFO] |  |  +- org.apache.maven:maven-aether-provider:jar:3.3.9:compile
[INFO] |  |  |  \- org.eclipse.aether:aether-spi:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.aether:aether-impl:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.aether:aether-api:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.aether:aether-util:jar:1.0.2.v20150114:compile
[INFO] |  |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.2:compile
[INFO] |  |  |  +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] |  |  |  |  \- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] |  |  |  \- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.2:compile
[INFO] |  |  +- com.google.inject:guice:jar:no_aop:4.0:compile
[INFO] |  |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.6:compile
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:1.5.6:compile
[INFO] |  +- org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-6:compile
[INFO] |  |  \- org.codehaus.plexus:plexus-component-api:jar:1.0-alpha-16:compile
[INFO] |  +- org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[INFO] |  |  +- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |  |  |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-4:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[INFO] |  |  |  +- org.apache.xbean:xbean-reflect:jar:3.4:compile
[INFO] |  |  |  |  +- log4j:log4j:jar:1.2.12:compile
[INFO] |  |  |  |  \- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] |  |  |  \- com.google.code.google-collections:google-collect:jar:snapshot-20080530:compile
[INFO] |  |  +- org.codehaus.woodstox:wstx-asl:jar:3.2.6:compile
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  |  +- org.sonatype.spice:model-builder:jar:1.3:compile
[INFO] |  |  \- org.apache.maven:maven-project-builder:jar:3.0-alpha-2:compile
[INFO] |  \- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
[INFO] |     +- org.apache.maven.release:maven-release-api:jar:2.5.3:compile
[INFO] |     +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
[INFO] |     |  \- backport-util-concurrent:backport-util-concurrent:jar:3.1:compile
[INFO] |     +- org.apache.maven.shared:maven-invoker:jar:2.2:compile
[INFO] |     +- commons-lang:commons-lang:jar:2.4:compile
[INFO] |     +- org.apache.maven.scm:maven-scm-providers-standard:pom:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-accurev:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-bazaar:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-clearcase:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-cvsexe:jar:1.9.4:runtime
[INFO] |     |  |  \- org.apache.maven.scm:maven-scm-provider-cvs-commons:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-cvsjava:jar:1.9.4:runtime
[INFO] |     |  |  +- org.netbeans.lib:cvsclient:jar:20060125:runtime
[INFO] |     |  |  \- ch.ethz.ganymed:ganymed-ssh2:jar:build210:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-gitexe:jar:1.9.4:runtime
[INFO] |     |  |  \- org.apache.maven.scm:maven-scm-provider-git-commons:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-hg:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-perforce:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-starteam:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-svnexe:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-synergy:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-vss:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-tfs:jar:1.9.4:runtime
[INFO] |     |  +- org.apache.maven.scm:maven-scm-provider-integrity:jar:1.9.4:runtime
[INFO] |     |  |  +- com.mks.api:mksapi-jar:jar:4.10.9049:runtime
[INFO] |     |  |  \- org.codehaus.groovy:groovy-all:jar:1.7.6:runtime
[INFO] |     |  \- org.apache.maven.scm:maven-scm-provider-jazz:jar:1.9.4:runtime
[INFO] |     +- org.apache.maven.scm:maven-scm-manager-plexus:jar:1.8:runtime
[INFO] |     +- org.apache.maven.scm:maven-scm-api:jar:1.9.4:compile
[INFO] |     +- org.apache.maven.scm:maven-scm-provider-svn-commons:jar:1.9.4:compile
[INFO] |     +- org.jdom:jdom:jar:1.1:compile
[INFO] |     \- jaxen:jaxen:jar:1.2.0:runtime
```
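As an added example (not code from the issue or from the gitflow-maven-plugin project), a small Python parser for `mvn dependency:tree` output that walks the tree quoted above and returns the chain of artifacts leading to log4j 1.x, so a scan finding like the one in the report can be traced to the top-level dependency that introduced it. The embedded tree is a constructed excerpt trimmed from the output in the report; the deny rule `is_log4j1` is an assumed stand-in for whatever the build-agent scanner checks.

```python
import re

# Constructed excerpt of the `mvn dependency:tree` output quoted in the report,
# trimmed to the branches needed to show the chain that ends at log4j 1.x.
TREE = r"""[INFO] +- com.amashchenko.maven.plugin:gitflow-maven-plugin:jar:1.19.0:compile
[INFO] |  +- org.apache.maven:maven-core:jar:3.3.9:compile
[INFO] |  +- org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[INFO] |  |  +- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[INFO] |  |  |  +- org.apache.xbean:xbean-reflect:jar:3.4:compile
[INFO] |  |  |  |  +- log4j:log4j:jar:1.2.12:compile
[INFO] |  |  |  |  \- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] |  \- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
"""

# One node line: "[INFO] ", one three-char block ("|  " or "   ") per level of
# depth, then "+- " or "\- ", then the artifact coordinates.
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (\S+)$")

def parse_coords(coords: str) -> dict[str, str]:
    """Split groupId:artifactId:type[:classifier]:version:scope. A classifier
    (guice's 'no_aop' in the full tree) shifts positions, so read from the end."""
    parts = coords.split(":")
    return {"group": parts[0], "artifact": parts[1],
            "version": parts[-2], "scope": parts[-1]}

def dependency_paths(tree_text: str) -> list[list[str]]:
    """For every node, its chain from the top-level dependency down, as group:artifact:version."""
    paths: list[list[str]] = []
    stack: list[str] = []  # stack[d] is the node currently open at depth d
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # other [INFO] lines that the plugin prints
        depth = len(m.group(1)) // 3
        c = parse_coords(m.group(2))
        del stack[depth:]  # a node at depth d closes everything at depth >= d
        stack.append(f"{c['group']}:{c['artifact']}:{c['version']}")
        paths.append(list(stack))
    return paths

def is_log4j1(label: str) -> bool:
    """Assumed deny rule matching the scan finding in the report: any log4j:log4j 1.x."""
    group, artifact, version = label.split(":")
    return group == "log4j" and artifact == "log4j" and version.startswith("1.")

def find_paths_to(tree_text: str, banned) -> list[list[str]]:
    """Chains ending at a banned artifact. path[1] is the direct child of the
    top-level dependency, i.e. what a consumer-side <exclusion> would have to name."""
    return [p for p in dependency_paths(tree_text) if banned(p[-1])]
```

Running `find_paths_to(TREE, is_log4j1)` yields a single chain, gitflow-maven-plugin -> maven-project -> plexus-container-default -> xbean-reflect -> log4j:log4j:1.2.12, which is the same conclusion the report draws by reading the tree by hand.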

@DRoppelt changed the title from "maven-project dependency pulls in log4j1 dependency" to "maven-project dependency pulls in log4j1" on Nov 3, 2022
@aleksandr-m
Owner

Related #369

@DRoppelt
Contributor Author

@aleksandr-m do you have a timeline on releasing this? Maybe a 1.19.1 or so?

@rmontag-ap

Any news on that for a next 1.19.1?

Is there a maven repository available, where the version "1.19.1-SNAPSHOT" - currently on master branch - can be pulled?

@aleksandr-m
Owner

1.20.0 is released.
