
This question is current at least as of version 3.6.1 of the plugin.

When using the maven-dependency-plugin, it downloads log4j 1.2.12. It happens when the analyze-dep-mgt goal is run (that's the goal we use); I imagine it happens with some or all of the other goals of the plugin. Running mvn dependency:tree from the command line also causes it to be downloaded.

I recognize that just having the log4j jar in the local repository is not a security risk, but we have an IT department threatening to shut down our servers if the jar appears anywhere on our filesystem. If it comes down to it, we'll make some kind of script to constantly look for it and delete it when it shows up, but I'm hoping there is some way to prevent it directly through some configuration change in the pom.xml.

I also see that there is an open issue in the plugin's issue tracker for this problem: MDEP-902.

log4j doesn't seem to be a dependency or transitive dependency of the plugin itself. I've tried adding the plugin as a dependency and running the dependency plugin tree goal, and it doesn't show up as a dependency of the plugin. I've also run dependency:tree on the latest version of the plugin in its code repository, and it doesn't show up as a dependency. Is the plugin doing its own manipulation on the local repository somehow and causing it to be downloaded?

Here are the debug log lines when it downloads the jar:

[DEBUG] Resolving artifact log4j:log4j:pom:1.2.12 from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[DEBUG] Using transporter HttpTransporter with priority 5.0 for https://repo.maven.apache.org/maven2
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
  • Can you show the full pom file and a full build log ... Also which Maven version, and versions of the plugins you are using... Commented Feb 28, 2024 at 17:31
  • Unfortunately I can't post the pom here and this was the most amount of log output I could add to the question without stackoverflow flagging the question as spam. Running mvn dependency:analyze-dep-mgt on any maven project though should recreate the issue. Just make sure to delete log4j from your local repository first so that you can see it redownload it. I'm using the latest version of the plugin, 3.6.1. Commented Feb 28, 2024 at 20:10
  • Does it download the JAR too? POMs are downloaded eagerly, even if the artifact ends up being excluded. Commented Feb 29, 2024 at 11:16
  • 1
    It does download the jar as well Commented Mar 4, 2024 at 18:05

1 Answer


This still happens with Maven 3.9.8 and maven-dependency-plugin 3.7.1.

The reason is that somehow this plugin downloads commons-logging versions 1.0, 1.0.3 and 1.1 too. While the log4j dependency is marked optional in 1.0.3, it is NOT in 1.1, so log4j 1.2.12 is downloaded into the local repo unconditionally.

Fixing the .pom of commons-logging 1.1 in the local repo by adding the optional flag avoids downloading log4j 1.2.12 when running mvn dependency:tree. (That is not a real fix, only a proof!)

Unfortunately, it is not easy to detect the chain that leads to the downloads of the different commons-logging versions.
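The check the answer performs by hand (which cached POM declares log4j:log4j without the optional flag) can be automated. The scanner below is an added example, not code from the question, the answer or the plugin: it walks every *.pom under a Maven local repository, parses the top-level dependencies with and without the POM namespace, reports each non-optional use of the artifact, and separately lists whether the artifact's jar is already in the cache. The two sample POMs are constructed for the demonstration and stand in for the optional and non-optional commons-logging cases the answer describes; they are not the real commons-logging files. The only layout assumption is the standard group/artifact/version directory structure under ~/.m2/repository.

```python
"""Find cached POMs that pull in an artifact (log4j:log4j by default) as a
non-optional dependency, and list that artifact's jars already in the cache.
Added example; assumes the standard ~/.m2/repository layout."""
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple


def _local(tag: str) -> str:
    """Strip an XML namespace such as {http://maven.apache.org/POM/4.0.0}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child called `name`, or '' when absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def dependencies_of(pom_text: str) -> List[Dict[str, object]]:
    """Parse the top-level <dependencies> block of a POM (namespaced or not).
    <dependencyManagement> is skipped: it pins versions but adds nothing to
    the graph by itself."""
    root = ET.fromstring(pom_text)
    deps: List[Dict[str, object]] = []
    for section in root:
        if _local(section.tag) != "dependencies":
            continue
        for dep in section:
            if _local(dep.tag) != "dependency":
                continue
            deps.append({
                "groupId": _child_text(dep, "groupId"),
                "artifactId": _child_text(dep, "artifactId"),
                "version": _child_text(dep, "version"),
                "scope": _child_text(dep, "scope") or "compile",
                # Only an explicit <optional>true</optional> stops transitive inclusion.
                "optional": _child_text(dep, "optional").lower() == "true",
            })
    return deps


def non_optional_uses(pom_text: str, group_id: str = "log4j",
                      artifact_id: str = "log4j") -> List[Dict[str, object]]:
    """Declarations of group:artifact that lack the optional flag."""
    return [d for d in dependencies_of(pom_text)
            if d["groupId"] == group_id and d["artifactId"] == artifact_id
            and not d["optional"]]


def scan_repository(repo_root, group_id: str = "log4j",
                    artifact_id: str = "log4j") -> List[Tuple[str, str]]:
    """(pom path, description) for every non-optional use found under repo_root.
    Unparseable POMs are reported rather than aborting the scan."""
    findings: List[Tuple[str, str]] = []
    for pom_path in sorted(Path(repo_root).rglob("*.pom")):
        text = pom_path.read_text(encoding="utf-8", errors="replace")
        try:
            hits = non_optional_uses(text, group_id, artifact_id)
        except ET.ParseError as exc:
            findings.append((str(pom_path), f"unparseable POM: {exc}"))
            continue
        for d in hits:
            findings.append((str(pom_path),
                             f"{d['groupId']}:{d['artifactId']}:{d['version']} scope={d['scope']}"))
    return findings


def cached_jars(repo_root, group_id: str = "log4j", artifact_id: str = "log4j") -> List[str]:
    """Jars of group:artifact already present under group/artifact/version/."""
    base = Path(repo_root).joinpath(*group_id.split("."), artifact_id)
    return sorted(str(p) for p in base.glob("*/*.jar")) if base.is_dir() else []


# Constructed sample POMs (not the real commons-logging files): the first marks
# log4j optional, the second does not and uses the namespace-less form.
OPTIONAL_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>optional-style</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.12</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>"""

NON_OPTIONAL_POM = """<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>non-optional-style</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.12</version>
    </dependency>
  </dependencies>
</project>"""


def demo_scan() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Lay the constructed POMs and an empty stand-in jar out in a throwaway
    repository and scan it; returns (findings, cached jars)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("optional-style", OPTIONAL_POM),
                           ("non-optional-style", NON_OPTIONAL_POM)):
            d = Path(tmp, "example", name, "1.0")
            d.mkdir(parents=True)
            (d / f"{name}-1.0.pom").write_text(text, encoding="utf-8")
        jar_dir = Path(tmp, "log4j", "log4j", "1.2.12")
        jar_dir.mkdir(parents=True)
        (jar_dir / "log4j-1.2.12.jar").write_bytes(b"")  # placeholder, not a real jar
        return scan_repository(tmp), cached_jars(tmp)


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else None
    findings, jars = (scan_repository(repo), cached_jars(repo)) if repo else demo_scan()
    for path, what in findings:
        print(f"{path}: {what}")
    for jar in jars:
        print(f"cached jar: {jar}")
```

Run it with the real cache as the argument (for example `python scan_poms.py ~/.m2/repository`) to see which cached POMs declare log4j non-optionally and whether the jar is there; without an argument it scans the constructed samples. The scope is printed because a non-optional `test` or `provided` declaration in a cached POM does not propagate transitively the way a `compile` one does, so the two deserve different attention.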
