Expand my Community achievements bar.

SOLVED

Local mvn build is downloading log4j 1.212 with vulnerabilities

Avatar

Level 2

When running a maven build for a local installation of AEM, the very first thing it does is to reach out to the maven central repo and download an old version of log4j that has known vulnerabilities:

 

INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 346 B/s)
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 3.5 MB/s)

 

I can delete the library from the local repo, but the next build always puts it back.  Running "mvn dependency:tree" does not show what is requiring this library, so I'm not able to see what is requiring it.  How can I stop this library from being downloaded?

1 Accepted Solution

Avatar

Correct answer by
Level 2

Both these plugins were downloading the old log4j jars:

  • filevault-package-maven-plugin
  • content-package-maven-plugin

 

The solution was to add the following dependency exclusion to both plugins:

 

 

<dependency>
	<groupId>org.apache.xbean</groupId>
	<artifactId>xbean-reflect</artifactId>
	<version>3.4</version>
	<exclusions>
		<exclusion>
			<groupId>log4j</groupId>
			<artifactId>log4j</artifactId>
		</exclusion>
	</exclusions>
</dependency>

 

 

View solution in original post

3 Replies

Avatar

Community Advisor

Hi @Philip276742872766 
You can run this in debug mode using -X

Once you know which dependency using log4j then you can exclude log4j 

 

<dependencies>
    <!-- Other dependencies -->
    <dependency>
        <groupId>group-id</groupId>
        <artifactId>artifact-id</artifactId>
        <version>version</version>
        <exclusions>
            <exclusion>
                <groupId>unwanted-group-id</groupId>
                <artifactId>unwanted-artifact-id</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>

 
It is just a pure guess but could be slf4j



Arun Patidar

Avatar

Level 2

Running with the -X option shows that it's coming from Adobe Content Package Maven Plugin

which hasn't been updated since 2020.

 

DEBUG] com.day.jcr.vault:content-package-maven-plugin:jar:1.0.2
[DEBUG]    org.apache.maven:maven-core:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings-builder:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-repository-metadata:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-model-builder:jar:3.2.5:compile
[DEBUG]       org.eclipse.aether:aether-impl:jar:1.0.0.v20140518:compile
[DEBUG]       org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
[DEBUG]       org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.0.M1:compile
[DEBUG]          javax.enterprise:cdi-api:jar:1.0:compile
[DEBUG]             javax.annotation:jsr250-api:jar:1.0:compile
[DEBUG]          org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.0.M1:compile
[DEBUG]       org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3:compile
[DEBUG]          javax.inject:javax.inject:jar:1:compile
[DEBUG]          aopalliance:aopalliance:jar:1.0:compile
[DEBUG]          com.google.guava:guava:jar:16.0.1:compile
[DEBUG]       org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[DEBUG]       org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[DEBUG]       org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.2.5:compile
[DEBUG]    org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[DEBUG]       org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[DEBUG]          org.apache.xbean:xbean-reflect:jar:3.4:compile
[DEBUG]             log4j:log4j:jar:1.2.12:compile
[DEBUG]             commons-logging:commons-logging-api:jar:1.1:compile

Avatar

Correct answer by
Level 2

Both these plugins were downloading the old log4j jars:

  • filevault-package-maven-plugin
  • content-package-maven-plugin

 

The solution was to add the following dependency exclusion to both plugins:

 

 

<dependency>
	<groupId>org.apache.xbean</groupId>
	<artifactId>xbean-reflect</artifactId>
	<version>3.4</version>
	<exclusions>
		<exclusion>
			<groupId>log4j</groupId>
			<artifactId>log4j</artifactId>
		</exclusion>
	</exclusions>
</dependency>