When running a maven build for a local installation of AEM, the very first thing it does is to reach out to the maven central repo and download an old version of log4j that has known vulnerabilities:
INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 346 B/s)
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 3.5 MB/s)
I can delete the library from the local repo, but the next build always puts it back. Running "mvn dependency:tree" does not show what is requiring this library, so I'm not able to see what is requiring it. How can I stop this library from being downloaded?
Solved! Go to Solution.
Views
Replies
Total Likes
Both these plugins were downloading the old log4j jars:
The solution was to add the following dependency exclusion to both plugins:
<dependency>
<groupId>org.apache.xbean</groupId>
<artifactId>xbean-reflect</artifactId>
<version>3.4</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
Views
Replies
Total Likes
Hi @Philip276742872766
You can run this in debug mode using -X
Once you know which dependency using log4j then you can exclude log4j
<dependencies>
<!-- Other dependencies -->
<dependency>
<groupId>group-id</groupId>
<artifactId>artifact-id</artifactId>
<version>version</version>
<exclusions>
<exclusion>
<groupId>unwanted-group-id</groupId>
<artifactId>unwanted-artifact-id</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
It is just a pure guess but could be slf4j
Running with the -X option shows that it's coming from Adobe Content Package Maven Plugin
which hasn't been updated since 2020.
DEBUG] com.day.jcr.vault:content-package-maven-plugin:jar:1.0.2 [DEBUG] org.apache.maven:maven-core:jar:3.2.5:compile [DEBUG] org.apache.maven:maven-settings:jar:3.2.5:compile [DEBUG] org.apache.maven:maven-settings-builder:jar:3.2.5:compile [DEBUG] org.apache.maven:maven-repository-metadata:jar:3.2.5:compile [DEBUG] org.apache.maven:maven-model-builder:jar:3.2.5:compile [DEBUG] org.eclipse.aether:aether-impl:jar:1.0.0.v20140518:compile [DEBUG] org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile [DEBUG] org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.0.M1:compile [DEBUG] javax.enterprise:cdi-api:jar:1.0:compile [DEBUG] javax.annotation:jsr250-api:jar:1.0:compile [DEBUG] org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.0.M1:compile [DEBUG] org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3:compile [DEBUG] javax.inject:javax.inject:jar:1:compile [DEBUG] aopalliance:aopalliance:jar:1.0:compile [DEBUG] com.google.guava:guava:jar:16.0.1:compile [DEBUG] org.codehaus.plexus:plexus-interpolation:jar:1.21:compile [DEBUG] org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile [DEBUG] org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile [DEBUG] org.apache.maven:maven-plugin-api:jar:3.2.5:compile [DEBUG] org.apache.maven:maven-project:jar:3.0-alpha-2:compile [DEBUG] org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile [DEBUG] org.apache.xbean:xbean-reflect:jar:3.4:compile [DEBUG] log4j:log4j:jar:1.2.12:compile [DEBUG] commons-logging:commons-logging-api:jar:1.1:compile
Both these plugins were downloading the old log4j jars:
The solution was to add the following dependency exclusion to both plugins:
<dependency>
<groupId>org.apache.xbean</groupId>
<artifactId>xbean-reflect</artifactId>
<version>3.4</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies