Local mvn build is downloading log4j 1.2.12 with vulnerabilities | Community
Solved. Asked November 13, 2023. 2 replies, 3613 views.

When running a maven build for a local installation of AEM, the very first thing it does is to reach out to the maven central repo and download an old version of log4j that has known vulnerabilities:

[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 346 B/s)
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 3.5 MB/s)

I can delete the library from the local repo, but the next build always puts it back.  Running "mvn dependency:tree" does not show what is requiring this library, so I'm not able to see what is requiring it.  How can I stop this library from being downloaded?

Best answer by Philip276742872766
2 replies

arunpatidar (Community Advisor), November 13, 2023

Hi @philip276742872766
You can run this in debug mode using -X.

Once you know which dependency is using log4j, you can exclude log4j:

<dependencies>
  <!-- Other dependencies -->
  <dependency>
    <groupId>group-id</groupId>
    <artifactId>artifact-id</artifactId>
    <version>version</version>
    <exclusions>
      <exclusion>
        <groupId>unwanted-group-id</groupId>
        <artifactId>unwanted-artifact-id</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>

It is just a pure guess, but it could be slf4j.

Arun Patidar
Philip276742872766 (Author), November 13, 2023

Running with the -X option shows that it's coming from the Adobe Content Package Maven Plugin, which hasn't been updated since 2020.

[DEBUG] com.day.jcr.vault:content-package-maven-plugin:jar:1.0.2
[DEBUG]    org.apache.maven:maven-core:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings-builder:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-repository-metadata:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-model-builder:jar:3.2.5:compile
[DEBUG]       org.eclipse.aether:aether-impl:jar:1.0.0.v20140518:compile
[DEBUG]       org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
[DEBUG]       org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.0.M1:compile
[DEBUG]          javax.enterprise:cdi-api:jar:1.0:compile
[DEBUG]             javax.annotation:jsr250-api:jar:1.0:compile
[DEBUG]          org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.0.M1:compile
[DEBUG]       org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3:compile
[DEBUG]          javax.inject:javax.inject:jar:1:compile
[DEBUG]          aopalliance:aopalliance:jar:1.0:compile
[DEBUG]          com.google.guava:guava:jar:16.0.1:compile
[DEBUG]       org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[DEBUG]       org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[DEBUG]       org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.2.5:compile
[DEBUG]    org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[DEBUG]       org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[DEBUG]          org.apache.xbean:xbean-reflect:jar:3.4:compile
[DEBUG]             log4j:log4j:jar:1.2.12:compile
[DEBUG]             commons-logging:commons-logging-api:jar:1.1:compile
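The reply above relies on reading the -X log by eye, and the earlier suggestion to run in debug mode gives no way to search it. The reason `mvn dependency:tree` showed nothing is that a plugin's classpath is resolved separately from the project's dependencies and only appears in the -X output, as an indented tree under a `[DEBUG] group:artifact:jar:version` line. The script below is an added example (not code from the thread, Adobe or Apache): it rebuilds that tree from the indentation and prints the chain from each plugin down to the artifact you are hunting. The sample log embedded in it is constructed: the content-package-maven-plugin subtree is abridged from the debug output quoted above, and the second plugin tree (`org.example:made-up-plugin`) is invented to show a plugin that does not pull log4j.

```python
"""Trace which Maven plugin pulls an unwanted artifact, from `mvn -X` output.

Added example, not code from the thread or from Adobe/Apache. `mvn
dependency:tree` covers only the project's own dependencies; a plugin's
classpath is resolved separately and shows up only in the -X (debug) log as
an indented tree under a "[DEBUG] group:artifact:jar:version" line. This
script rebuilds that tree from the indentation and prints the chain from the
plugin down to the artifact being hunted (log4j:log4j by default).
"""
import re
import sys

# Constructed sample of -X output. The content-package-maven-plugin subtree is
# abridged from the debug output quoted in the thread; the "made-up-plugin"
# tree is invented to show a plugin that does NOT pull log4j.
SAMPLE_DEBUG_LOG = """\
[DEBUG] com.day.jcr.vault:content-package-maven-plugin:jar:1.0.2
[DEBUG]    org.apache.maven:maven-core:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings:jar:3.2.5:compile
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.2.5:compile
[DEBUG]    org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[DEBUG]       org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[DEBUG]          org.apache.xbean:xbean-reflect:jar:3.4:compile
[DEBUG]             log4j:log4j:jar:1.2.12:compile
[DEBUG]             commons-logging:commons-logging-api:jar:1.1:compile
[DEBUG] Configuring mojo 'com.day.jcr.vault:content-package-maven-plugin:1.0.2:package' with basic configurator -->
[DEBUG] org.example:made-up-plugin:jar:9.9.9
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.2.5:compile
"""

# One tree line: "[DEBUG]", the indentation that encodes depth, then a Maven
# coordinate with no embedded spaces (group:artifact:type[:classifier]:version[:scope]).
TREE_LINE = re.compile(r"^\[DEBUG\]( +)([^\s:]+:[^\s:]+:[^\s:]+:\S+)\s*$")


def group_artifact(coord):
    """'log4j:log4j:jar:1.2.12:compile' -> 'log4j:log4j'."""
    return ":".join(coord.split(":")[:2])


def find_pull_chains(log_text, target_ga):
    """Return every ancestor chain (plugin first, target last) ending in target_ga."""
    chains = []
    stack = []  # (indent, coordinate) for each ancestor of the current line
    for line in log_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # not a dependency-tree line; leave the stack alone
        indent, coord = len(m.group(1)), m.group(2)
        # A line indented no deeper than the stack top is a sibling or an
        # uncle, not a child: unwind until the real parent is on top.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, coord))
        if group_artifact(coord) == target_ga:
            chains.append([c for _, c in stack])
    return chains


def format_chain(chain):
    """Render one chain as an indented tree, plugin at the root."""
    return "\n".join("  " * depth + coord for depth, coord in enumerate(chain))


def main(argv):
    # Usage: mvn -X install | python find_plugin_dep.py log4j:log4j
    target = argv[1] if len(argv) > 1 else "log4j:log4j"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG_LOG
    chains = find_pull_chains(text, target)
    if not chains:
        print(f"{target} is not on any plugin classpath in this log")
        return 0
    for chain in chains:
        print(format_chain(chain), end="\n\n")
    return 1  # non-zero so a CI job can fail on a hit


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe a full `mvn -X` run through it once before the fix to get the list of plugins to patch, and once after to confirm no chain to log4j:log4j remains; the non-zero exit on a hit makes it usable as a build gate.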
Philip276742872766 (Author), accepted solution, November 14, 2023

Both these plugins were downloading the old log4j jars:

  • filevault-package-maven-plugin
  • content-package-maven-plugin

The solution was to add the following dependency exclusion to both plugins:

<dependency>
  <groupId>org.apache.xbean</groupId>
  <artifactId>xbean-reflect</artifactId>
  <version>3.4</version>
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
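The accepted answer gives the exclusion as a bare fragment; it belongs inside each plugin's own `<dependencies>` element under `<build><plugins><plugin>`, which overrides that plugin's classpath rather than the project's. The script below is an added example, not code from the thread or from Adobe/Apache: it embeds a constructed pom.xml that places the fragment in context for both plugins and then checks, per plugin, whether the xbean-reflect override is present and still carries the log4j exclusion, so a later edit cannot quietly bring the jar back. The plugin groupIds (`org.apache.jackrabbit` and `com.day.jcr.vault`) are the real ones; the filevault plugin version `X.Y.Z` is a placeholder, and the third plugin is included only to show the "no override" case.

```python
"""Guard that plugin-level overrides in a pom.xml keep log4j:log4j excluded.

Added example, not code from the thread. The accepted answer puts an
xbean-reflect 3.4 dependency with a log4j exclusion under each plugin's own
<dependencies> block (which overrides the plugin's classpath, not the
project's). This script parses a pom and reports, per build plugin, whether
that override is present and still carries the exclusion. The pom below is
constructed for the example; the filevault plugin version is a placeholder.
"""
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>aem-project</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.jackrabbit</groupId>
        <artifactId>filevault-package-maven-plugin</artifactId>
        <version>X.Y.Z</version><!-- placeholder, not a tested version -->
        <dependencies>
          <!-- the exclusion from the accepted answer, in context -->
          <dependency>
            <groupId>org.apache.xbean</groupId>
            <artifactId>xbean-reflect</artifactId>
            <version>3.4</version>
            <exclusions>
              <exclusion>
                <groupId>log4j</groupId>
                <artifactId>log4j</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
        </dependencies>
      </plugin>
      <plugin>
        <groupId>com.day.jcr.vault</groupId>
        <artifactId>content-package-maven-plugin</artifactId>
        <version>1.0.2</version>
        <dependencies>
          <!-- same override, but the exclusion was dropped: must be flagged -->
          <dependency>
            <groupId>org.apache.xbean</groupId>
            <artifactId>xbean-reflect</artifactId>
            <version>3.4</version>
          </dependency>
        </dependencies>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.11.0</version>
      </plugin>
    </plugins>
  </build>
</project>
"""


def ga(elem):
    """group:artifact of a <plugin>, <dependency> or <exclusion> element."""
    return "{}:{}".format(elem.findtext("m:groupId", namespaces=POM_NS),
                         elem.findtext("m:artifactId", namespaces=POM_NS))


def override_status(pom_xml, override_ga="org.apache.xbean:xbean-reflect",
                    excluded_ga="log4j:log4j"):
    """Map each build plugin's group:artifact to
       True  - declares override_ga with excluded_ga in its <exclusions>
       False - declares override_ga but without that exclusion
       None  - has no plugin-level dependency on override_ga at all
    """
    root = ET.fromstring(pom_xml)
    status = {}
    for plugin in root.findall("m:build/m:plugins/m:plugin", POM_NS):
        result = None
        for dep in plugin.findall("m:dependencies/m:dependency", POM_NS):
            if ga(dep) != override_ga:
                continue
            excluded = {ga(e) for e in dep.findall("m:exclusions/m:exclusion", POM_NS)}
            result = excluded_ga in excluded
        status[ga(plugin)] = result
    return status


def plugins_missing_exclusion(pom_xml, must_override=()):
    """Plugins that still expose the jar: any override without the exclusion,
    plus any plugin in `must_override` (known to pull it) with no override."""
    status = override_status(pom_xml)
    bad = [p for p, ok in status.items() if ok is False]
    bad += [p for p in must_override if status.get(p) is None]
    return sorted(set(bad))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    known = ("org.apache.jackrabbit:filevault-package-maven-plugin",
             "com.day.jcr.vault:content-package-maven-plugin")
    for plugin, ok in override_status(text).items():
        label = "excluded" if ok else ("NO exclusion" if ok is False else "no override")
        print(f"{plugin}: {label}")
    sys.exit(1 if plugins_missing_exclusion(text, known) else 0)
```

Run it against the real pom.xml as a pre-commit or CI step. The override replaces part of the plugin's classpath, so after adding it rerun the package goal and a `mvn -X` build to confirm both that the plugin still works and that no log4j download appears.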