SOLVED

Local mvn build is downloading log4j 1.2.12 with vulnerabilities

Level 2

When running a maven build for a local installation of AEM, the very first thing it does is to reach out to the maven central repo and download an old version of log4j that has known vulnerabilities:

[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 346 B/s)
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 3.5 MB/s)

I can delete the library from the local repo, but the next build always puts it back.  Running "mvn dependency:tree" does not show what is requiring this library, so I'm not able to see what is requiring it.  How can I stop this library from being downloaded?

1 Accepted Solution

Correct answer by
Level 2

Both these plugins were downloading the old log4j jars:

  • filevault-package-maven-plugin
  • content-package-maven-plugin

The solution was to add the following dependency exclusion to both plugins:

<dependency>
	<groupId>org.apache.xbean</groupId>
	<artifactId>xbean-reflect</artifactId>
	<version>3.4</version>
	<exclusions>
		<exclusion>
			<groupId>log4j</groupId>
			<artifactId>log4j</artifactId>
		</exclusion>
	</exclusions>
</dependency>
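As an added example (not the poster's own pom, and not shipped by either plugin project), this is where that exclusion goes: a `<dependencies>` block inside the `<plugin>` element overrides the transitive xbean-reflect that the plugin resolves for its own classpath, and the exclusion is attached to that override. The content-package-maven-plugin coordinates (com.day.jcr.vault, version 1.0.2) and the chain maven-project → plexus-container-default → xbean-reflect → log4j come from the -X output in this thread; the org.apache.jackrabbit groupId for filevault-package-maven-plugin is assumed, and PLUGIN_VERSION is a placeholder for whatever version the pom already uses.

```xml
<!-- Added example, not from the original post. Plugin-level dependency
     override that removes log4j 1.2.x from both plugins named in the
     accepted answer. PLUGIN_VERSION is a placeholder; the groupId of
     filevault-package-maven-plugin is assumed. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.jackrabbit</groupId>
      <artifactId>filevault-package-maven-plugin</artifactId>
      <version>PLUGIN_VERSION</version>
      <dependencies>
        <!-- Declaring xbean-reflect here makes it a direct plugin dependency,
             so this exclusion wins over the transitive copy. -->
        <dependency>
          <groupId>org.apache.xbean</groupId>
          <artifactId>xbean-reflect</artifactId>
          <version>3.4</version>
          <exclusions>
            <exclusion>
              <groupId>log4j</groupId>
              <artifactId>log4j</artifactId>
            </exclusion>
          </exclusions>
        </dependency>
      </dependencies>
    </plugin>

    <plugin>
      <groupId>com.day.jcr.vault</groupId>
      <artifactId>content-package-maven-plugin</artifactId>
      <version>1.0.2</version> <!-- version shown in the -X output -->
      <dependencies>
        <!-- The -X tree shows this plugin pulling log4j via
             maven-project -> plexus-container-default -> xbean-reflect -->
        <dependency>
          <groupId>org.apache.xbean</groupId>
          <artifactId>xbean-reflect</artifactId>
          <version>3.4</version>
          <exclusions>
            <exclusion>
              <groupId>log4j</groupId>
              <artifactId>log4j</artifactId>
            </exclusion>
          </exclusions>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Two things worth keeping in mind. Plugin dependencies only affect the plugin classpath on the build machine; nothing in this block changes what is packaged into the content package that gets installed on AEM, so the exclusion silences the scanner finding and the download without touching the deployed artifact. To confirm the override took effect, rerun the build and check that the `Downloading from central: .../log4j/log4j/1.2.12/...` lines are gone, or run the build with -X again and check that the plugin's resolved tree no longer lists log4j:log4j:jar:1.2.12 under xbean-reflect (dependency:tree will not show it, since it only reports project dependencies, not plugin ones).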

3 Replies

Community Advisor

Hi @Philip276742872766
You can run this in debug mode using -X.

Once you know which dependency is using log4j, you can exclude log4j:

<dependencies>
    <!-- Other dependencies -->
    <dependency>
        <groupId>group-id</groupId>
        <artifactId>artifact-id</artifactId>
        <version>version</version>
        <exclusions>
            <exclusion>
                <groupId>unwanted-group-id</groupId>
                <artifactId>unwanted-artifact-id</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>

It is just a pure guess, but it could be slf4j.



Arun Patidar

Level 2

Running with the -X option shows that it's coming from the Adobe Content Package Maven Plugin, which hasn't been updated since 2020.

[DEBUG] com.day.jcr.vault:content-package-maven-plugin:jar:1.0.2
[DEBUG]    org.apache.maven:maven-core:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-settings-builder:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-repository-metadata:jar:3.2.5:compile
[DEBUG]       org.apache.maven:maven-model-builder:jar:3.2.5:compile
[DEBUG]       org.eclipse.aether:aether-impl:jar:1.0.0.v20140518:compile
[DEBUG]       org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
[DEBUG]       org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.0.M1:compile
[DEBUG]          javax.enterprise:cdi-api:jar:1.0:compile
[DEBUG]             javax.annotation:jsr250-api:jar:1.0:compile
[DEBUG]          org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.0.M1:compile
[DEBUG]       org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3:compile
[DEBUG]          javax.inject:javax.inject:jar:1:compile
[DEBUG]          aopalliance:aopalliance:jar:1.0:compile
[DEBUG]          com.google.guava:guava:jar:16.0.1:compile
[DEBUG]       org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[DEBUG]       org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[DEBUG]       org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.2.5:compile
[DEBUG]    org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[DEBUG]       org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[DEBUG]          org.apache.xbean:xbean-reflect:jar:3.4:compile
[DEBUG]             log4j:log4j:jar:1.2.12:compile
[DEBUG]             commons-logging:commons-logging-api:jar:1.1:compile
