Adobe Experience Manager Sites & More

Hi all,

When running a maven build for a local installation of AEM, the very first thing it does is to reach out to the maven central repo and download an old version of log4j that has known vulnerabilities

I want latest version needs to be download for log4j

[DEBUG] Importing foreign packages into class realm extension>com.day.jcr.vault:content-package-maven-plugin:1.0.2
[DEBUG]   Imported:  < maven.api
[DEBUG] Populating class realm extension>com.day.jcr.vault:content-package-maven-plugin:1.0.2
[DEBUG]   Included: com.day.jcr.vault:content-package-maven-plugin:jar:1.0.2
[DEBUG]   Included: javax.enterprise:cdi-api:jar:1.0
[DEBUG]   Included: javax.annotation:jsr250-api:jar:1.0
[DEBUG]   Included: org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.0.M1
[DEBUG]   Included: org.sonatype.sisu:sisu-guice:jar:no_aop:3.2.3
[DEBUG]   Included: aopalliance:aopalliance:jar:1.0
[DEBUG]   Included: com.google.guava:guava:jar:16.0.1
[DEBUG]   Included: org.codehaus.plexus:plexus-interpolation:jar:1.21
[DEBUG]   Included: org.codehaus.plexus:plexus-component-annotations:jar:1.5.5
[DEBUG]   Included: org.apache.xbean:xbean-reflect:jar:3.4
[DEBUG]   Included: log4j:log4j:jar:1.2.12


[DEBUG] Created new class realm extension>org.apache.jackrabbit:filevault-package-maven-plugin:1.0.3
[DEBUG] Importing foreign packages into class realm extension>org.apache.jackrabbit:filevault-package-maven-plugin:1.0.3
[DEBUG]   Imported:  < maven.api
[DEBUG] Populating class realm extension>org.apache.jackrabbit:filevault-package-maven-plugin:1.0.3
[DEBUG]   Included: org.apache.jackrabbit:filevault-package-maven-plugin:jar:1.0.3
[DEBUG]   Included: org.apache.jackrabbit.vault:org.apache.jackrabbit.vault:jar:3.2.0
[DEBUG]   Included: javax.jcr:jcr:jar:2.0
[DEBUG]   Included: org.apache.maven:maven-builder-support:jar:3.3.9
[DEBUG]   Included: com.google.guava:guava:jar:18.0
[DEBUG]   Included: javax.enterprise:cdi-api:jar:1.0
[DEBUG]   Included: javax.annotation:jsr250-api:jar:1.0
[DEBUG]   Included: org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.2
[DEBUG]   Included: com.google.inject:guice:jar:no_aop:4.0
[DEBUG]   Included: aopalliance:aopalliance:jar:1.0
[DEBUG]   Included: org.codehaus.plexus:plexus-interpolation:jar:1.21
[DEBUG]   Included: org.codehaus.plexus:plexus-component-annotations:jar:1.6
[DEBUG]   Included: org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3
[DEBUG]   Included: org.sonatype.plexus:plexus-cipher:jar:1.4
[DEBUG]   Included: org.apache.commons:commons-lang3:jar:3.4
[DEBUG]   Included: org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.5
[DEBUG]   Included: org.apache.xbean:xbean-reflect:jar:3.4
[DEBUG]   Included: log4j:log4j:jar:1.2.12



[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.2.5:compile
[DEBUG]    org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[DEBUG]       org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[DEBUG]          org.apache.xbean:xbean-reflect:jar:3.4:compile
[DEBUG]             log4j:log4j:jar:1.2.12:compile
[DEBUG]             commons-logging:commons-logging-api:jar:1.1:compile


Downloading from adobe-public-releases: https://repo.adobe.com/nexus/content/groups/public/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 236 B/s)
Downloading from adobe-public-releases: https://repo.adobe.com/nexus/content/groups/public/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 527 kB/s)

I tried with these dependencies but not working for me

<dependency>
  <groupId>org.apache.xbean</groupId>
  <artifactId>xbean-reflect</artifactId>
  <version>3.4</version>
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<dependency>
  <groupId>org.codehaus.plexus</groupId>
  <artifactId>plexus-container-default</artifactId>
  <version>1.0-beta-3.0.5</version>
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
</dependency>

If any have some idea please suggest some solution to resolve this issue

Thanks

Nandheswara