Lida Zhao created MNG-7364:
------------------------------

Summary: could log4j impair a program if it is a transitive "provided" dependency?
Key: MNG-7364
URL: https://issues.apache.org/jira/browse/MNG-7364
Project: Maven
Issue Type: Improvement
Reporter: Lida Zhao
Log4j's problem led me to a strange thought, which I want to discuss with you: will a transitive "provided" dependency impair my project?

Let's take an example. I have a project structured like this; I import "druid", which has a provided dependency "log4j-core":

my-company:my-app2:v1.0
- com.alibaba:druid:jar:1.2.8:compile
  - org.apache.logging.log4j:log4j-core:jar:2.13.3:provided

To `my-app`, `log4j-core` is a transitive "provided" dependency. But the "provided" scope is not transitive according to the doc, so when we use `mvn dependency:tree`, we can only get:

my-company:my-app2:v1.0
- com.alibaba:druid:jar:1.2.8:compile

Since log4j-core participates in the compilation of druid, part of `log4j-core`'s code could be inside. In the worst case, could it also be vulnerable? If so, how could we know whether `log4j-core` is actually inside?

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
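The reporter's last question, whether log4j-core classes ended up inside a jar that `mvn dependency:tree` does not list, can be answered by inspecting the artifact itself rather than the dependency graph. The following is an added example, not code from the ticket or from Maven: it scans a jar (and any jar nested inside it, as in fat jars or WAR libs) for the `org/apache/logging/log4j/core/` class prefix and for the `pom.properties` file Maven writes into jars it builds. The sample jar it scans is constructed in memory; the entry names and the `helper-1.0.jar` path are assumptions for the demonstration.

```python
"""Scan a jar, and any jars nested inside it, for bundled log4j-core contents."""
import io
import zipfile

# Two markers that identify log4j-core bundled into another jar: the package
# prefix of its classes, and the pom.properties Maven writes into jars it builds.
LOG4J_CORE_CLASS_PREFIX = "org/apache/logging/log4j/core/"
LOG4J_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def find_log4j_core(jar_bytes, path="<root>"):
    """Return (location, entry) pairs that belong to log4j-core.

    Recurses into nested .jar entries so a copy hidden one level down
    (BOOT-INF/lib, WEB-INF/lib, ...) is reported with its full location.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_CORE_CLASS_PREFIX) and name.endswith(".class"):
                hits.append((path, name))
            elif name == LOG4J_CORE_POM_PROPS:
                hits.append((path, name))
            elif name.endswith(".jar"):
                hits.extend(find_log4j_core(zf.read(name), path + "!/" + name))
    return hits


def build_sample_jar():
    """Constructed sample (assumption, not a real artifact): an app jar that
    bundles one log4j-core class directly and carries a nested lib jar that
    still holds log4j-core's pom.properties."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("com/example/util/Helper.class", b"\xca\xfe\xba\xbe")
        zf.writestr(LOG4J_CORE_POM_PROPS,
                    b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.13.3\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr(LOG4J_CORE_CLASS_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("BOOT-INF/lib/helper-1.0.jar", nested.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for location, entry in find_log4j_core(build_sample_jar()):
        print(f"{location}: {entry}")
```

A shaded copy whose packages were relocated escapes the prefix check, which is why the `pom.properties` marker is kept alongside it; running the scan over every jar in the deployed artifact, not over the dependency tree, is what tells you what is actually on the classpath.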