
Michael Osipov updated MJAVADOC-726:
    Fix Version/s: wontfix-candidate

> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>                 Key: MJAVADOC-726
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-726
>             Project: Maven Javadoc Plugin
>          Issue Type: Bug
>          Components: jar, javadoc
>    Affects Versions: 3.4.0
>         Environment: Windows 10
>            Reporter: Yogesh Desai
>            Priority: Major
>              Labels: Vulnerability, vulnerability
>             Fix For: wontfix-candidate, waiting-for-feedback
>         Attachments: log4j-1.2.12.png
> I have observed that Maven Javadoc Plug-in v3.4.0 downloads Log4j-1.2.12 
> dependency transitively in local maven repository i.e. .m2 folder upon 
> running maven update in eclipse IDE or from command line. Since Log4j-1.X is 
> strictly prohibited for use in many organisations, we had no other option 
> that not using the plugin. Please plan to fix this issue and get rid of the 
> log4j-1.X dependency. 
> *Steps to Reproduce-*
> 1. Add maven javadoc plugin v3.4.0 in your project POM file
>          <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-javadoc-plugin</artifactId>
>                 <version>3.4.0</version>
>                 <configuration>
>                     <encoding>UTF-8</encoding>
>                     <additionalparam>-Xdoclint:none</additionalparam>
>                 </configuration>
>                 <executions>
>                     <execution>
>                         <id>attach-javadocs</id>
>                         <goals>
>                             <goal>jar</goal>
>                         </goals>
>                     </execution>
>                 </executions>
>             </plugin>
> 2. Observe your local maven repository ie. .m2 folder and see if there are 
> any log4j-1.2.12 artifacts are present in log4j folder of it. If artifacts 
> are present already, delete them for now.
> 3. Run maven update command for your project (additionally run maven install 
> command as needed)
> 4. Observe your local maven repository ie. .m2 folder and see if there are 
> any log4j-1.2.12 artifacts are generated with latest timestamp inside log4j 
> folder.
> Attached is the screenshot showing, maven javadoc plugin v3.4.0 used in 
> POM.xml and log4j-1.2.12 dependency getting downloaded in local maven 
> repository i.e. .m2 folder.
> Let me know if any other information is required. Thanks!

This message was sent by Atlassian Jira

Reply via email to