[ https://issues.apache.org/jira/browse/MJAVADOC-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690521#comment-17690521 ]
Elliotte Rusty Harold commented on MJAVADOC-726:
------------------------------------------------

The sample project link above seems to be 404

> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
>                 Key: MJAVADOC-726
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-726
>             Project: Maven Javadoc Plugin
>          Issue Type: Bug
>          Components: jar, javadoc
>    Affects Versions: 3.4.0
>         Environment: Windows 10
>            Reporter: Yogesh Desai
>            Priority: Major
>              Labels: Vulnerability, vulnerability
>             Fix For: wontfix-candidate, waiting-for-feedback
>
>         Attachments: log4j-1.2.12.png
>
>
> I have observed that Maven Javadoc Plug-in v3.4.0 downloads the Log4j-1.2.12
> dependency transitively into the local Maven repository, i.e. the .m2 folder, upon
> running Maven update in the Eclipse IDE or from the command line. Since Log4j-1.X is
> strictly prohibited for use in many organisations, we had no other option
> than not using the plugin. Please plan to fix this issue and get rid of the
> log4j-1.X dependency.
>
> *Steps to Reproduce-*
>
> 1. Add maven javadoc plugin v3.4.0 in your project POM file
>
>     <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-javadoc-plugin</artifactId>
>         <version>3.4.0</version>
>         <configuration>
>             <encoding>UTF-8</encoding>
>             <additionalparam>-Xdoclint:none</additionalparam>
>         </configuration>
>         <executions>
>             <execution>
>                 <id>attach-javadocs</id>
>                 <goals>
>                     <goal>jar</goal>
>                 </goals>
>             </execution>
>         </executions>
>     </plugin>
>
> 2. Observe your local Maven repository, i.e. the .m2 folder, and see if any
> log4j-1.2.12 artifacts are present in its log4j folder. If artifacts
> are present already, delete them for now.
>
> 3. Run the Maven update command for your project (additionally run the maven install
> command as needed).
>
> 4. Observe your local Maven repository, i.e. the .m2 folder, and see if any
> log4j-1.2.12 artifacts are generated with the latest timestamp inside the log4j
> folder.
>
> Attached is the screenshot showing maven javadoc plugin v3.4.0 used in
> POM.xml and the log4j-1.2.12 dependency getting downloaded into the local Maven
> repository, i.e. the .m2 folder.
>
> Let me know if any other information is required. Thanks!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
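Steps 2 and 4 of the quoted report are a manual check of the local repository for freshly written Log4j 1.x artifacts. The script below is an added example (not part of the issue, the plugin, or Maven itself) that automates that check: it walks the `log4j/log4j/<version>/` layout Maven uses for the `log4j:log4j` coordinates, reports every jar or pom whose version is 1.x, and can restrict the report to files modified after a given timestamp so a build run can be bracketed. The sample repository it builds for offline use is constructed here; the version numbers and file contents in it are placeholders, not real artifacts.

```python
#!/usr/bin/env python3
"""Added example: scan a Maven local repository for Log4j 1.x artifacts.

Automates steps 2 and 4 of the report: look under <repo>/log4j/log4j/ for
1.x version directories and report any jar/pom found there, optionally only
files written at or after a given timestamp (the "latest timestamp" check).
"""
import re
import sys
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Maven stores coordinates G:A:V at <repo>/<G with '.' -> '/'>/<A>/<V>/<A>-<V>.<ext>.
# Log4j 1.x is published under groupId "log4j", artifactId "log4j"; Log4j 2 lives
# under org.apache.logging.log4j and is deliberately not flagged here.
LOG4J1_DIR = Path("log4j") / "log4j"
LOG4J1_VERSION = re.compile(r"^1\.\d+(\.\d+)*$")
ARTIFACT_SUFFIXES = (".jar", ".pom")


def find_log4j1_artifacts(repo_root: Path,
                          since: Optional[float] = None) -> List[Dict[str, object]]:
    """Return one record per Log4j 1.x jar/pom found in the repository.

    `since` is a POSIX timestamp; when given, only files modified at or after
    it are reported, which isolates artifacts a specific build just fetched.
    """
    base = Path(repo_root) / LOG4J1_DIR
    findings: List[Dict[str, object]] = []
    if not base.is_dir():
        return findings
    for version_dir in sorted(base.iterdir()):
        # Only directories whose name is a 1.x version are of interest.
        if not (version_dir.is_dir() and LOG4J1_VERSION.match(version_dir.name)):
            continue
        for artifact in sorted(version_dir.iterdir()):
            if artifact.suffix not in ARTIFACT_SUFFIXES:
                continue
            mtime = artifact.stat().st_mtime
            if since is not None and mtime < since:
                continue
            findings.append({
                "coordinates": f"log4j:log4j:{version_dir.name}",
                "path": str(artifact),
                "modified": mtime,
            })
    return findings


def build_sample_repo() -> Path:
    """Constructed sample repository (not a real .m2): one Log4j 1.x artifact
    pair and one Log4j 2 artifact, so the scanner can be exercised offline.
    The file contents are placeholder bytes, not real archives."""
    root = Path(tempfile.mkdtemp(prefix="m2-sample-"))
    for rel in ("log4j/log4j/1.2.12/log4j-1.2.12.jar",
                "log4j/log4j/1.2.12/log4j-1.2.12.pom",
                "org/apache/logging/log4j/log4j-api/2.0.0/log4j-api-2.0.0.jar"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder bytes, not a real archive")
    return root


if __name__ == "__main__":
    # Usage: scan_m2.py [repository-root] ; defaults to ~/.m2/repository.
    repo = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".m2" / "repository"
    hits = find_log4j1_artifacts(repo)
    for hit in hits:
        print(f"{hit['coordinates']}  {time.ctime(hit['modified'])}  {hit['path']}")
    sys.exit(1 if hits else 0)
```

Record the clock before running the build, then pass that value as `since` to see only what the build itself wrote. The scan keys on the canonical `log4j:log4j` path, so a copy of Log4j 1.x that has been shaded or relocated into another artifact would not be found this way; that case needs inspection of the jar contents rather than the repository layout.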