[jira] [Commented] (MJAVADOC-726) Maven Java Doc Plugin downloads Log4j-1.2.12 dependency transitively

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/MJAVADOC-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17767992#comment-17767992
 ] 

ASF GitHub Bot commented on MJAVADOC-726:
-----------------------------------------

elharo commented on PR #243:
URL: 
https://github.com/apache/maven-javadoc-plugin/pull/243#issuecomment-1731361715

   same IT failed in the same way in the effort to upgrade to 1.2.17. I still 
don't see how this change would cause that particular failure since neither 
doxia nor log4j is involved in that code path. Need to check what happens with 
an innocuous change




> Maven Java Doc Plugin downloads Log4j-1.2.12 dependency transitively
> --------------------------------------------------------------------
>
>                 Key: MJAVADOC-726
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-726
>             Project: Maven Javadoc Plugin
>          Issue Type: Bug
>          Components: jar, javadoc
>    Affects Versions: 3.4.0
>         Environment: Windows 10
>            Reporter: Yogesh Desai
>            Assignee: Elliotte Rusty Harold
>            Priority: Major
>              Labels: Vulnerability, vulnerability
>             Fix For: wontfix-candidate, waiting-for-feedback
>
>         Attachments: log4j-1.2.12.png
>
>
> I have observed that Maven Javadoc Plug-in v3.4.0 downloads Log4j-1.2.12 
> dependency transitively in local maven repository i.e. .m2 folder upon 
> running maven update in eclipse IDE or from command line. Since Log4j-1.X is 
> strictly prohibited for use in many organisations, we had no other option 
> that not using the plugin. Please plan to fix this issue and get rid of the 
> log4j-1.X dependency. 
> *Steps to Reproduce-*
> 1. Add maven javadoc plugin v3.4.0 in your project POM file
>          <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-javadoc-plugin</artifactId>
>                 <version>3.4.0</version>
>                 <configuration>
>                     <encoding>UTF-8</encoding>
>                     <additionalparam>-Xdoclint:none</additionalparam>
>                 </configuration>
>                 <executions>
>                     <execution>
>                         <id>attach-javadocs</id>
>                         <goals>
>                             <goal>jar</goal>
>                         </goals>
>                     </execution>
>                 </executions>
>             </plugin>
> 2. Observe your local maven repository ie. .m2 folder and see if there are 
> any log4j-1.2.12 artifacts are present in log4j folder of it. If artifacts 
> are present already, delete them for now.
> 3. Run maven update command for your project (additionally run maven install 
> command as needed)
> 4. Observe your local maven repository ie. .m2 folder and see if there are 
> any log4j-1.2.12 artifacts are generated with latest timestamp inside log4j 
> folder.
> Attached is the screenshot showing, maven javadoc plugin v3.4.0 used in 
> POM.xml and log4j-1.2.12 dependency getting downloaded in local maven 
> repository i.e. .m2 folder.
> Let me know if any other information is required. Thanks!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)