[ https://issues.apache.org/jira/browse/MDEP-902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold resolved MDEP-902.
----------------------------------------
    Resolution: Fixed

This appears to no longer be the case at head. If you still see this, please provide details on how you know log4j is in the tree.

> plugin has dependency on log4j version with vulnerability
> ---------------------------------------------------------
>
>                 Key: MDEP-902
>                 URL: https://issues.apache.org/jira/browse/MDEP-902
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.6.1
>            Reporter: Cary Mader
>            Priority: Major
>
> We have Maven projects using the dependency plugin; when it executes, it causes
> Maven to pull the log4j jar version 1.2.12 into the local Maven repos on build
> servers, and then scanners flag that jar as having a vulnerability,
> which causes us a lot of noise.
> The dependency GAV is log4j / log4j / 1.2.12.
> We have seen this with the latest version, 3.6.1.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)