[ 
https://issues.apache.org/jira/browse/MDEP-902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Elliotte Rusty Harold closed MDEP-902.
--------------------------------------

> plugin has dependency on log4j version with vulnerability
> ---------------------------------------------------------
>
>                 Key: MDEP-902
>                 URL: https://issues.apache.org/jira/browse/MDEP-902
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.6.1
>            Reporter: Cary Mader
>            Priority: Major
>
> We have Maven projects using dependency plugin, when it executes it's causing 
> maven to pull the log4j jar version 1.2.12 to local maven repos on build 
> servers, and then scanners are flagging that jar as having a vulnerability, 
> which causes us a lot of noise.
> dependency gav is  log4j / log4j / 1.2.12 
> have seen this with latest version, 3.6.1



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to