jira-importer opened a new issue, #70: URL: https://github.com/apache/maven-apache-resources/issues/70
**[NRYet](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=JIRAUSER281746)** opened **[MASFRES-50](https://issues.apache.org/jira/browse/MASFRES-50?redirect=false)** and commented

Recently, detecting log4j in programs is an urgent job for many companies. I know many SCA tools such as OWASP, Steady, snyk support doing this. But many log4j deps are included as "provided" in transitive dependencies, such as log4j in `com.alibaba:druid`. Let's consider the following condition:

```
my-company:my-app2:v1.0
\- com.alibaba:druid:jar:1.2.8:compile
   \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
```

In this case, none of the above tools can detect log4j. But log4j is actually called in druid, and some of the vulnerable code might be compiled into druid, yet we don't know it if we didn't check druid's pom manually.

My question is:

1. Why doesn't maven list the transitive provided dependencies in the tree? Just for a better understanding of the dependency relationship.
2. Without checking poms one by one manually, how could we resolve the relationship such as log4j to my-app2?

A more detailed description is in: https://stackoverflow.com/questions/70337939/how-could-we-resolve-the-transitive-provided-dependencies-in-maven

---

No further details from [MASFRES-50](https://issues.apache.org/jira/browse/MASFRES-50?redirect=false)
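The report above asks how to find a `provided`-scope dependency that Maven omits from the consumer's dependency tree. One way to answer the second question without reading poms by hand is to parse the pom of each direct dependency and list its own `provided` dependencies. The script below is an added example, not code from the report, from Maven, or from the Maven Resources project: it reads pom XML (constructed inline here; in practice it would be loaded from the local repository under `~/.m2/repository/<group path>/<artifact>/<version>/<artifact>-<version>.pom`), resolves `${property}` placeholders and `dependencyManagement` versions, and reports every provided-scope dependency whose groupId falls under a prefix such as `org.apache.logging.log4j`. The `load_sample_pom` loader and the `com.example:*` artifacts are hypothetical.

```python
"""List provided-scope dependencies that direct dependencies declare.

Maven drops a dependency's own provided-scope dependencies from the
consumer's tree, so a library compiled against log4j-core may never show
up in `mvn dependency:tree`. Reading the library's pom recovers that link.
Example code, not part of the original report.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _text(elem, path):
    """Text of a namespaced child element given a slash-separated path, or None."""
    qualified = "/".join("m:" + part for part in path.split("/"))
    child = elem.find(qualified, NS)
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Replace ${prop} placeholders from <properties>; unknown ones are left as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def provided_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each provided-scope dependency in a pom."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    version = _text(root, "version") or _text(root, "parent/version")
    if version:
        props["project.version"] = version
    # dependencyManagement supplies the version when a dependency omits it
    managed = {}
    for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        managed[(_text(d, "groupId"), _text(d, "artifactId"))] = _resolve(_text(d, "version"), props)
    found = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        if (_text(d, "scope") or "compile") != "provided":
            continue
        g, a = _text(d, "groupId"), _text(d, "artifactId")
        v = _resolve(_text(d, "version"), props) or managed.get((g, a)) or "UNRESOLVED"
        found.append((g, a, v))
    return found


def hidden_provided(direct_deps, load_pom, group_prefix):
    """Map 'g:a:v' of each direct dependency to its provided deps under group_prefix.

    load_pom(groupId, artifactId, version) returns the pom text or None when missing.
    """
    findings = {}
    for g, a, v in direct_deps:
        pom = load_pom(g, a, v)
        if pom is None:
            continue
        hits = [dep for dep in provided_dependencies(pom) if dep[0].startswith(group_prefix)]
        if hits:
            findings[f"{g}:{a}:{v}"] = hits
    return findings


# Constructed sample poms standing in for files in the local repository.
# The druid pom below is simplified; the com.example artifacts are hypothetical.
SAMPLE_POMS = {
    ("com.alibaba", "druid", "1.2.8"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.2.8</version>
  <properties><log4j.version>2.13.3</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version><scope>provided</scope></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.30</version></dependency>
  </dependencies></project>""",
    ("com.example", "clean-lib", "1.0"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>clean-lib</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.30</version></dependency>
  </dependencies></project>""",
    ("com.example", "managed-lib", "2.0"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>managed-lib</artifactId><version>2.0</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId>
      <version>2.13.3</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId>
      <scope>provided</scope></dependency>
  </dependencies></project>""",
}

# Direct dependencies of my-app2, as `mvn dependency:tree` would list them (constructed).
DIRECT_DEPS = list(SAMPLE_POMS)


def load_sample_pom(group_id, artifact_id, version):
    """Hypothetical loader; a real one would read the .pom file from ~/.m2/repository."""
    return SAMPLE_POMS.get((group_id, artifact_id, version))


if __name__ == "__main__":
    for dep, hits in hidden_provided(DIRECT_DEPS, load_sample_pom, "org.apache.logging.log4j").items():
        for g, a, v in hits:
            print(f"{dep} was built against {g}:{a}:{v} (provided, not in my-app2's tree)")
```

Running it prints druid and managed-lib as compiled against log4j artifacts while clean-lib produces no finding. A version reported as `UNRESOLVED` means the pom defers it to a parent or an imported BOM, which this example does not follow, so those entries still need a manual look.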