Hi David
Just for clarification: we are not relying on the maven dependency plugin
at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
The problem is that our security scanners are scanning gitlab runner nodes
(virtual machines on which we compile and package our application) and
Robert, All,
The Release Candidates of JDK 18 have been released [1]. At this stage,
only P1 issues will be evaluated [2]. And with the JDK 18 General
Availability set for March 22nd, it is now time to shift the focus to
JDK 19. I'd like to thank those of you who have already provided
feedba
Juraj,
I have run this command on your reproducer and in "tmp" I cannot find
log4j versions other than 2.17.1
mvn clean install -X -Dmaven.repo.local=tmp > out.txt
Enrico
On Mon, 28 Feb 2022 at 13:52, Juraj Veverka
wrote:
>
> Hi David
>
> Many thanks for your email, I really app
Hi David
Many thanks for your email, I really appreciate your reply. This is an
isolated example of the problem.
https://github.com/jveverka/mvn-dependency-log4j
You can find all repro steps there. In case of any questions, feel free
to contact me.
Kind regards
Juraj Veverka
On Mon, Feb 28, 20
Where I work we decided to address log4j vulnerabilities only for components
directly used by the application and actually performing logging.
We ignored transitive dependencies and maven plug-ins.
I’m curious about this use case from Venu though, what application would rely
on the maven dependen
FYI as I'm testing a few more projects with this ci reporting enabled.
POC has been moved here
https://ci-maven.apache.org/job/Maven/job/ci-reporting-test/job/maven-compiler-plugin/job/ci-reporting/
each project I'm trying will have a branch called ci-reporting.
started a PR as well to move the prof
Hi,
Please provide more information, like plugin, Maven, OS version.
We also need an example project which reproduces your issue.
When we can't reproduce we can't help.
On Mon, 28 Feb 2022 at 08:55, Jaladi, Venumadhav
wrote:
> Hi team,
>
> Can I expect any response? Is this the right email ad