> https://github.com/jveverka/mvn-dependency-log4j/commit/ac87977c19bb2ee2564d15fa87f255d621a4706d
https://github.com/pzygielo/mvn-dependency-log4j/runs/5425284512?check_suite_focus=true#step:5:1
No log4j:1.2.12:jar is downloaded in that reproducer.
log4j/log4j is excluded by commons-logging from
On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs wrote:
>
> Can confirm this project downloads log4j 1.12.12 for me
As I see it - you confirm something else.
> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
_artifact des
You might need to raise a bug with your security scanner regarding false
positives.
So in your dependency tree I only see log4j 2.17.1; i.e.
Your Pom
- org.springframework.boot:spring-boot-starter-web:2.6.4
-- org.springframework.boot:spring-boot-starter-web:2.6.4
--- org.springframework.boot:spring
Hi,
Below I am pasting some of the information on the 3 vulnerabilities from
our report. FYI, I removed the information about the server details and
also trimmed the file path. This report is generated by the Tenable agent.
Severity scandate Vuln Name Description Summary Fix CVE ID CVS Base
Sco
Hi David
Just for clarification: we are not relying on the maven dependency plugin
at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
The problem is that our security scanners are scanning gitlab runner nodes
(virtual machines on which we compile and package our application) and
Juraj,
I have run this command on your reproducer and in "tmp" I cannot find
log4j versions other than 2.17.1
mvn clean install -X -Dmaven.repo.local=tmp > out.txt
Enrico
On Mon, 28 Feb 2022 at 13:52, Juraj Veverka
wrote:
>
> Hi David
>
> Many thanks for your email, I really app
Hi David
Many thanks for your email, I really appreciate your reply. This is an
isolated example of the problem.
https://github.com/jveverka/mvn-dependency-log4j
You can find all repro steps there. In case of any questions, feel free
to contact me.
Kind regards
Juraj Veverka
On Mon, Feb 28, 20
Where I work we decided to address log4j vulnerabilities only for components
directly used by the application and actually performing logging.
We ignored transitive dependencies and maven plug-ins.
I’m curious about this use case from Venu though, what application would rely
on the maven dependen
Hi,
Please provide more information, like plugin, maven, OS version.
We also need an example project which reproduces your issue.
When we can't reproduce we can't help.
On Mon, 28 Feb 2022 at 08:55, Jaladi, Venumadhav
wrote:
> Hi team,
>
> Can I expect any response? Is this the right email ad
Hi team,
Can I expect any response? Is this the right email address for my question?
Thanks,
Venu
On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
jaladi.venumad...@verizon.com> wrote:
> Hi team,
>
> We are using the Maven Dependency Plugin in one of our projects and our
> scanning tools
Hi team,
We are using the Maven Dependency Plugin in one of our projects and our
scanning tools are showing multiple vulnerabilities related to Log4j
(CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
CVE-2022-23307 and CVE-2021-4104).
We would like to know if there are any plans to