堆栈内存溢出
  简体   繁体   English

为什么Maven下载log4j-1.2.12.jar?

[英]Why is Maven downloading log4j-1.2.12.jar?

 原文  2021-12-24 14:15:58       maven/ log4j/ pom.xml/ log4j2/ cve-2021-44228

问题描述

I am trying to remove all the vulnerable log4j dependencies from my maven project.我正在尝试从我的 maven 项目中删除所有易受攻击的 log4j 依赖项。

I am using log4j 2.16 dependency in my pom and have added exclusions for log4j and sl4j in other dependencies.我在我的 pom 中使用log4j 2.16依赖项,并在其他依赖项中添加了 log4j 和 sl4j 的排除项。

Still, whenever I run the maven package goal it downloads log4j 1.2.12 jar.尽管如此,每当我运行 maven package 目标时,它都会下载log4j 1.2.12 Z68140485FCBF434A9DACD2D

[INFO] Copying 1 resource
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ Test ---
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 0.1 KB/sec)
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 101.6 KB/sec)

I even ran the mvn dependency:tree command and it only shows log4j 2.16 .我什至运行了mvn dependency:tree命令,它只显示log4j 2.16

What could be the cause for it to download log4j 1.2.12 jar?下载log4j 1.2.12 jar 的原因可能是什么?

1 个解决方案

解决方案1
 3 已采纳  2021-12-24 14:52:31

TL;DR: this is not a security concern, but if you think it is, upgrade your maven-compiler-plugin . TL;DR:这不是安全问题,但如果您认为是,请升级您的maven-compiler-plugin

Maven plugins , ie the libraries that perform the actual work in building your project have also dependencies: log4j-1.2.12 is a (transitive) dependency of maven-compiler-plugin-3.1 , which your project uses. Maven plugins ,即在构建项目中执行实际工作的库也具有依赖项: log4j-1.2.12maven-compiler-plugin-3.1的(传递)依赖项,您的项目使用它。

Therefore the fact that Maven downloads log4j does not mean that it will be packaged with your application.因此,Maven 下载log4j并不意味着它将与您的应用程序一起打包。

Remark : Version 3.1 of the maven-compiler-plugin is a rather old version.备注maven-compiler-plugin的 3.1 版本是一个相当旧的版本。 This version is specified in the default lifecycle bindings and for compatibility reasons will never be upgraded.此版本在默认生命周期绑定中指定,出于兼容性原因将永远不会升级。 Nevertheless you should specify a newer version in your POM file, eg:尽管如此,您应该在您的 POM 文件中指定一个较新的版本,例如:

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.10.1</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>

Newer version of maven-compiler-plugin do not have a log4j:log4j dependency.较新版本的maven-compiler-plugin没有log4j:log4j依赖项。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我在 Maven 项目上使用 log4j 1.2.12,但它没有显示“调试”消息。 我该如何解决这个问题? - I am using log4j 1.2.12 on a maven project, but it isn't displaying 'debug' messages. How can I resolve this? HttpClient,Log4J和Maven jar冲突 - HttpClient, Log4J and Maven jar conflicts 将带有log4j2的Maven项目打包到jar中 - Packaging a maven project with log4j2 into a jar maven jar-with-dependencies log4j - maven jar-with-dependencies log4j 使用log4j 1.2.17发出“此SLF4J版本需要log4j版本1.2.12”的警告 - “This version of SLF4J requires log4j version 1.2.12” warning with log4j 1.2.17 Jar 未从 maven 下载 - Jar not downloading from maven 具有依赖关系的Maven jar不包括Log4j - Maven jar-with-dependencies doesn't include Log4j log4j,maven jar插件和属性文件 - log4j, maven jar plugin, and properties file Maven:将本地log4j jar设置为依赖项时出错 - Maven: Error whan setting local log4j jar as dependency 无法确定为什么Maven下载jar文件 - Can't determine why maven is downloading a jar file
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM