Nth Dimension

Reputation: 41

How to prevent maven-dependency-plugin from downloading log4j?

This question is current at least as of version 3.6.1 of the plugin.

When using the maven-dependency-plugin, it downloads log4j 1.2.12. It happens when the analyze-dep-mgt goal is run, which is the goal we use; I imagine it happens with some or all of the other goals of the plugin. Running mvn dependency:tree from the command line also causes it to be downloaded.

I recognize that just having the log4j jar in the local repository is not a security risk, but we have an IT department threatening to shut down our servers if the jar appears anywhere on our filesystem. If it comes down to it we'll make some kind of script to constantly look for it and delete it when it shows up, but I'm hoping there is some way to prevent it directly through some configuration change in the pom.xml.

I also see that there is an open issue in the plugin's issue tracker for this problem: MDEP-902

log4j doesn't seem to be a dependency or transitive dependency of the plugin itself. I've tried adding the plugin as a dependency and running the dependency plugin's tree goal, and it doesn't show up as a dependency of the plugin. I've also run dependency:tree on the latest version of the plugin in its code repository and it doesn't show up as a dependency. Is the plugin doing its own manipulation on the local repository somehow and causing it to be downloaded?

Here are the debug log lines when it downloads the jar:

[DEBUG] Resolving artifact log4j:log4j:pom:1.2.12 from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[DEBUG] Using transporter HttpTransporter with priority 5.0 for https://repo.maven.apache.org/maven2
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom

Upvotes: 4

Views: 606

Answers (1)

bmdet

Reputation: 31

This still happens with Maven 3.9.8 and maven-dependency-plugin 3.7.1.

The reason is that somehow this plugin downloads commons-logging versions 1.0, 1.0.3 and 1.1 too. While the log4j dependency is marked optional in 1.0.3, it is NOT in 1.1, so log4j 1.2.12 is downloaded into the local repo unconditionally.

Fixing the .pom of commons-logging 1.1 in the local repo by adding the optional flag avoids downloading log4j 1.2.12 when running mvn dependency:tree (that is not a real fix, only a proof!).

Unfortunately it is not easy to detect the chain that leads to the downloads of the different commons-logging versions.

Upvotes: 3
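The answer above pins the cause on a POM in the local repository that declares log4j:log4j without the optional flag. The following script is an added example, not code from the asker or the answerer: it walks a local repository directory (for instance ~/.m2/repository), parses every .pom file, and lists the POMs that declare a given artifact as a non-optional dependency, which is what makes Maven fetch that artifact whenever the declaring POM is resolved. The two sample POMs it writes into a temporary directory are constructed to mimic the commons-logging 1.0.3 (optional) versus 1.1 (non-optional) difference the answer describes; they are not copies of the real files, and the helper names are this example's own.

```python
"""Report POMs in a Maven local repository that declare an artifact as non-optional.

Added example; not part of the original question or answer.
Usage: python pom_scan.py [/path/to/.m2/repository]
Without an argument it scans a constructed sample repository.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POMs (assumption: shaped like the real commons-logging
# POMs, but written here only to demonstrate the check).
SAMPLE_POMS = {
    # Old-style POM without an XML namespace, log4j marked optional.
    "commons-logging/commons-logging/1.0.3/commons-logging-1.0.3.pom": """<project>
  <groupId>commons-logging</groupId>
  <artifactId>commons-logging</artifactId>
  <version>1.0.3</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.12</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>
""",
    # Namespaced POM, log4j NOT marked optional: this one triggers the download.
    "commons-logging/commons-logging/1.1/commons-logging-1.1.pom": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>commons-logging</groupId>
  <artifactId>commons-logging</artifactId>
  <version>1.1</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.12</version>
    </dependency>
  </dependencies>
</project>
""",
}


def _child(elem, tag):
    """Find a direct child by tag, accepting both namespaced and plain POMs."""
    found = elem.find(POM_NS + tag)
    return found if found is not None else elem.find(tag)


def _text(elem, tag):
    child = _child(elem, tag)
    return (child.text or "").strip() if child is not None else ""


def declared_dependencies(pom_path):
    """Yield (groupId, artifactId, version, optional) for each top-level <dependency>.

    Only <project><dependencies> is inspected: entries under
    <dependencyManagement> do not cause resolution by themselves.
    """
    root = ET.parse(pom_path).getroot()
    deps = _child(root, "dependencies")
    if deps is None:
        return
    for dep in deps:
        if dep.tag not in (POM_NS + "dependency", "dependency"):
            continue
        optional = _text(dep, "optional").lower() == "true"
        yield (_text(dep, "groupId"), _text(dep, "artifactId"),
               _text(dep, "version"), optional)


def find_non_optional_declarations(repo_dir, group_id, artifact_id):
    """Return sorted repository-relative paths of POMs declaring the artifact as non-optional."""
    hits = []
    for dirpath, _dirs, files in os.walk(repo_dir):
        for name in files:
            if not name.endswith(".pom"):
                continue
            path = os.path.join(dirpath, name)
            try:
                deps = list(declared_dependencies(path))
            except ET.ParseError:
                continue  # skip malformed files instead of aborting the scan
            if any(g == group_id and a == artifact_id and not opt
                   for g, a, _v, opt in deps):
                hits.append(os.path.relpath(path, repo_dir).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_repo():
    """Write the constructed POMs into a temporary directory and return its path."""
    repo = tempfile.mkdtemp(prefix="m2-sample-")
    for rel, body in SAMPLE_POMS.items():
        path = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return repo


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for hit in find_non_optional_declarations(repo, "log4j", "log4j"):
        print(hit)
```

Run against the real local repository, the output names the POMs through which log4j:log4j will be pulled in; on the constructed sample only the 1.1 POM is reported, which matches the answer's observation that adding the optional flag to that file stops the download. It is a read-only check, so it is safe to run on a developer machine or in CI to confirm whether the local repository still contains an offending declaration after an upgrade of Maven or the plugin.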
