log4j Vulnerability in Dependencies
roche-xx opened this issue · 1 comment
roche-xx commented
We're currently rooting out dependencies to expunge the recently-reported issue with log4j, and this is the last nested dependency we need to remove. See below for the maven dependency tree:
[INFO] +- com.github.kongchen:swagger-maven-plugin:jar:3.1.8:compile
[INFO] | +- org.apache.maven:maven-artifact:jar:2.2.1:compile
[INFO] | | \- org.codehaus.plexus:plexus-utils:jar:1.5.15:compile
[INFO] | +- org.apache.maven:maven-plugin-api:jar:2.2.1:compile
[INFO] | +- org.apache.maven:maven-project:jar:2.2.1:compile
[INFO] | | +- org.apache.maven:maven-settings:jar:2.2.1:compile
[INFO] | | +- org.apache.maven:maven-profile:jar:2.2.1:compile
[INFO] | | +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
[INFO] | | | \- backport-util-concurrent:backport-util-concurrent:jar:3.1:compile
[INFO] | | +- org.apache.maven:maven-plugin-registry:jar:2.2.1:compile
[INFO] | | +- org.codehaus.plexus:plexus-interpolation:jar:1.11:compile
[INFO] | | \- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile
[INFO] | +- org.apache.maven:maven-model:jar:2.2.1:compile
[INFO] | +- org.apache.maven:maven-core:jar:2.2.1:compile
[INFO] | | +- org.apache.maven.wagon:wagon-file:jar:1.0-beta-6:runtime
[INFO] | | +- org.apache.maven:maven-plugin-parameter-documenter:jar:2.2.1:compile
[INFO] | | +- org.apache.maven.wagon:wagon-http-lightweight:jar:1.0-beta-6:compile
[INFO] | | | \- org.apache.maven.wagon:wagon-http-shared:jar:1.0-beta-6:compile
[INFO] | | | +- nekohtml:xercesMinimal:jar:1.9.6.2:compile
[INFO] | | | \- nekohtml:nekohtml:jar:1.9.6.2:compile
[INFO] | | +- org.apache.maven.wagon:wagon-http:jar:1.0-beta-6:compile
[INFO] | | +- org.apache.maven.wagon:wagon-webdav-jackrabbit:jar:1.0-beta-6:runtime
[INFO] | | | \- org.apache.jackrabbit:jackrabbit-webdav:jar:1.5.0:runtime
[INFO] | | | +- org.apache.jackrabbit:jackrabbit-jcr-commons:jar:1.5.0:runtime
[INFO] | | | \- commons-httpclient:commons-httpclient:jar:3.0:runtime
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.32:runtime
[INFO] | | +- org.apache.maven.reporting:maven-reporting-api:jar:2.2.1:compile
[INFO] | | | +- org.apache.maven.doxia:doxia-sink-api:jar:1.1:compile
[INFO] | | | \- org.apache.maven.doxia:doxia-logging-api:jar:1.1:compile
[INFO] | | +- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-6:compile
[INFO] | | +- org.apache.maven:maven-repository-metadata:jar:2.2.1:compile
[INFO] | | +- org.apache.maven:maven-error-diagnostics:jar:2.2.1:compile
[INFO] | | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | | +- org.apache.maven.wagon:wagon-ssh-external:jar:1.0-beta-6:runtime
[INFO] | | | \- org.apache.maven.wagon:wagon-ssh-common:jar:1.0-beta-6:compile
[INFO] | | +- org.apache.maven:maven-plugin-descriptor:jar:2.2.1:compile
[INFO] | | +- org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-4:compile
[INFO] | | +- org.apache.maven:maven-monitor:jar:2.2.1:compile
[INFO] | | +- org.apache.maven.wagon:wagon-ssh:jar:1.0-beta-6:compile
[INFO] | | | \- com.jcraft:jsch:jar:0.1.38:compile
[INFO] | | +- classworlds:classworlds:jar:1.1:compile
[INFO] | | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] | | \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] | +- io.swagger:swagger-servlet:jar:1.5.21:compile
[INFO] | +- org.reflections:reflections:jar:0.9.9:compile
[INFO] | | \- com.google.code.findbugs:annotations:jar:2.0.1:compile
vvvvvvvvvvvvvvvvvvvvvv
[INFO] | +- log4j:log4j:jar:1.2.16:compile
^^^^^^^^^^^^^^^^^^^
[INFO] | +- io.swagger:swagger-jersey-jaxrs:jar:1.5.21:compile
[INFO] | | +- com.sun.jersey.contribs:jersey-multipart:jar:1.13:compile
[INFO] | | | \- org.jvnet:mimepull:jar:1.6:compile
[INFO] | | \- com.sun.jersey:jersey-core:jar:1.13:compile
[INFO] | +- com.sun.jersey:jersey-server:jar:1.13:compile
[INFO] | | \- asm:asm:jar:3.1:compile
[INFO] | +- org.springframework:spring-context:jar:5.3.9:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.3.9:compile
[INFO] | | +- org.springframework:spring-beans:jar:5.3.9:compile
[INFO] | | +- org.springframework:spring-core:jar:5.3.9:compile
[INFO] | | | \- org.springframework:spring-jcl:jar:5.3.9:compile
[INFO] | | \- org.springframework:spring-expression:jar:5.3.9:compile
[INFO] | +- org.springframework:spring-web:jar:5.3.9:compile
[INFO] | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.1:compile
[INFO] | \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
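A tree this size is easier to handle by script than by eye. The block below is an added example, not code from the issue or from swagger-maven-plugin: it parses `mvn dependency:tree` text output, reports every root-to-target path for a set of artifact coordinates, and prints the pom.xml `<exclusions>` block that belongs on the direct dependency at the top of that path. The sample tree, the `com.example:demo-app` root and the `LOG4J_COORDINATES` set are constructed; the sample keeps Maven's real three-character indentation (`|  ` / `   ` per level), because a paste with collapsed whitespace, like the one above, loses the depth information the parser relies on. The coordinate set generalizes beyond the issue by also matching the Log4j 2 artifact, since the two live under different groupIds.

```python
"""Find which direct dependency pulls a transitive artifact into a Maven build.

Reads `mvn dependency:tree` output (stdin or an embedded sample) and prints
the dependency chain plus the <exclusion> to place on the direct dependency.
Added example; not part of the issue or of swagger-maven-plugin.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable

# One tree line: "[INFO] " then zero or more 3-char level columns ("|  " or
# "   "), then an optional "+- " / "\- " marker, then the coordinate. The
# project root line has no marker and no columns.
_LINE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?:(?P<marker>[+\\])- )?(?P<coord>\S+:\S+)$"
)

# groupId:artifactId pairs to look for (constructed set, covers Log4j 1 and 2).
LOG4J_COORDINATES = {"log4j:log4j", "org.apache.logging.log4j:log4j-core"}


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    scope: str  # empty for the project root line

    def ga(self) -> str:
        return f"{self.group_id}:{self.artifact_id}"


def parse_coordinate(coord: str) -> Artifact:
    """Split g:a:packaging[:classifier]:version[:scope] into an Artifact."""
    parts = coord.split(":")
    if len(parts) == 4:            # root: g:a:packaging:version
        return Artifact(parts[0], parts[1], parts[3], "")
    if len(parts) == 5:            # g:a:packaging:version:scope
        return Artifact(parts[0], parts[1], parts[3], parts[4])
    if len(parts) == 6:            # g:a:packaging:classifier:version:scope
        return Artifact(parts[0], parts[1], parts[4], parts[5])
    raise ValueError(f"unrecognised coordinate: {coord}")


def parse_tree(lines: Iterable[str]) -> list[tuple[int, Artifact]]:
    """Return (depth, artifact) pairs in output order; depth 0 is the project."""
    nodes = []
    for line in lines:
        m = _LINE.match(line.rstrip("\n"))
        if not m:                  # build chatter such as "[INFO] BUILD SUCCESS"
            continue
        depth = 0 if m.group("marker") is None else len(m.group("prefix")) // 3 + 1
        nodes.append((depth, parse_coordinate(m.group("coord"))))
    return nodes


def find_paths(lines: Iterable[str], targets: set[str]) -> list[list[Artifact]]:
    """Every root-to-target chain whose last element's groupId:artifactId is in targets."""
    stack: list[Artifact] = []
    paths = []
    for depth, art in parse_tree(lines):
        del stack[depth:]          # leaving a subtree: drop deeper ancestors
        stack.append(art)
        if art.ga() in targets:
            paths.append(list(stack))
    return paths


def exclusion_snippet(path: list[Artifact]) -> str:
    """pom.xml fragment excluding path[-1] from the direct dependency path[1]."""
    if len(path) < 3:
        return f"<!-- {path[-1].ga()} is declared directly; remove or upgrade it in pom.xml -->"
    direct, target = path[1], path[-1]
    return (
        f"<!-- add to the <dependency> for {direct.ga()}:{direct.version} -->\n"
        "<exclusions>\n"
        "  <exclusion>\n"
        f"    <groupId>{target.group_id}</groupId>\n"
        f"    <artifactId>{target.artifact_id}</artifactId>\n"
        "  </exclusion>\n"
        "</exclusions>"
    )


# Constructed sample: a cut-down version of the issue's tree with Maven's
# real indentation and a made-up project root.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.github.kongchen:swagger-maven-plugin:jar:3.1.8:compile
[INFO] |  +- org.apache.maven:maven-artifact:jar:2.2.1:compile
[INFO] |  |  \- org.codehaus.plexus:plexus-utils:jar:1.5.15:compile
[INFO] |  +- org.reflections:reflections:jar:0.9.9:compile
[INFO] |  |  \- com.google.code.findbugs:annotations:jar:2.0.1:compile
[INFO] |  +- log4j:log4j:jar:1.2.16:compile
[INFO] |  \- io.swagger:swagger-servlet:jar:1.5.21:compile
[INFO] \- org.springframework:spring-web:jar:5.3.9:compile
[INFO]    \- org.springframework:spring-core:jar:5.3.9:compile
[INFO] BUILD SUCCESS
""".strip().splitlines()


if __name__ == "__main__":
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_TREE
    for path in find_paths(source, LOG4J_COORDINATES):
        print(" -> ".join(f"{a.ga()}:{a.version}" for a in path))
        print(exclusion_snippet(path))
```

Pipe a real tree in with `mvn dependency:tree | python find_dep.py` (the file name is hypothetical). The printed `<exclusions>` goes inside the `<dependency>` entry of the direct dependency it names. After excluding a logging library, rebuild and exercise the code paths that use the dependency which pulled it in: the exclusion only removes the jar from the classpath, and anything in that dependency that still loads the excluded classes will fail at runtime rather than at build time.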
noname713705 commented
I did create a pull request that should fix this problem (I have the same issue with log4j:1.2 that keeps coming back in my local repo due to swagger-maven-plugin):
#879