maven-compiler-plugin issue with log4j

General information:

Within Apigee, at times you may want to implement a custom Java implementation for specific use-cases, and you may be using maven-compiler-plugin. It will download Log4j (an old version when you don't specify a version) as a transitive dependency of maven-compiler-plugin 3.1 (which sometimes upsets vulnerability management teams, as they may be running scans on laptops), but it no longer does with the newer version.

If you are using an old version, you may want to upgrade to the latest version.


<pluginManagement>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.11.0</version>
    </plugin>
  </plugins>
</pluginManagement>


Keeping libraries up to date is a good security posture. Maybe a quarterly update will help keep them updated.

Tip: Enable security plugins like Snyk (https://snyk.io/) etc. in the IDE or in pipelines to easily track issues down during the initial dev cycle.
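A pipeline check in the spirit of the post, added here and not part of the original thread: it scans a pom.xml for maven-compiler-plugin declarations that are left unpinned or sit below 3.11.0, so the upgrade above can be enforced automatically. The minimum version, the finding wording and the sample POM are assumptions made for illustration.

```python
"""Flag unpinned or outdated maven-compiler-plugin entries in a pom.xml.
Added example, not part of the original post; it treats 3.11.0 (the version
the post upgrades to) as the minimum and uses a constructed sample POM."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_VERSION = (3, 11, 0)

def parse_version(text):
    """'3.11.0' -> (3, 11, 0); non-numeric suffixes such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def compiler_plugin_findings(pom_xml):
    """Return one finding per problematic maven-compiler-plugin declaration.
    No <version> means Maven's default binding decides (the post reports it
    resolving to 3.1, which pulls in an old Log4j); a ${property} version
    cannot be judged from this file alone; below MIN_VERSION is outdated."""
    findings = []
    for plugin in ET.fromstring(pom_xml).iterfind(".//m:plugin", NS):
        if plugin.findtext("m:artifactId", default="", namespaces=NS) != "maven-compiler-plugin":
            continue
        version = plugin.findtext("m:version", namespaces=NS)
        if version is None:
            findings.append("maven-compiler-plugin: no version pinned")
        elif version.strip().startswith("${"):
            findings.append(f"maven-compiler-plugin {version.strip()}: property, check the effective POM")
        elif parse_version(version) < MIN_VERSION:
            findings.append(f"maven-compiler-plugin {version.strip()}: older than 3.11.0")
    return findings

# Constructed sample: one entry pinned to 3.1, one left unpinned (groupId omitted,
# which Maven defaults to org.apache.maven.plugins for plugins).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.1</version>
    </plugin>
    <plugin>
      <artifactId>maven-compiler-plugin</artifactId>
    </plugin>
  </plugins></build>
</project>"""

if __name__ == "__main__":
    print("\n".join(compiler_plugin_findings(SAMPLE_POM)))
```

Run it against your project's pom.xml in CI and fail the build when the list is non-empty; a version supplied through a Maven property still needs `mvn help:effective-pom` to resolve.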


Good tip, thank you!