I am trying to remove all the vulnerable log4j dependencies from my maven project.

I am using log4j 2.16 dependency in my pom and have added exclusions for log4j and sl4j in other dependencies.

Still, whenever I run the maven package goal it downloads log4j 1.2.12 jar.

[INFO] Copying 1 resource
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ Test ---
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 0.1 KB/sec)
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 101.6 KB/sec)

I even ran the mvn dependency:tree command and it only shows log4j 2.16.

What could be the cause for it to download log4j 1.2.12 jar?

CodePudding user response：

Maven plugins, i.e. the libraries that perform the actual work in building your project have also dependencies: log4j-1.2.12 is a (transitive) dependency of maven-compiler-plugin-3.1, which your project uses.

Therefore the fact that Maven downloads log4j does not mean that it will be packaged with your application.

Remark: Version 3.1 of the maven-compiler-plugin is a rather old version. This version is specified in the default lifecycle bindings and for compatibility reasons will never be upgraded. Nevertheless you should specify a newer version in your POM file, e.g.:

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.8.1</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>