I am trying to remove all the vulnerable log4j dependencies from my maven project.
I am using log4j 2.16 dependency in my pom and have added exclusions for log4j and sl4j in other dependencies.
Still, whenever I run the maven package goal it downloads log4j 1.2.12 jar.
[INFO] Copying 1 resource
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ Test ---
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 0.1 KB/sec)
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 101.6 KB/sec)
I even ran the mvn dependency:tree command and it only shows log4j 2.16.
What could be the cause for it to download log4j 1.2.12 jar?
TL;DR: this is not a security concern, but if you think it is, upgrade your maven-compiler-plugin.
Maven plugins, i.e. the libraries that perform the actual work in building your project have also dependencies: log4j-1.2.12 is a (transitive) dependency of maven-compiler-plugin-3.1, which your project uses.
You can list your plugin versions and dependencies with:
mvn dependency:resolve-plugins
The fact that Maven downloads log4j does not mean that it will be packaged with your application.
Remark: Version 3.1 of the maven-compiler-plugin is a rather old version. This version is specified in the default lifecycle bindings and for compatibility reasons will never be upgraded. Nevertheless you should specify a newer version in your POM file, e.g.:
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.10.1</version>
</plugin>
</plugins>
</pluginManagement>
</build>
Newer version of maven-compiler-plugin do not have a log4j:log4j dependency.