Maven command mvn javadoc:jar downloads log4j-1.2.12

Question

When executing the Maven command mvn javadoc:jar, it downloads log4j-1.2.12.jar, which contains vulnerabilities. The projects in scope do not have any dependency on log4j, nor do we have a plugin to generate JavaDocs.

Our Maven version is 3.6.0.

Any suggestions on how to proceed to get rid of the log4j?

Answer 1

To resolve a project's or plugin's dependencies Maven:

1. Creates a huge graph with all dependencies and transitive dependencies. To do this it must recursively download the POM files of each of them,
2. Chooses the dependencies that it will use. Log4j 1.x is not part of them,
3. Uses those dependencies at runtime.

In your case log4j:log4j:1.2.12 gets to phase one, but the JAR is not downloaded and not used.

Remark: The vulnerabilities of Log4j 1.x are very peripheral and difficult to trigger. Even if Log4j 1.x was used in your build, you'll need to provide a very specific configuration (e.g. log to a database) to be vulnerable.

In maven-javadoc-plugin there are vulnerable dependencies that have a bigger chance of being used, e.g. the dependencies of doxia-site-renderer. Obviously without further inspection there is not way to tell if they apply to the plugin.