Why is Log4j 1.2.16 automatically downloaded during Maven update


I am working on a Java Maven project, which is mainly configured to use logback with slf4j. I can't see any Log4j dependency in my Maven dependency tree, meaning Log4j is not coming transitively from any component in my pom XML. I am assuming that it is coming from some Maven plugin; I am using the Eclipse editor. I want to remove that vulnerable Log4j component completely, as I am using a different logging framework. Is there any way to resolve this issue, i.e. to stop Log4j from being downloaded during Maven update? Is there any way to know the library/plugin name which is fetching Log4j? Please help me with this. Thanks in advance!

Regards, Ritesh

2


1
Abhishek Gupta On
  • Check Maven Plugin: Some Maven plugins may also bring in Log4j as a dependency. Review the plugins configured in your pom.xml or in your IDE configuration (like Eclipse settings). Look for any plugins related to logging or build processes that might be pulling in Log4j.

Remove or update the plugins accordingly. For example, if you are using Eclipse, check the Eclipse Run Configurations and Maven configurations to ensure there are no unnecessary dependencies.

  • Check IDE Integration: Some IDEs have their own way of managing dependencies. In Eclipse, right-click on the project, go to "Properties," and check the "Java Build Path" and "Maven" settings. Ensure that there are no unnecessary dependencies, especially Log4j.
0
khmarbaise On

The easiest way to find out exactly which artifacts are being downloaded by Maven plugins is to build against an empty cache ($HOME/.m2/repository). It is not necessary to delete the global user cache, though.

You can create a cache which is local to your project for testing purposes like this:

mvn -B clean verify -Dmaven.repo.local=$(pwd)/.repo >mvn.log 2>&1

The generated log file mvn.log contains the full output of the build, which includes the artifacts downloaded for your project or for the Maven plugins. The file will contain lines like this:

[INFO] --- clean:3.3.2:clean (default-clean) @ dependency-analysis ---
[INFO] Downloading from nexus: http://localhost:8081/nexus/content/groups/public/org/codehaus/plexus/plexus-utils/4.0.0/plexus-utils-4.0.0.pom
[INFO] Downloaded from nexus: http://localhost:8081/nexus/content/groups/public/org/codehaus/plexus/plexus-utils/4.0.0/plexus-utils-4.0.0.pom (8.7 kB at 1.7 MB/s)
[INFO] Downloading from nexus: http://localhost:8081/nexus/content/groups/public/org/codehaus/plexus/plexus/13/plexus-13.pom
[INFO] Downloaded from nexus: http://localhost:8081/nexus/content/groups/public/org/codehaus/plexus/plexus/13/plexus-13.pom (27 kB at 2.7 MB/s)
[INFO] Downloading from nexus: http://localhost:8081/nexus/content/groups/public/org/codehaus/plexus/plexus-utils/4.0.0/plexus-utils-4.0.0.jar
[INFO] Downloaded from nexus: http://localhost:8081/nexus/content/groups/public/org/codehaus/plexus/plexus-utils/4.0.0/plexus-utils-4.0.0.jar (192 kB at 38 MB/s)
[INFO] Deleting /Users/khm/ws-git-soebes/examples/dep-analysis/target

That will show you that the maven-clean-plugin requires dependencies like plexus-utils, etc.

Based on such a log file you can easily identify which plugin downloads which artifact.
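Reading a long mvn.log by eye gets tedious, so here is a small script that does the attribution described in the answer above automatically. It is an added example, not code from the answer or from Maven itself: it walks the log, remembers the most recent `[INFO] --- plugin:version:goal ...` header, and prints which plugin execution was running when each `Downloaded from` line matching a pattern (here `log4j`) appeared. The log it runs on is constructed inline to look like Maven 3 output; the `example-plugin:1.0.0:run` execution and the artifact names in it are made up for illustration. It assumes the build was run against an empty `-Dmaven.repo.local` (so every artifact shows up as a download) and that repository ids contain no spaces.

```shell
#!/bin/sh
# Added example: attribute "Downloaded from" lines in a Maven build log to the
# plugin execution that was running at the time, and report the ones matching
# a pattern such as "log4j". Not part of the original answer.

# Write a constructed sample log (not real build output) to the path in $1.
# The plugin "example-plugin:1.0.0:run" and its artifacts are hypothetical.
write_sample_log() {
    cat >"$1" <<'EOF'
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/1.4.14/logback-classic-1.4.14.pom
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/1.4.14/logback-classic-1.4.14.pom (12 kB at 1.2 MB/s)
[INFO] --- clean:3.3.2:clean (default-clean) @ demo ---
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/4.0.0/plexus-utils-4.0.0.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/4.0.0/plexus-utils-4.0.0.jar (192 kB at 38 MB/s)
[INFO] Deleting /tmp/demo/target
[INFO] --- example-plugin:1.0.0:run (default) @ demo ---
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.16/log4j-1.2.16.pom
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.16/log4j-1.2.16.pom (20 kB at 2.0 MB/s)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.16/log4j-1.2.16.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.16/log4j-1.2.16.jar (470 kB at 40 MB/s)
EOF
}

# Print "<plugin execution><TAB><artifact URL>" for every completed download
# whose URL contains $2 (default: log4j). $1 is the Maven log file.
# Downloads that happen before any "--- plugin ---" header (project dependency
# resolution, fetching the plugins themselves) are tagged accordingly.
artifacts_by_plugin() {
    awk -v pat="${2:-log4j}" '
        BEGIN { plugin = "<before first plugin execution>" }
        # "[INFO] --- clean:3.3.2:clean (default-clean) @ demo ---"
        # starts a plugin execution; $3 holds plugin:version:goal.
        /^\[INFO\] --- / { plugin = $3; next }
        # "[INFO] Downloaded from <repo>: <url> (<size> at <speed>)"
        # records one finished download; $5 is the URL. Only "Downloaded"
        # (not "Downloading") lines are used, so each artifact appears once.
        /^\[INFO\] Downloaded from / && index($5, pat) > 0 {
            print plugin "\t" $5
        }
    ' "$1"
}

# Stand-alone run: build the sample log in a temp file and report log4j hits.
# Against a real build, replace the temp file with your own mvn.log.
tmp=$(mktemp)
write_sample_log "$tmp"
artifacts_by_plugin "$tmp" log4j
rm -f "$tmp"
```

Running this prints two lines, both attributed to `example-plugin:1.0.0:run`, which is exactly the answer to "which plugin is fetching Log4j". For a real build, run `artifacts_by_plugin mvn.log log4j` on the log produced by the `-Dmaven.repo.local` command above; the plugin named in the first column is the one whose dependencies need excluding or whose version needs updating.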