我正试图从maven项目中删除所有易受攻击的log4j依赖项。
我在pom中使用log4j 2.16依赖项,并在其他依赖项中添加了log4j和sl4j的排除项。
不过,每当我运行maven包目标时,它都会下载log4j1.2.12jar。
[INFO] Copying 1 resource
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ Test ---
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 0.1 KB/sec)
Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 101.6 KB/sec)
我甚至运行了mvn dependency:tree
命令,它只显示log4j2.16。
联系客服