Details
-
Task
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
3.4.0
-
Reviewed
Description
Currently we are using maven-compiler-plugin 3.1 version, which is quite old (2013) and it's also pulling in vulnerable log4j dependency:
[INFO] org.apache.maven.plugins:maven-compiler-plugin:maven-plugin:3.1:runtime [INFO] org.apache.maven.plugins:maven-compiler-plugin:jar:3.1 [INFO] org.apache.maven:maven-plugin-api:jar:2.0.9 [INFO] org.apache.maven:maven-artifact:jar:2.0.9 [INFO] org.codehaus.plexus:plexus-utils:jar:1.5.1 [INFO] org.apache.maven:maven-core:jar:2.0.9 [INFO] org.apache.maven:maven-settings:jar:2.0.9 [INFO] org.apache.maven:maven-plugin-parameter-documenter:jar:2.0.9 ... ... ... [INFO] log4j:log4j:jar:1.2.12 [INFO] commons-logging:commons-logging-api:jar:1.1 [INFO] com.google.collections:google-collections:jar:1.0 [INFO] junit:junit:jar:3.8.2
We should upgrade to 3.10.1 (latest Mar, 2022) version of maven-compiler-plugin.
Attachments
Issue Links
- links to