Yeah you can definitely wipe out this whole tree. I wrote an eternity ago about this:
https://batmat.net/2009/10/09/hudson-how-to-set-a-private-maven-repository-by-job-and-easily-be-able-to-delete-them/

Some of it is a bit old but the principles remain true today: you _should_ even do it on a regular basis. Ideally after and before each job (the modern way to do this kinda automatically is to use things like containers that will by definition start fresh [if some shared maven repository isn't mounted, don't do this]).

Cheers

On Thu, 16 Dec 2021 at 23:01, [email protected] <[email protected]> wrote:

> Thanks a ton, great cud to chew on! Now I think I know the culprit and
> it's been deprecated. Guessing I can just delete that log4j directory and
> be done with it.
>
> On Thursday, December 16, 2021 at 1:12:28 PM UTC-7 [email protected]
> wrote:
>
>> I would exclude /opt/jenkins/.m2/repository from any scans, as already
>> mentioned that is the local maven cache.
>> Also if you don't maintain that, it will grow and grow.
>> Personally I update build jobs so they each have their own maven cache
>> using -Dmaven.repo.local=mvn-repo then delete that after your job
>> completes. You might need to tweak some of your process if they depend
>> upon one job installing and another job consuming. But the problem with
>> that is if you do builds per branch they could conflict if using the same
>> version number.
>>
>> Or, delete /opt/jenkins/.m2/repository/org/apache/logging/log4j/ and
>> rebuild all your projects. As maven will download it again if it still
>> needs it. If a pre 2.15.0/2.16.0 version appears, then it means one of your
>> jobs still has an older version as a dependency.
>>
>> On Thu, 16 Dec 2021 at 18:59, Baptiste Mathus <[email protected]> wrote:
>>
>>> That's unrelated to Jenkins per se. This directory is the maven cache,
>>> also called 'local repository'.
>>>
>>> My theory is that you have a job or more that uses maven with default
>>> values. I suspect you even run these on the controller itself...
>>>
>>> Some of your job(s) build(s) a software of yours that depends on a
>>> vulnerable version of log4j.
>>>
>>> On Thu, 16 Dec 2021 at 19:15, [email protected] <[email protected]> wrote:
>>>
>>>> Hi all. Getting popped by our security team for an old version of
>>>> log4j. I've checked and we don't have any of the plugins installed
>>>> identified by the following issue:
>>>>
>>>> https://issues.jenkins.io/browse/JENKINS-67353
>>>>
>>>> Here's the info from the scan:
>>>>
>>>> Plugin Output:
>>>> Path :
>>>> /opt/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom.sha1
>>>> Installed version : 2.14.1
>>>> Fixed version : 2.15.0
>>>>
>>>> Anyone have a clue on how I go about upgrading this?
>>>>
>>>> Thanks,
>>>> Eric
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Jenkins Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/jenkinsci-users/0e0194bf-3090-43e1-92d2-be3789365ae5n%40googlegroups.com
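A check for the situation discussed in this thread, as an added example that is not part of the original messages: it lists the log4j-core versions cached in a Maven local repository that are older than a given fixed version, which is what you would re-run after deleting the directory and rebuilding. The function names and the sample tree are constructed for illustration, and GNU `sort -V` is assumed for version ordering.

```shell
#!/bin/sh
# Added example: report log4j-core versions in a Maven local repository
# that are older than a given fixed version.
# Assumption: GNU `sort -V` is available for version ordering.

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# old_log4j_versions REPO FIXED: print, one per line, each cached log4j-core
# version older than FIXED. Prints nothing if the artifact is not cached.
old_log4j_versions() {
    repo=$1
    fixed=$2
    dir="$repo/org/apache/logging/log4j/log4j-core"
    [ -d "$dir" ] || return 0
    for path in "$dir"/*/; do
        [ -d "$path" ] || continue
        ver=$(basename "$path")
        if version_lt "$ver" "$fixed"; then
            printf '%s\n' "$ver"
        fi
    done
}

# Constructed sample: a throwaway cache laid out like the scanner finding,
# holding one old and one newer log4j-core version.
make_sample_repo() {
    sample=$(mktemp -d)
    for v in 2.14.1 2.16.0; do
        mkdir -p "$sample/org/apache/logging/log4j/log4j-core/$v"
        : > "$sample/org/apache/logging/log4j/log4j-core/$v/log4j-core-$v.pom.sha1"
    done
    printf '%s\n' "$sample"
}

sample_repo=$(make_sample_repo)
echo "Versions older than 2.15.0 in $sample_repo:"
old_log4j_versions "$sample_repo" 2.15.0
rm -rf "$sample_repo"
```

Pointed at a real cache such as /opt/jenkins/.m2/repository, any version it prints after a full rebuild means a job still resolves that version as a dependency.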
