Thanks, deleted it for short term solution and looking into the "Even Better" solution at your link. Much appreciated!
On Friday, December 17, 2021 at 4:12:50 AM UTC-7 [email protected] wrote:

> Yeah you can definitely wipe out this whole tree.
>
> I wrote an eternity ago about this:
>
> https://batmat.net/2009/10/09/hudson-how-to-set-a-private-maven-repository-by-job-and-easily-be-able-to-delete-them/
>
> Some of it is a bit old but the principles remain true today: you _should_
> even do it on a regular basis. Ideally after and before each job (the
> modern way to do this kinda automatically is to use things like containers
> that will by definition start fresh [if some shared maven repository isn't
> mounted, don't do this]).
>
> Cheers
>
> On Thu, 16 Dec 2021 at 23:01, [email protected] <[email protected]> wrote:
>
>> Thanks a ton, great cud to chew on! Now I think I know the culprit and
>> it's been deprecated. Guessing I can just delete that log4j directory and
>> be done with it.
>>
>> On Thursday, December 16, 2021 at 1:12:28 PM UTC-7 [email protected]
>> wrote:
>>
>>> I would exclude /opt/jenkins/.m2/repository from any scans, as already
>>> mentioned that is the local maven cache.
>>> Also if you don't maintain that, it will grow and grow.
>>> Personally I update build jobs so they each have their own maven cache
>>> using -Dmaven.repo.local=mvn-repo then delete that after your job
>>> completes. You might need to tweak some of your process if they depend
>>> upon one job installing and another job consuming. But the problem with
>>> that is if you do builds per branch they could conflict if using the same
>>> version number.
>>>
>>> Or, delete /opt/jenkins/.m2/repository/org/apache/logging/log4j/ and
>>> rebuild all your projects. As maven will download it again if it still
>>> needs it. If a pre 2.15.0/2.16.0 version appears, then it means one of your
>>> jobs still has an older version as a dependency.
>>>
>>> On Thu, 16 Dec 2021 at 18:59, Baptiste Mathus <[email protected]> wrote:
>>>
>>>> That's unrelated to Jenkins per se. This directory is the maven cache,
>>>> also called 'local repository'.
>>>>
>>>> My theory is that you have a job or more that uses maven with default
>>>> values. I suspect you even run these on the controller itself...
>>>>
>>>> Some of your job(s) build(s) a software of yours that depends on a
>>>> vulnerable version of log4j.
>>>>
>>>> On Thu, 16 Dec 2021 at 19:15, [email protected] <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all. Getting popped by our security team for an old version of
>>>>> log4j. I've checked and we don't have any of the plugins installed
>>>>> identified by the following issue:
>>>>>
>>>>> https://issues.jenkins.io/browse/JENKINS-67353
>>>>>
>>>>> Here's the info from the scan:
>>>>>
>>>>> Plugin Output:
>>>>> Path :
>>>>> /opt/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom.sha1
>>>>> Installed version : 2.14.1
>>>>> Fixed version : 2.15.0
>>>>>
>>>>> Anyone have a clue on how I go about upgrading this?
>>>>>
>>>>> Thanks,
>>>>> Eric
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Jenkins Users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/jenkinsci-users/0e0194bf-3090-43e1-92d2-be3789365ae5n%40googlegroups.com
>>>>> <https://groups.google.com/d/msgid/jenkinsci-users/0e0194bf-3090-43e1-92d2-be3789365ae5n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .
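
The check suggested in the thread (clear the cached log4j directory, rebuild, and see whether a pre-2.15.0 version reappears in the Maven local repository) can be scripted. The following is an added example, not part of the original messages; `version_lt` and `old_log4j_versions` are hypothetical names, and it assumes a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example: report log4j-core versions cached in a Maven local
# repository that are older than a fixed version. The repository layout and
# version numbers come from the thread; function names are hypothetical.
# Assumes a sort(1) with -V (version sort), e.g. GNU coreutils.

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# old_log4j_versions REPO FIXED: print each cached log4j-core version under
# REPO that is older than FIXED. Returns 1 if any is found, 0 otherwise.
old_log4j_versions() {
    repo=$1
    fixed=$2
    base="$repo/org/apache/logging/log4j/log4j-core"
    found=0
    [ -d "$base" ] || return 0        # artifact is not cached at all
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue     # glob matched nothing
        ver=$(basename "$dir")
        if version_lt "$ver" "$fixed"; then
            printf '%s\n' "$ver"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: sh check-log4j-cache.sh /opt/jenkins/.m2/repository [fixed]
# With a per-job cache (-Dmaven.repo.local=mvn-repo) pass that directory
# instead, before deleting it at the end of the job.
if [ "$#" -ge 1 ]; then
    old_log4j_versions "$1" "${2:-2.15.0}"
fi
```

Run against a per-job repository, a non-zero exit status identifies the job that still resolves an old log4j-core, which a shared cache cannot tell you.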
