On Wed, Jun 26, 2024 at 1:36 AM Nils Breunese <n...@breun.nl> wrote:
> Robert Turner <rtur...@e-djuster.ca.invalid> wrote:
>
> > The "problem" is not that the old log4j gets copied to the output folder,
> > it's that it is fetched into the local Maven cache / repository, which is
> > then picked up by security tooling (which of course complains that it is
> > ancient and has vulnerabilities).
>
> There is no guarantee that the artifacts in the local Maven repository are
> actually executed or part of the result of your build. I don’t know if it’s
> an option to change the scanning strategy in your situation, but I would
> suggest executing builds in a CI environment that doesn’t provide access to
> the public internet (use a repository manager like Artifactory or Nexus and
> have it proxy any public repositories you need, like Maven Central),
> optionally scanning build artifacts before they get deployed, and
> definitely scanning deployed artifacts periodically, because
> vulnerabilities can get discovered after deployment time. I wouldn’t then
> worry about the contents of the local Maven repository after a build so
> much anymore.
>
> Nils.
>

Yeah, those are options of course -- I was hoping to avoid making lots of changes to the environment if possible (lots of work of course). Thanks for the suggestions.
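One way to act on Nils' point that cache contents are not evidence of build contents, added here as an example and not code from the thread: a POSIX shell check that lists artifact directories present in the local repository but not among the dependencies the build resolved, so a scanner hit on a cached jar can be checked against the build's real inputs. It assumes the standard repository layout and the text written by `mvn dependency:list -DoutputFile=deps.txt`; the fixture in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Lists artifact directories that sit in
# the local Maven repository but were NOT resolved as dependencies of the
# build. Assumes the standard repository layout and the output format of
# `mvn dependency:list -DoutputFile=deps.txt`.

# Map one dependency:list line to its repository directory, e.g.
# "   org.slf4j:slf4j-api:jar:1.7.36:compile" -> "org/slf4j/slf4j-api/1.7.36".
dep_to_dir() {
    printf '%s\n' "$1" | awk -F: 'NF >= 5 {
        sub(/^\[INFO\]/, "", $1); sub(/^[ \t]+/, "", $1)
        g = $1; gsub(/\./, "/", g)
        ver = (NF >= 6) ? $5 : $4          # a classifier adds one field
        print g "/" $2 "/" ver
    }'
}

# Every directory under the repository that holds a jar or pom.
cached_dirs() {
    ( cd "$1" && find . -type f \( -name '*.jar' -o -name '*.pom' \) ) |
        sed 's#^\./##; s#/[^/]*$##' | sort -u
}

# $1 = local repository, $2 = dependency:list output file.
# Prints cached directories the build did not resolve (cache-only artifacts).
cache_only() {
    resolved=$(mktemp)
    while IFS= read -r line; do dep_to_dir "$line"; done < "$2" | sort -u > "$resolved"
    cached_dirs "$1" | comm -23 - "$resolved"
    rm -f "$resolved"
}

# Constructed fixture: a tiny repository with one resolved dependency and one
# stale log4j 1.x artifact that is in the cache but not part of the build.
demo() {
    repo=$(mktemp -d); deps="$repo/deps.txt"
    mkdir -p "$repo/org/slf4j/slf4j-api/1.7.36" "$repo/log4j/log4j/1.2.17"
    : > "$repo/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar"
    : > "$repo/log4j/log4j/1.2.17/log4j-1.2.17.jar"
    printf 'The following files have been resolved:\n   org.slf4j:slf4j-api:jar:1.7.36:compile\n' > "$deps"
    cache_only "$repo" "$deps"        # prints: log4j/log4j/1.2.17
    rm -rf "$repo"
}

demo
```

dependency:list covers the project's own dependencies only, so plugin artifacts and their dependencies will also show up as cache-only; the point is that anything listed needs a look at the build output, not the cache, before it is treated as shipped.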