Hello Team,
We have customized plugins where it is used some of dependencies of log4j vulnerable versions. These are atlassian maven artifacts.
The dependency details
<groupId>com.atlassian.maven.plugins</groupId>
<artifactId>maven-bamboo-plugin</artifactId>
<version>${amps.version}</version> # amps.version: 1000.0.8-log4j2
<extensions>true</extensions>
<dependency>
<groupId>com.atlassian.bamboo</groupId>
<artifactId>atlassian-bamboo-web</artifactId>
<version>${bamboo.version}</version> # bamboo.version: 6.1.4
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.bamboo</groupId>
<artifactId>atlassian-bamboo-api</artifactId>
<version>${bamboo.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.bamboo</groupId>
<artifactId>atlassian-bamboo-deployments</artifactId>
<version>${bamboo.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.plugins.rest</groupId>
<artifactId>atlassian-rest-common</artifactId>
<version>1.0.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.sal</groupId>
<artifactId>sal-api</artifactId>
<version>2.6.0</version>
<scope>provided</scope>
</dependency>
I couldn't figure it out which exact plugin dependency that actually pulling older version of log4j core lib. Right now, it is pulling log4j core 2.13* jar. If some can help me on finding the right artifacts that would be great!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.