Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A maven enforcer plugin rule in order to avoid having a vulnerable jog4j versions through a transient dependency
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>block-vulnerable-log4j-versions</id>
<phase>validate</phase>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
</excludes>
</bannedDependencies>
</rules>
<fail>true</fail>
</configuration>
</execution>
</executions>
</plugin>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment