Issue
I have this log4j-1.2.12.jar file in my Jenkins server.
Path to it: /data/jenkins/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
I got this Apache Log4j Unsupported Version Detection message from the security team. How do I resolve this? I tried downloading the latest version, but it is something like this: log4j-api-2.19.0.jar
Solution
No, it's not "in Jenkins"; more accurately, log4j is not a part of Jenkins. Jenkins consumes its jars from the exploded war in ${JENKINS_HOME}/war/WEB-INF/lib. It is not located there.
If a plugin consumes log4j, that would be found within the exploded plugin directory at ${JENKINS_HOME}/plugins/<plugin_name>/WEB-INF/lib. The status of log4j as it related to most plugins was tracked under JENKINS-67353.
What you are referencing is the maven local repository, .m2/repository. This structure is created when running a maven build on the controller; the dependency jars specified in (one of) your build's pom.xml.
The guidance in the comments is correct; find the appropriate pom.xml and update it, then rebuild.
You can verify these claims by deleting the entire .m2 directory (or moving / zip;delete if you are paranoid) and restarting Jenkins. You'll discover Jenkins is running fine and the directory remains empty. Run your maven jobs and it will repopulate, including log4j-1.2.12.jar, assuming it's still specified in your pom.xml. Fix your maven pom.xml, delete the directory, rerun your jobs and it should not reappear.
Perhaps you have already updated your pom.xml but never cleared out your local maven repository, then it will not repopulate (you could check the timestamp of the directory to know when it was first/last downloaded).
You can also delete referenced portions of the repository by specifying mvn dependency:purge-local-repository and adding -DreResolve=false to avoid re-resolving. Of course, if you've already updated the pom.xml, it would remain since it's not referenced in the pom.xml (yes, it would be nice if there was an option to purge all or most of a repository or all versions of a given jar, but ...).
Answered By - Ian W
Answer Checked By - David Marino (JavaFixing Volunteer)
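
The three locations the answer distinguishes (Jenkins core, plugin libraries, the maven local repository) can be told apart mechanically when triaging a scanner finding. The script below is an added example, not part of the original answer; the function names are hypothetical, and the pom.xml check is a plain-text heuristic that only sees directly declared dependencies.

```shell
#!/bin/sh
# Added example: classify log4j 1.x jars found under a Jenkins home.
# Directory layout follows the answer above; function names are hypothetical.

# Print the category of one jar path, given the Jenkins home directory.
classify_log4j_path() {
    home=${1%/}; jar=$2
    case "$jar" in
        "$home"/war/WEB-INF/lib/*)       echo "jenkins-core" ;;
        "$home"/plugins/*/WEB-INF/lib/*) echo "plugin" ;;
        "$home"/.m2/repository/*)        echo "maven-local-repo" ;;
        *)                               echo "other" ;;
    esac
}

# List log4j 1.x jars under the Jenkins home as "category<TAB>path".
# The Log4j 2 bridge artifact (log4j-1.2-api-*) is excluded: its name
# starts with "log4j-1." but it is not log4j 1.x.
scan_log4j1() {
    home=${1%/}
    find "$home" -type f -name 'log4j-1.*.jar' \
         ! -name 'log4j-1.2-api-*' 2>/dev/null | sort |
    while IFS= read -r jar; do
        printf '%s\t%s\n' "$(classify_log4j_path "$home" "$jar")" "$jar"
    done
}

# List pom.xml files under a directory that still declare the log4j 1.x
# coordinates (groupId "log4j" and artifactId "log4j"). Heuristic only.
poms_declaring_log4j1() {
    find "$1" -type f -name pom.xml 2>/dev/null | sort |
    while IFS= read -r pom; do
        if grep -q '<groupId>log4j</groupId>' "$pom" &&
           grep -q '<artifactId>log4j</artifactId>' "$pom"; then
            echo "$pom"
        fi
    done
}

# Stand-alone use: scan the current Jenkins home if the variable is set.
if [ -n "${JENKINS_HOME:-}" ]; then scan_log4j1 "$JENKINS_HOME"; fi
```

A jar that arrives transitively will not appear in the pom.xml grep; running `mvn dependency:tree -Dincludes=log4j:log4j` in the job's project shows which declared dependency pulls it in.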