How to prevent Maven project from downloading specific dependencies?

I wanted to remove all direct / transitive dependencies using older log4J version, particularly version 1.27.1 from my project.

I have made sure that my project's pom.xml and lib folder does not contain log4J 1.27.1.

However, whenever the project builds into a .war file, there are some other libraries in my project which are still using log4j 1.27.1, resulting in log4j-1.27.1.jar being downloaded into the build for deployment.

Is there any means we can force the Maven project by preventing it from downloading a specific dependency? For example, by adding some configurations to the pom.xml file?


Edit 1: Understand that one way to do it is to do exclusions in the pom.xml file. But that requires me to explicitly mention all the artifacts. Is there any way to do it as though I am stating "hey, I don't want to see log4j-1.27.1.jar downloaded in my Maven project at all, be it any artifact is depending on it"?

user3437460 asked Feb 01 '26 15:02


1 Answer

Use the enforcer plugin to ban all insecure log4j versions. Any use will fail your build and tell you where it's being used, allowing you to overwrite the log4j dependency with a secure version or exclude it altogether.

From Gunnar Morling's gist (warning: update the log4j minimum version here to the log4j version with no vulnerabilities reported):

<!-- plug-in configuration to put into your parent POM for avoiding any usages of
     outdated log4j2 versions, some of which are subject to the RCE CVE-2021-44228
     ("Log4Shell"), CVE-2021-45046, and CVE-2021-45105. Make sure to check for the
     latest version of log4j2 at
     https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
...
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>ban-bad-log4j-versions</id>
      <phase>validate</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <excludes>
              <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
            </excludes>
          </bannedDependencies>
        </rules>
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
Geoffrey De Smet answered Feb 04 '26 04:02
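As an added example (not code from the question or the answer), the following Python script applies enforcer-style groupId:artifactId:range patterns to saved `mvn dependency:tree` output and reports the chain of dependencies that pulls in each banned version, which is the information needed to decide where to exclude or override. The sample tree, coordinates and the simplified version-range parsing are constructed here; a second pattern covers log4j 1.x, which is published under groupId log4j rather than org.apache.logging.log4j and so is not matched by the answer's log4j-core rule alone.

```python
import re
def parse_version(v):
    """'2.17.0' -> [2, 17] so 2.17 == 2.17.0; qualifiers like '-beta' count as 0 (simplification)."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r'[.-]', v)]
    while parts and parts[-1] == 0: parts.pop()
    return parts

def version_in_range(version, spec):
    """True if version lies in a Maven range such as (,2.17.0) or [1.0,2.0)."""
    if spec[0] not in '[(':                 # plain version: exact match only
        return version == spec
    inner = spec[1:-1]
    if ',' not in inner:                    # [1.2.17] pins a single version
        return parse_version(version) == parse_version(inner)
    lo, hi = inner.split(',', 1)
    v = parse_version(version)
    if lo and (v < parse_version(lo) or (v == parse_version(lo) and spec[0] == '(')):
        return False
    if hi and (v > parse_version(hi) or (v == parse_version(hi) and spec[-1] == ')')):
        return False
    return True

def banned_paths(tree_output, banned):
    """Walk `mvn dependency:tree` output; return 'root > ... > offender' chains for banned nodes."""
    stack, hits = [], []
    for line in tree_output.splitlines():
        body = line.replace('[INFO] ', '', 1).rstrip()
        if not body or body.startswith('---') or not re.search(r'[\w.-]+:[\w.-]+:', body):
            continue
        # nodes are drawn as '+- ' or '\- '; every 3 prefix columns is one tree level
        pos = max(body.find('+- '), body.find('\\- '))
        depth = 0 if pos < 0 else pos // 3 + 1
        coords = (body if pos < 0 else body[pos + 3:]).split(':')  # g:a:type[:classifier]:version[:scope]
        group, artifact, version = coords[0], coords[1], coords[4 if len(coords) == 6 else 3]
        del stack[depth:]                    # back up to this node's parent
        stack.append(f'{group}:{artifact}:{version}')
        for pattern in banned:               # same syntax as the enforcer <exclude> entries
            bg, ba, brange = pattern.split(':', 2)
            if group == bg and artifact == ba and version_in_range(version, brange):
                hits.append(' > '.join(stack))
    return hits
# Constructed sample: a trimmed `mvn dependency:tree` run for a fictional web app.
SAMPLE_TREE = r"""[INFO] com.example:webapp:war:1.0
[INFO] +- org.springframework:spring-core:jar:5.3.9:compile
[INFO] +- com.example:legacy-lib:jar:2.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""
# log4j 1.x is published under groupId 'log4j', so the answer's log4j-core rule alone would not catch it.
BANNED = ['org.apache.logging.log4j:log4j-core:(,2.17.0)', 'log4j:log4j:[1.0,2.0)']
```

To check a real project, save the output of `mvn dependency:tree` to a file and pass its contents to banned_paths with your own pattern list.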


