From ac87977c19bb2ee2564d15fa87f255d621a4706d Mon Sep 17 00:00:00 2001 From: Juraj Veverka Date: Thu, 3 Mar 2022 13:06:00 +0100 Subject: [PATCH] documentation improved --- README.md | 8 ++++++++ pom.xml | 2 ++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 2cc1212..2b47cca 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ which shows log4j 1.2.12 dependency. This obsolete version of log4j is not part of runtime, but is found by security scan tools in the local maven cache. ### Reproduce the problem +* compile the project with clean maven cache. ``` rm -rf ~/.m2/repository/* git clone https://github.com/jveverka/mvn-dependency-log4j.git @@ -20,6 +21,13 @@ mvn clean install ls -la ~/.m2/repository/log4j/log4j/ # log4j 1.2.12 is downloaded by maven dependency plugin ``` +* remove maven maven-dependency-plugin from [pom.xml](pom.xml) and compile the project with clean maven cache. +``` +rm -rf ~/.m2/repository/* +mvn clean install +ls -la ~/.m2/repository/log4j/log4j/ +# log4j 1.2.12 is NOT downloaded by maven dependency plugin +``` ### Expected behaviour ``mvn clean install`` does not cause download of ``log4j:log4j:1.2.12`` into local ``~/.m2/repository`` maven cache. diff --git a/pom.xml b/pom.xml index 929e86d..c5f2131 100644 --- a/pom.xml +++ b/pom.xml @@ -34,11 +34,13 @@ + org.springframework.boot spring-boot-maven-plugin + org.apache.maven.plugins maven-dependency-plugin
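Review bot: in the first README.md hunk (@@ -12,6 +12,7), the new bullet "compile the project with clean maven cache" labels a block that starts with `rm -rf ~/.m2/repository/*`, which wipes the reader's whole local repository rather than only the log4j entry. Consider running the reproduction against a throwaway repository instead, for example `mvn -Dmaven.repo.local=/tmp/m2-repro clean install` followed by `ls -la /tmp/m2-repro/log4j/log4j/` (the path is only an illustration). That gives the same clean-cache result without touching the user's real cache.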
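Review bot: in the second README.md hunk (@@ -20,6 +21,13), the added step reads "remove maven maven-dependency-plugin", with "maven" doubled; drop one. The closing comment `# log4j 1.2.12 is NOT downloaded by maven dependency plugin` is confusing for a run in which the plugin has been removed from pom.xml. It would be clearer to say that the `log4j/log4j/` directory is expected to be absent, so an `ls` error for a missing directory is the expected outcome. The block also has no `git clone` or `cd`, so note that it is run from the checkout created in the previous step.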
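Review bot: the subject "documentation improved" does not account for the pom.xml hunk (@@ -34,11 +34,13), where one line is added ahead of the spring-boot-maven-plugin entry and one ahead of the maven-dependency-plugin entry. If these lines mark the plugin that the new README step asks the reader to remove, say so in the commit message and refer to the marker from the README. Otherwise move the build-file change into its own commit so the documentation change can be reviewed separately.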