Details
-
New Feature
-
Resolution: Fixed
-
Normal
-
None
-
None
-
Security Level: Jimmy
-
None
Description
User Story
The underlying log4J library used in Keikai is 1.12.13.
The log4j library is transitively resolved by zpoi /zpoiex.
Need to update zpoi/zpoi ex (maybe use API package as compiled scope only in zpoi, and actual package in test scope if necessary)
Although such a version is NOT affected by the recently discovered security vulnerabilities (CVE-2021-44228 / CVE-2021-45046 / CVE-2021-44832), it is still quite old, so we should evaluate if an upgrade is needed.
IMPORTANT NOTE:
All maven packages can be managed by their project's pom files.
Use maven dependency management features like exclusion or manual declaration to manually choose if your project should load the default log4j, not load any version of log4j, or a different version of log4j
EXCLUSION WITH
<dependency>
<groupId>io.keikai</groupId>
<artifactId>keikai-ex</artifactId>
<version>${keikai.version}</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
OR
VERSION LOCK WITH
<dependencyManagement>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.13</version> YOUR PREFERED VERSION HERE
</dependency>
</dependencies>
</dependencyManagement>
Acceptance Criteria
Use the latest Log4J library
Details
Attachments
Issue Links
- relates to
-
-
- Open
-