  1. ZK Pivottable
  2. ZKPVT-97

update poi Log4J to latest


    • New Feature
    • Resolution: Unresolved
    • Normal
    • 2.5.2
    • Security Level: Jimmy

      User Story

      The underlying log4J library used in ZK pivottable is 1.12.13.

      The log4j library is transitively resolved by zpoi.

      Need to update zpoi/zpoi ex (maybe use the API package in compile scope only in zpoi, and the actual package in test scope if necessary).

      Although such a version is NOT affected by the recently discovered security vulnerabilities (CVE-2021-44228 / CVE-2021-45046 / CVE-2021-44832), it is still quite old, so we should evaluate if an upgrade is needed.

       

      IMPORTANT NOTE:

      All maven packages can be managed by their project's pom files.

      Use Maven dependency management features like exclusion or manual declaration to manually choose if your project should load the default log4j, not load any version of log4j, or load a different version of log4j.

       

      		<!-- EXCLUSION WITH -->
      		<dependency>
      			<groupId>io.keikai</groupId>
      			<artifactId>keikai-ex</artifactId>
      			<version>${keikai.version}</version>
      			<exclusions>
      				<exclusion>
      					<groupId>log4j</groupId>
      					<artifactId>log4j</artifactId>
      				</exclusion>
      			</exclusions>
      		</dependency>
      
      	<!-- OR VERSION LOCK WITH -->
      	<dependencyManagement>
      		<dependencies>
      			<dependency>
      				<groupId>log4j</groupId>
      				<artifactId>log4j</artifactId>
      				<version>1.2.13</version> <!-- YOUR PREFERRED VERSION HERE -->
      			</dependency>
      		</dependencies>
      	</dependencyManagement>
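
      To confirm that the exclusion or version lock took effect, the resolved dependency graph can be checked rather than the pom alone. The following is an added example, not code from this ticket or from the ZK/Keikai projects: it parses `mvn dependency:tree` text output and reports every path that still pulls in `log4j:log4j`. The sample tree is constructed; the project name and the `0.0.0-SAMPLE` versions are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The project name and the
# 0.0.0-SAMPLE versions are placeholders; only log4j 1.2.13 comes from the page.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- io.keikai:keikai-ex:jar:0.0.0-SAMPLE:compile
[INFO] |  +- io.keikai:zpoi:jar:0.0.0-SAMPLE:compile
[INFO] |  |  \- log4j:log4j:jar:1.2.13:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:0.0.0-SAMPLE:compile
[INFO] \- junit:junit:jar:0.0.0-SAMPLE:test
"""

# "[INFO] " + zero or more 3-char indent cells + optional "+- " or "\- " + coordinates
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?(\S+)$")

def find_artifact(tree_text, group="log4j", artifact="log4j"):
    """Return one dict per occurrence: resolved version, scope, and the path pulling it in."""
    hits, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # skip banners, blank lines, build summary
        indent, marker, coords = m.groups()
        depth = 0 if marker is None else len(indent) // 3 + 1
        del stack[depth:]          # drop siblings and deeper nodes from the current path
        stack.append(coords)
        parts = coords.split(":")  # group:artifact:type[:classifier]:version:scope
        if depth > 0 and parts[:2] == [group, artifact]:
            via = [":".join(c.split(":")[:2]) for c in stack[1:-1]]
            hits.append({"version": parts[-2], "scope": parts[-1], "via": via})
    return hits

def violations(tree_text, pinned=None):
    """pinned=None: log4j must be absent (exclusion). Otherwise only `pinned` is allowed."""
    return [h for h in find_artifact(tree_text) if pinned is None or h["version"] != pinned]

if __name__ == "__main__":
    for h in violations(SAMPLE_TREE):
        print(f"log4j {h['version']} ({h['scope']}) via {' -> '.join(h['via'])}")
```

      With `pinned=None` the check expects the exclusion variant (no log4j at all); passing a version string checks the version-lock variant instead.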
      

      Acceptance Criteria

      Use the latest Log4J library

      Details

       

            Unassigned
            MDuchemin