Is checkstyle vulnerable to CVE-20201-44228? #11046

himb1595 · 2021-12-15T07:21:08Z

himb1595
Dec 15, 2021

Hi team,

I just wanted to confirm if checkstyle uses log4j internally and if so which version is it at?

Thanks!

Dec 15, 2021

No, log4j is not used.
You can check it by running mvn dependency:tree
Here is dependencies, no log4j

[INFO] com.puppycrawl.tools:checkstyle:jar:9.3-SNAPSHOT
[INFO] +- com.tngtech.archunit:archunit-junit5:jar:0.22.0:test
[INFO] |  +- com.tngtech.archunit:archunit-junit5-api:jar:0.22.0:test
[INFO] |  |  \- com.tngtech.archunit:archunit:jar:0.22.0:test
[INFO] |  \- com.tngtech.archunit:archunit-junit5-engine:jar:0.22.0:test
[INFO] |     \- com.tngtech.archunit:archunit-junit5-engine-api:jar:0.22.0:test
[INFO] +- info.picocli:picocli:jar:4.6.2:compile
[INFO] +- org.antlr:antlr4-runtime:jar:4.9.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- commons-logg…

View full answer

strkkk · 2021-12-15T07:37:44Z

strkkk
Dec 15, 2021
Collaborator

No, log4j is not used.
You can check it by running mvn dependency:tree
Here is dependencies, no log4j

[INFO] com.puppycrawl.tools:checkstyle:jar:9.3-SNAPSHOT
[INFO] +- com.tngtech.archunit:archunit-junit5:jar:0.22.0:test
[INFO] |  +- com.tngtech.archunit:archunit-junit5-api:jar:0.22.0:test
[INFO] |  |  \- com.tngtech.archunit:archunit:jar:0.22.0:test
[INFO] |  \- com.tngtech.archunit:archunit-junit5-engine:jar:0.22.0:test
[INFO] |     \- com.tngtech.archunit:archunit-junit5-engine-api:jar:0.22.0:test
[INFO] +- info.picocli:picocli:jar:4.6.2:compile
[INFO] +- org.antlr:antlr4-runtime:jar:4.9.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- com.google.guava:guava:jar:31.0.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.7.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- org.apache.ant:ant:jar:1.10.12:provided
[INFO] |  +- org.apache.ant:ant-launcher:jar:1.10.12:provided
[INFO] |  \- com.sun:tools:jar:1.8.0:system
[INFO] +- org.reflections:reflections:jar:0.10.2:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] +- org.itsallcode:junit5-system-extensions:jar:1.1.0:test
[INFO] +- org.junit-pioneer:junit-pioneer:jar:1.5.0:test
[INFO] |  +- org.junit.jupiter:junit-jupiter-params:jar:5.7.2:test
[INFO] |  \- org.junit.platform:junit-platform-launcher:jar:1.7.2:test
[INFO] +- org.junit.vintage:junit-vintage-engine:jar:5.8.2:test
[INFO] |  \- junit:junit:jar:4.13.2:test
[INFO] +- com.google.truth:truth:jar:1.1.3:test
[INFO] |  +- com.google.auto.value:auto-value-annotations:jar:1.8.1:test
[INFO] |  \- org.ow2.asm:asm:jar:9.1:test
[INFO] +- com.github.stefanbirkner:system-rules:jar:1.19.0:test
[INFO] +- nl.jqno.equalsverifier:equalsverifier:jar:3.8:test
[INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test
[INFO] |  +- org.powermock:powermock-api-support:jar:2.0.9:test
[INFO] |  |  +- org.powermock:powermock-reflect:jar:2.0.9:test
[INFO] |  |  |  +- net.bytebuddy:byte-buddy:jar:1.10.14:test
[INFO] |  |  |  \- net.bytebuddy:byte-buddy-agent:jar:1.10.14:test
[INFO] |  |  \- org.powermock:powermock-core:jar:2.0.9:test
[INFO] |  \- org.mockito:mockito-core:jar:3.3.3:test
[INFO] |     \- org.objenesis:objenesis:jar:2.6:test
[INFO] +- org.javassist:javassist:jar:3.28.0-GA:test
[INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test
[INFO] |  +- org.powermock:powermock-module-junit4-common:jar:2.0.9:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- commons-io:commons-io:jar:2.11.0:test
[INFO] +- org.eclipse.jgit:org.eclipse.jgit:jar:5.13.0.202109080827-r:test
[INFO] |  \- com.googlecode.javaewah:JavaEWAH:jar:1.1.12:test
[INFO] +- org.slf4j:slf4j-simple:jar:1.7.32:test
[INFO] +- org.jacoco:org.jacoco.agent:jar:runtime:0.8.7:test
[INFO] +- de.thetaphi:forbiddenapis:jar:3.2:test
[INFO] \- net.sf.saxon:Saxon-HE:jar:10.6:compile

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is checkstyle vulnerable to CVE-20201-44228? #11046

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Is checkstyle vulnerable to CVE-20201-44228? #11046

himb1595 Dec 15, 2021

Replies: 1 comment

strkkk Dec 15, 2021 Collaborator

himb1595
Dec 15, 2021

strkkk
Dec 15, 2021
Collaborator