Redirect Log4J 1.x to Log 2.x #11264
Conversation
Removes flag by Whitesource vulnerability scanner
Alternate approach: #11265
@NiteshKant @chrisvest thoughts?
Also /cc @trustin
How about this one + adding Log4J2 internal logger implementation?
@trustin we already have one ;)
Haha, then +1 for just accepting this one 😅
I would think that the reason we have a log4j 1.2 integration is to support deployments that wish to use log4j 1.2 for logging; the API we use to do that is an implementation detail. I couldn't find the original CVE (oh wait, here it is), but it sounds like all versions of log4j 1.2 are vulnerable, which means the ideal solution - upgrading to a non-vulnerable version - isn't possible. So it sounds like we are dropping log4j 1.2 support entirely (btw. log4j 1.2 was declared EOL in 2015). In that case, instead of using this bridge API, we could make
@chrisvest so like this #11265 ?
Removing libraries that have been EOL for more than half a decade sounds reasonable. Any idea how many projects downstream would get into trouble doing that?
@normanmaurer Yeah, added a comment on that one. I don't know how much trouble it would cause for downstream to remove log4j 1.2. As far as I can tell, both solutions effectively do that, though.
@chrisvest I think this solution will still work for people that have put log4j 1.2 on their classpath, as there are no class changes.
@normanmaurer Because you'd have the real log4j 1.2 on the class path at runtime instead of the bridge API? I suppose if people do it like that and make sure to not depend on the bridge. Ok.
@chrisvest exactly... as our dependency is marked as optional I think this should work.
@Stwissel can you please sign our ICLA: https://netty.io/s/icla and let me know once done?
@normanmaurer - signed
@Stwissel thanks a lot!
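As an added illustration (constructed for this note, not Netty's actual pom.xml; the versions are placeholders), the Maven dependency swap the PR describes, with the bridge kept optional so that a downstream project that still ships real log4j 1.2 on its classpath keeps working, as discussed above:

```xml
<!-- Constructed illustration, not Netty's pom.xml; versions are placeholders. -->

<!-- Before: the log4j 1.2 artifact itself, which the WhiteSource scan flags. -->
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.x</version>   <!-- placeholder -->
  <optional>true</optional>
</dependency>

<!-- After: the Log4j 2 bridge, which provides the same org.apache.log4j API
     so Netty's log4j 1.2 integration compiles without class changes. -->
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-1.2-api</artifactId>
  <version>2.x</version>     <!-- placeholder -->
  <optional>true</optional>
</dependency>

<!-- Because the dependency is optional, consumers do not inherit it transitively.
     A downstream build that still declares log4j:log4j itself supplies the
     org.apache.log4j classes at runtime instead of the bridge, as the thread notes. -->
```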
Removes flag by Whitesource vulnerability scanner

Motivation:

WhiteSource vulnerability scan flags the Log4J 1.x stream as vulnerable.

Modification:

Replaced reference to `log4j` with `log4j-1.2-api`

Ran `mvn test` (on a Mac) successfully

Result:

Fixes #11263