Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2021/12/17 16:38:19 UTC

[GitHub] [beam] aaltay commented on pull request #16269: [Proof of Concept / WIP] Use a patched shadow 6.1.0 plugin using Log4j 2.16.0

aaltay commented on pull request #16269:
URL: https://github.com/apache/beam/pull/16269#issuecomment-996861024


   Thank you @kennknowles 
   
   I believe https://github.com/apache/beam/pull/16269 would not solve the problem with security scanners. They are scanning for the shadow plugin 6.1.0 itself.
   
   > I suppose the thing we need to do is a dry run of the vendored deps to test. But we don't have any reference in our vendor java plugin to this transformer.
   
   I ran `./gradlew shadowJar` but I do not know if that is sufficient. How can I do this dry run? Would @lukecwik know?
   
   > Issue your change as a PR to the plugin repo? I expect rolling 6.1.1 release is pretty easy for them.
   
   I wanted to, but they do not have a 6.1.0 branch to issue a PR against. I am hoping that the GitHub issue will be resolved for a much better solution.

