Posted to dev@zeppelin.apache.org by GitBox <gi...@apache.org> on 2022/04/20 09:45:39 UTC

[GitHub] [zeppelin] jongyoul commented on a diff in pull request #4286: [ZEPPELIN-5613] zeppelin-interpreter-parent: Add dependencyManagement for log4j2 in pom.xml

jongyoul commented on code in PR #4286:
URL: https://github.com/apache/zeppelin/pull/4286#discussion_r853942778


##########
zeppelin-interpreter-parent/pom.xml:
##########
@@ -33,6 +33,35 @@
   <version>0.9.0-SNAPSHOT</version>
   <name>Zeppelin: Interpreter Parent</name>
 
+  <properties>
+    <log4j2.version>2.17.1</log4j2.version>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-1.2-api</artifactId>
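Review bot: The `<dependencyManagement>` entry for `log4j-1.2-api` only fixes the version of the Log4j 1.x bridge in modules that already resolve that artifact; in the lines shown, nothing keeps the original `log4j:log4j` 1.x jar off the classpath of interpreters that pull it in transitively. If the intent is for interpreters to run on Log4j 2, consider pairing this with exclusions or a maven-enforcer `bannedDependencies` rule for `log4j:log4j`. A short XML comment next to `<log4j2.version>2.17.1</log4j2.version>` stating why the version is pinned in this module would also help keep it in step with the rest of the build.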

Review Comment:
   In my understanding, Log4j1 has a potential security issue, but Zeppelin doesn't use the methods which are known issues. Of course, I agree with you, but we might need to investigate other components, including old versions of Spark and Flink. So this PR still looks fine, and let's discuss the security issues in another channel.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
