Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2020/12/30 15:54:00 UTC
[jira] [Resolved] (LOG4J2-2987) Snyk reports vulnerability for log4j-to-slf4j caused by junit transitive dependency
[ https://issues.apache.org/jira/browse/LOG4J2-2987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ralph Goers resolved LOG4J2-2987.
---------------------------------
Resolution: Not A Problem
> Snyk reports vulnerability for log4j-to-slf4j caused by junit transitive dependency
> -----------------------------------------------------------------------------------
>
> Key: LOG4J2-2987
> URL: https://issues.apache.org/jira/browse/LOG4J2-2987
> Project: Log4j 2
> Issue Type: Improvement
> Components: SLF4J Bridge
> Affects Versions: 2.14.0
> Reporter: Hakan Altindag
> Priority: Minor
> Attachments: image-2020-12-30-11-44-03-287.png
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> I am using log4j-to-slf4j bridge for my own library. During the regular vulnerability scan it reported that it has a vulnerability caused by a transitive dependency from log4j-api which has a compile scoped dependency of org.junit.jupiter:junit-jupiter-migrationsupport.
> See here for a screenshot:
> !image-2020-12-30-11-44-03-287.png!
> See here for the report: [https://app.snyk.io/org/hakky54/project/667055da-a0a4-461f-a169-e88bd2f94ce1]
>
> This issue can be fixed when adding the test scope to the dependency in the following file: https://github.com/apache/logging-log4j2/blob/master/log4j-api/pom.xml
> I am not familiar with the code base, so I was not sure if someone did not put a test scope on purpose... But looking at the other dependencies, the following could also be marked as test scope: junit-vintage-engine, junit-jupiter-migrationsupport, junit-jupiter-params, junit-jupiter-engine, assertj-core
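The ticket's underlying point is a Maven scoping check: a test framework declared without `<scope>test</scope>` defaults to compile scope, so it becomes a transitive dependency of every consumer and shows up in their supply-chain scans. The script below is an added example (not code from the Log4j project or the reporter) that parses a pom.xml and reports test-only libraries whose effective scope would propagate to consumers. The pom content is constructed for this example, and the set of "test-only" groupIds is a heuristic chosen here, not a Maven rule; the script reads only the top-level `<dependencies>` block and ignores parent poms, `<dependencyManagement>` and profiles.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Heuristic (an assumption of this example): groupIds that only ever belong in test scope.
TEST_ONLY_GROUPS = {"org.junit.jupiter", "org.junit.vintage", "junit", "org.assertj", "org.hamcrest"}

# Maven propagates compile and runtime scoped dependencies to consumers;
# provided and test scoped ones stay with the declaring module.
TRANSITIVE_SCOPES = {"compile", "runtime"}

# Constructed pom.xml modelled on the situation in the ticket; not the real log4j-api pom.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-api</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.30</version>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-migrationsupport</artifactId>
      <version>5.7.0</version>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-engine</artifactId>
      <version>5.7.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.assertj</groupId>
      <artifactId>assertj-core</artifactId>
      <version>3.18.1</version>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
</project>
"""


def _child_text(dep, tag):
    """Text of a namespaced child element, or None when it is absent."""
    node = dep.find(f"{{{POM_NS}}}{tag}")
    return node.text.strip() if node is not None and node.text else None


def list_dependencies(pom_xml):
    """Return (groupId, artifactId, effective scope) for each entry in <project><dependencies>.

    A missing <scope> element means Maven's default, compile.
    """
    root = ET.fromstring(pom_xml)
    deps = root.findall(f"{{{POM_NS}}}dependencies/{{{POM_NS}}}dependency")
    return [
        (_child_text(d, "groupId"), _child_text(d, "artifactId"), _child_text(d, "scope") or "compile")
        for d in deps
    ]


def find_misscoped_test_deps(pom_xml):
    """Return 'groupId:artifactId (scope)' for test-only libraries that would leak to consumers."""
    findings = []
    for group, artifact, scope in list_dependencies(pom_xml):
        if group in TEST_ONLY_GROUPS and scope in TRANSITIVE_SCOPES:
            findings.append(f"{group}:{artifact} ({scope})")
    return findings


if __name__ == "__main__":
    for finding in find_misscoped_test_deps(SAMPLE_POM):
        print("test-only dependency reaches consumers:", finding)
```

Running it against the constructed pom flags `junit-jupiter-migrationsupport` (no scope, hence compile) and `assertj-core` (runtime), while the `test`-scoped `junit-jupiter-engine` passes. The same walk can be pointed at a real module pom to confirm that a scanner finding like the one in the ticket stems from a scope omission rather than from the library's runtime code.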
--
This message was sent by Atlassian Jira
(v8.3.4#803005)