Apache Log4j Security Vulnerabilities
apb-kawaguchi-kazuki opened this issue · 3 comments
I want to know whether it is necessary to update this library's version.
I found log4j version v2.14.1 in this library.
This version has vulnerabilities,
but it is only used in jvmTest.
https://github.com/MicroUtils/kotlin-logging/blob/master/build.gradle.kts
I'm sorry, but I can't judge whether this vulnerability affects the service.
Sorry for my poor English.
Official:
https://logging.apache.org/log4j/2.x/security.html
Thank you for reporting an issue. See the wiki for documentation and slack for questions.
Fixed in #207. And anyway, since this is just used in tests, there isn't a real risk for users.
Some more background on the issue, copied from #207.
kotlin-logging is a facade (similar to slf4j), which means it only wraps the implementation you choose as a logging framework.
Popular implementations are logback and log4j.
On the tests of kotlin-logging we needed an actual implementation to use. We could write our own mocks but it makes more sense to take an actual impl for that to reflect how users use the lib. So kotlin-logging depends on log4j for testing only.
Example of such tests can be seen here.
You can see the dependency here:
It means that this dependency does not pass transitively to users of kotlin-logging, and therefore users don't need to upgrade kotlin-logging itself. You can also see that in the POM that is generated for kotlin-logging.
For people to feel safer, and for our own safety (when running tests), we upgraded kotlin-logging's dependency on log4j.
So it's not really needed, but I will not stop you from upgrading.
Hope that clears things a bit more.
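Added example, not code from the issue thread or the kotlin-logging project: a small Python check that does what the maintainer suggests, reading a published pom.xml and separating the dependencies that propagate to consumers (Maven's `compile` and `runtime` scopes; `compile` is the default when no `<scope>` element is present) from those that stay test-only. The POM text below is constructed for illustration; the log4j version 2.14.1 is the one the issue mentions, all other coordinates and versions are placeholders.

```python
"""Report which dependencies in a Maven POM reach consumers of the artifact.

Added example, not part of the kotlin-logging project. The SAMPLE_POM is
constructed; feed in the real published pom.xml to check an actual artifact.
"""
import xml.etree.ElementTree as ET

# Maven scopes that are passed on transitively to a consumer's classpath.
# 'test' and 'provided' dependencies stay with the producing project.
TRANSITIVE_SCOPES = {"compile", "runtime"}
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed sample POM (not the real kotlin-logging POM): one ordinary
# dependency with no <scope> (defaults to compile) and log4j-core in test scope.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>logging-facade</artifactId>
  <version>0.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>0.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def parse_dependencies(pom_xml):
    """Return a list of {group, artifact, version, scope} dicts from a POM."""
    root = ET.fromstring(pom_xml)
    # Drop the XML namespace so the same code handles POMs with or without xmlns.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]

    def text(dep, tag):
        child = dep.find(tag)
        return child.text.strip() if child is not None and child.text else None

    deps = []
    for dep in root.findall("dependencies/dependency"):
        deps.append({
            "group": text(dep, "groupId"),
            "artifact": text(dep, "artifactId"),
            "version": text(dep, "version"),
            # Maven treats a missing <scope> as compile, i.e. transitive.
            "scope": text(dep, "scope") or "compile",
        })
    return deps


def consumer_visible(deps):
    """Dependencies that land on the classpath of whoever depends on this artifact."""
    return [d for d in deps if d["scope"] in TRANSITIVE_SCOPES]


def log4j_exposure(pom_xml):
    """Split log4j dependencies into (test_only, propagated_to_consumers)."""
    log4j = [d for d in parse_dependencies(pom_xml)
             if (d["group"] or "").startswith(LOG4J_GROUP)]
    test_only = [d for d in log4j if d["scope"] == "test"]
    propagated = [d for d in log4j if d["scope"] in TRANSITIVE_SCOPES]
    return test_only, propagated


def report(pom_xml):
    """Human-readable summary; returns True when no log4j reaches consumers."""
    test_only, propagated = log4j_exposure(pom_xml)
    for d in consumer_visible(parse_dependencies(pom_xml)):
        print(f"propagates to consumers: {d['group']}:{d['artifact']}:{d['version']} ({d['scope']})")
    for d in test_only:
        print(f"test-only, not propagated: {d['group']}:{d['artifact']}:{d['version']}")
    for d in propagated:
        print(f"WARNING: log4j on consumer classpath: {d['group']}:{d['artifact']}:{d['version']}")
    return not propagated


if __name__ == "__main__":
    report(SAMPLE_POM)
    # Same POM with the test scope removed: log4j would now reach consumers.
    report(SAMPLE_POM.replace("<scope>test</scope>", ""))
```

The POM only tells you what the library publishes. To confirm what actually ends up in your own application, resolve the runtime configuration of your build (for Gradle, `./gradlew dependencies --configuration runtimeClasspath`) and look for log4j there; a test-scoped dependency of a library will not appear, but another dependency in your graph may still pull log4j in on its own.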