scalacenter/bloop

Using SBT version which has log4j vulnerability fixed

vikasdp opened this issue · 13 comments

Couldn't find a bloop version that uses an SBT version which has the log4j vulnerability fixed in it. Is there going to be a new bloop version available which addresses this?

Thanks for reporting! The bloop plugin can be used with the later versions of SBT. We haven't managed to update the Bloop repo itself to 1.6.0 due to some incompatibilities. This should not cause any issues however, since we do not accept any user input or run jobs in PRs from unknown contributors.

Please correct me if I am wrong.

Thanks @tgodzik for the response. Maybe I missed something, but through Metals we use bloop. Do you know where/how we can configure bloop (again, we use bloop only via the Metals plugin) to use a later version of SBT (which has the log4j vulnerability fixed)?

Bloop itself doesn't use sbt. The bloop plugin is only used to export configuration files that can later be used to compile the project.

So is this a Bloop issue or the Metals plugin issue that is responsible for introducing the vulnerable version of log4j (2.8.1)?

This breaks Metals entirely for me as I am behind an Artifactory proxy repo that disallows vulnerable versions of Log4j to be downloaded.

This is a Bloop issue, could you try setting Bloop 1.4.13? The log4j version should be updated in #1667

Where is the configuration in Metals to change the bloop version? Do you need to download bloop separately to use a different bloop version from Metals than the one Metals uses by default?

Thanks @scottweaver. Unfortunately no SNAPSHOT versions are allowed to be downloaded behind the company proxy, so a pre-release version isn't an option for us.

The other workaround is to switch to using SBT instead of Bloop in Metals.
> Metals: Switch build server and select SBT.

We will also be doing a new release next week, so this should be available by default.

Bloop now uses sbt 1.6.2, which has the log4j vulnerability fixed.

@tgodzik, will there be a release version available soon with all the fixes here? https://github.com/scalameta/metals-vscode/releases I can see 1.12.28 is a pre-release version. Where I am (behind corporate proxies) no pre-release versions are available/allowed to install.

I will try to release next week.