Closed hollomyfoolish closed 1 year ago
Thank you for reaching out.
The dependency org.apache.commons:commons-lang3 provides the interface ConcurrentInitializer, which is part of the public API of cf-java-logging-support-servlet in DynamicLogLevelFilter. Therefore, it cannot be removed without losing backwards compatibility. There are four more usages of StringUtils.isNotBlank that could be removed.
Currently version 3.6 is used, which should be replaced by 3.12.0. However, I found no CVEs listed for either version. Can you provide more information on the risk you see? So far I understand that only the release date of the last version flags this library in your security scans. Since you are giving the release date of 3.12.0 as reference, I guess upgrading version 3.6 to 3.12.0 will not improve your situation. Is this assumption correct?
Btw, following https://github.com/apache/commons-lang and the issue tracker linked on the README.md, there still is ongoing activity in that project. I would still consider it as maintained by the community and safe for use. Can you provide more information on why you think that dependency should be removed from cf-java-logging-support?
Hi @KarstenSchnitter, thanks for your quick reply and clarification. Firstly, you're right that even upgrading to 3.12.0 will not improve my situation, and you are also right that currently there are no CVEs for the latest org.apache.commons:commons-lang3. I ask this question just because there is a security standard in my company saying that if there is no new release in the latest 12 months, then this library will be marked as high operational risk. I am not asking you to remove this dependency; actually I am totally OK with you keeping it, because there are no CVEs anyway. I just want to know if you will consider the case where one dependency doesn't release a new version for a long time.
Generally, we are very cautiously choosing the dependencies for this library. We want to limit its footprint as much as possible. This includes removing outdated or unmaintained libraries.
I will update the commons-lang3 version to the most current version. Furthermore, I will remove it entirely from the cf-java-logging-support-core module, so that it is only used in cf-java-logging-support-servlet. I will keep this issue open until this change is merged.
Hi @KarstenSchnitter, thanks for the answer.
There is a dependency "Apache Commons Lang" in cf-java-logging-support. I noticed that the latest Apache Commons Lang was released on Mar 02, 2021, which marks it as a high operational risk. Is there a plan for this security issue? Thanks.