What does this change?
This change removes aws-lambda-java-log4j v1.0.1 as it contains CVE-2022-23305, with no fix outside of a wholesale update. This change does not update all dependencies, just fixes the vuln.
How to test
I reinstated the unit test so as to ensure no runtime errors doing the logging. It required me to default the code to use the DEV environment name, and I had to create a DEV config file in S3 which looked like this:
apiClientId = foo
apiToken = bar
salesforceOrganizationId = someOrganizationId
How can we measure success?
I've deployed this in CODE and tested a request via the API Gateway. The CloudWatch logs look identical:
Have we considered potential risks?
No Salesforce updates get synced to Identity or Zuora.