j256 / ormlite-android

ORMLite Android functionality used in conjunction with ormlite-core
http://ormlite.com/
ISC License

log4j #138

Open spyhunter99 opened 2 years ago

spyhunter99 commented 2 years ago

Hi, I was attempting to publish a library that uses this library as a dependency. oss.sonatype.org sent me a "lift" report that flagged this library as having a few security-related issues. It looks like it's related to log4j 1.x.

Seeing this in the root pom

yes we know this is an issue but it is here for backwards compatibility

As a user of the library, can we exclude the log4j dependency and have the library still be functional? Alternatively, is there a plan to use some other logging library or a newer version?

j256 commented 2 years ago

Sorry for the delay @spyhunter99 . The log4j dependencies should be marked as optional so they won't be used unless you provide them. Is that not what you are seeing?
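For reference, as an added example that is not from this thread or the ormlite project: the two pom fragments below show what "marked as optional" means on the library side, and how a consumer can pin down and explicitly exclude the transitive log4j 1.x artifact if a scanner still reports it. `log4j:log4j` are the standard coordinates for log4j 1.x; both version values are placeholders.

```xml
<!-- Library side (producer pom fragment): an optional dependency is
     compiled against by the library but is NOT propagated into the
     dependency tree of projects that depend on the library. -->
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>LOG4J_VERSION_PLACEHOLDER</version>
  <optional>true</optional>
</dependency>

<!-- Consumer side (your project's pom fragment): if a scan still reports
     log4j 1.x arriving through ormlite-android, exclude it explicitly so it
     cannot be pulled in transitively, then re-run the scan. -->
<dependency>
  <groupId>com.j256.ormlite</groupId>
  <artifactId>ormlite-android</artifactId>
  <version>ORMLITE_VERSION_PLACEHOLDER</version>
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To verify either side, `mvn dependency:tree -Dincludes=log4j:log4j` lists every path by which log4j 1.x reaches the project; an empty result under the project means the optional flag or the exclusion is effective.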

spyhunter99 commented 2 years ago

Looks like that was cleared up. It's also complaining about this one:

[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://ossindex.sonatype.org/vulnerability/a9c81f11-d02c-4b45-b55f-0eedd1786272?component-type=maven&component-name=com.j256.ormlite.ormlite-android&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)