Open spyhunter99 opened 2 years ago

Hi, I was attempting to publish a library that uses this library as a dependency. oss.sonatype.org sent me a "lift" report that flagged this library as having a few security-related issues. It looks like it's related to log4j 1.x.

Seeing this in the root pom

As a user of the library, can we exclude the log4j dependency and have the library still be functional? Alternatively, is there a plan to use some other logging library or a newer version?

Sorry for the delay @spyhunter99. The log4j dependencies should be marked as optional so it won't be used unless you provide it. Is that not what you are seeing?

Looks like that was cleared up. It's also complaining about this one:

| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| -- |
| [CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://ossindex.sonatype.org/vulnerability/a9c81f11-d02c-4b45-b55f-0eedd1786272?component-type=maven&component-name=com.j256.ormlite.ormlite-android&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0) |
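The two Maven declarations the thread talks about, as an added example (this is not the ormlite project's own pom and not code posted in the issue): the first is what the maintainer describes, the library marking log4j 1.x `optional` so it is not pulled transitively into consumers' builds; the second is what a consumer can do if the release they depend on still declares log4j as a normal compile dependency. The version numbers shown are assumptions, and `log4j:log4j` are the Maven coordinates of log4j 1.x.

```xml
<!-- Added example, not from the ormlite project or this issue thread. -->

<!-- Library side (the maintainer's point): declared optional, the log4j 1.x
     jar is only on the classpath if the consumer adds it themselves. -->
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version> <!-- assumed version -->
  <optional>true</optional>
</dependency>

<!-- Consumer side (the reporter's question): exclude log4j when depending
     on ormlite-android, in case the release still declares it non-optional.
     The ormlite-android version is an assumption; use the one you already
     resolve. -->
<dependency>
  <groupId>com.j256.ormlite</groupId>
  <artifactId>ormlite-android</artifactId>
  <version>5.1</version> <!-- assumed version -->
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To check that the exclusion (or the upstream `optional` flag) actually took effect, run `mvn dependency:tree -Dincludes=log4j` in the consuming project; an empty tree means no log4j 1.x artifact is resolved through any path, which is what the scanner is looking at. Keep in mind that an exclusion only removes the jar from your build; whether the library still works without it depends on it selecting a logging backend at runtime, which is what the maintainer's reply says it does.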