jenkinsci / allure-plugin

Allure Jenkins Plugin
https://plugins.jenkins.io/allure-jenkins-plugin/

Upgrade log4j #301

Closed haocheng closed 2 years ago

haocheng commented 2 years ago

What feature do you want to see added?

It seems that the latest version of the Allure Jenkins plugin is still using the vulnerable log4j 1.2.9. Is it possible to upgrade log4j to fix the security vulnerability? Thank you!

```text
> ./gradlew clean dependencies | grep log4j
     |    \--- log4j:log4j:1.2.9
     +--- org.slf4j:log4j-over-slf4j:1.7.7
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    \--- log4j:log4j:1.2.9
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    |    \--- log4j:log4j:1.2.9
|    |    +--- org.slf4j:log4j-over-slf4j:1.7.7
     |    |    \--- log4j:log4j:1.2.9
     |    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    |    \--- log4j:log4j:1.2.9
|    |    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    \--- log4j:log4j:1.2.9
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    \--- log4j:log4j:1.2.9
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    \--- log4j:log4j:1.2.9
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    |    \--- log4j:log4j:1.2.9
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
```

Upstream changes

No response
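
The `grep log4j` check above has two weaknesses a reviewer of this report would want closed: it also matches `org.slf4j:log4j-over-slf4j`, which is the SLF4J bridge that replaces the log4j 1.x API rather than the vulnerable artifact, and it throws away the tree context that says which direct dependency is dragging `log4j:log4j` in. The script below is an added example written for this page, not code from the allure-plugin project. It parses the `+---`/`\---` tree that `./gradlew dependencies` prints, applies Gradle's `declared -> resolved` version arrows, and reports the full chain from each direct dependency down to every `log4j:log4j` 1.x node. The sample tree embedded in it is constructed for the example and is not the plugin's real output.

```python
"""Locate log4j 1.x in a Gradle dependency report and show who pulls it in.

Added example, not part of jenkinsci/allure-plugin. Input is the text
format printed by `./gradlew dependencies`: one node per line, each depth
level adding a 5-character prefix of either "|    " or "     ".
"""
import re

# Constructed sample in the shape of Gradle's report; not real plugin output.
SAMPLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.jenkins-ci.main:jenkins-core:2.222
|    +--- org.slf4j:log4j-over-slf4j:1.7.7
|    \\--- commons-io:commons-io:2.6
+--- com.example:legacy-lib:1.0
|    \\--- log4j:log4j:1.2.9
\\--- com.example:other-lib:2.0
     \\--- log4j:log4j:1.2.9 -> 1.2.17 (*)
"""

# prefix: zero or more 5-char depth markers; coord: group:name[:version];
# resolved: version (or full coordinate) after Gradle's " -> " arrow.
# Trailing markers such as (*), (c), (n) are left unmatched and ignored.
NODE_RE = re.compile(
    r"^(?P<prefix>(?:\|    |     )*)[+\\]--- "
    r"(?P<coord>[^\s(]+)"
    r"(?: -> (?P<resolved>[^\s(]+))?"
)


def _resolved_coordinate(coord, resolved):
    """Return group:name:version, preferring the version Gradle resolved to."""
    if resolved is None:
        return coord
    if ":" in resolved:
        # Arrow carried a whole coordinate (e.g. a dependency substitution).
        return resolved
    group_and_name = coord.split(":")[:2]
    return ":".join(group_and_name + [resolved])


def parse_tree(text):
    """Yield (depth, coordinate) for every dependency node line."""
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend text
        depth = len(m.group("prefix")) // 5
        yield depth, _resolved_coordinate(m.group("coord"), m.group("resolved"))


def is_log4j1(coordinate):
    """True only for the log4j:log4j artifact with a 1.x version.

    The SLF4J bridge (org.slf4j:log4j-over-slf4j) and log4j 2.x
    (org.apache.logging.log4j:*) both contain "log4j" but are not matches.
    """
    parts = coordinate.split(":")
    if len(parts) < 3:
        return False  # e.g. "project :foo" or a versionless coordinate
    group, name, version = parts[0], parts[1], parts[2]
    return group == "log4j" and name == "log4j" and version.startswith("1.")


def find_log4j1_paths(text):
    """Return each chain of coordinates from a direct dependency to log4j 1.x."""
    paths = []
    stack = []  # coordinates of the ancestors of the current node, by depth
    for depth, coord in parse_tree(text):
        del stack[depth:]  # climbing back up the tree drops deeper ancestors
        stack.append(coord)
        if is_log4j1(coord):
            paths.append(list(stack))
    return paths


def vulnerable_roots(text):
    """Direct dependencies that transitively bring in log4j 1.x."""
    return sorted({path[0] for path in find_log4j1_paths(text)})


if __name__ == "__main__":
    for path in find_log4j1_paths(SAMPLE_TREE):
        print(" -> ".join(path))
    print("direct dependencies to fix:", vulnerable_roots(SAMPLE_TREE))
```

Run it with the real report piped in (`./gradlew dependencies --configuration runtimeClasspath`, read from stdin or a file) and the output lists the direct dependencies whose exclusion or upgrade actually removes `log4j:log4j` from the classpath; the bridge lines that the plain `grep` flagged are skipped.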

DrMarkDunne commented 2 years ago

Hey guys,

This security vulnerability is an issue for my team too. Is there any timeline on a potential fix for this?

Thanks in advance. Mark