Closed (brampat closed this issue 2 years ago)
@brampat Can you tell me where log4j is used as a dependency in the project?
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ matomo-java-tracker ---
[INFO] org.piwik.java.tracking:matomo-java-tracker:jar:1.8-SNAPSHOT
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- org.glassfish:javax.json:jar:1.1.4:compile
[INFO] +- org.mockito:mockito-core:jar:3.12.4:test
[INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test
[INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
[INFO] | \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- javax.xml.bind:jaxb-api:jar:2.3.0:compile
You are correct. My mistake. There are a few dependencies that could be upgraded, but none that have any vulnerabilities.
Log4J 2.11 is vulnerable to these CVEs: CVE-2021-44228 (10.0), CVE-2021-45046 (9.0). Upgrading to the most recent Log4J version will fix this. Using tools like OWASP Dependency Check or Dependabot makes it easy to detect and fix these and similar issues. I will create a pull request if I have time to upgrade this and any other dependencies that are outdated. Depending on the effectiveness of your test suite, this should easily fix this.
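The two questions in this thread, whether Log4j appears anywhere in the `mvn dependency:tree` output at all and whether a log4j-core version falls inside the ranges affected by CVE-2021-44228 and CVE-2021-45046, can both be answered mechanically. The script below is an added example, not code from the issue or from the matomo-java-tracker project: it parses the tree output, lists every Log4j coordinate, and flags log4j-core versions in the affected ranges. The affected range (2.0-beta9 up to the fix releases 2.15.0 and 2.16.0, with 2.12.2 and 2.3.1 as fixed backports) is taken from the Apache Log4j advisories and is an assumption of the example, not something the thread states; the second tree containing log4j-core 2.11.2 is constructed to show a hit and is not the project's real tree.

```python
"""Check `mvn dependency:tree` output for Log4j artifacts and for log4j-core
versions affected by CVE-2021-44228 and CVE-2021-45046.

Added example; not code from the issue thread or from matomo-java-tracker.
Assumed advisory data (not on the page): affected from 2.0-beta9, fixed in
2.15.0 (CVE-2021-44228) and 2.16.0 (CVE-2021-45046); 2.12.2 and 2.3.1 are
fixed backport releases.
"""
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_FROM = "2.0-beta9"                      # assumed, see docstring
FIXED_IN = {"CVE-2021-44228": "2.15.0", "CVE-2021-45046": "2.16.0"}
BACKPORTS = {"2.12.2", "2.3.1"}
LOG4J_GROUPS = ("org.apache.logging.log4j", "log4j")  # 2.x and 1.x group ids


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key for Log4j-style versions; 2.0-beta9 sorts below 2.0 and 2.0.1."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", version)
    if not m:
        return (0,)
    major, minor, patch, pre = m.groups()
    # 4th field: 0 for a pre-release, 1 for a final release; 5th: pre-release number
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))


def parse_tree(text: str) -> List[Dict[str, Optional[str]]]:
    """Extract group, artifact, version and scope from each coordinate line.

    Accepts `g:a:type:version[:scope]` and the classifier form
    `g:a:type:classifier:version:scope`; banner and blank lines are skipped.
    """
    deps = []
    for line in text.splitlines():
        body = line[len("[INFO]"):] if line.startswith("[INFO]") else line
        body = body.strip(" |+\\-")          # indentation and tree-drawing characters
        parts = body.split(":")
        if len(parts) < 4:
            continue                         # e.g. the maven-dependency-plugin banner
        if len(parts) == 4:
            group, artifact, _type, version = parts
            scope = None                     # the root project has no scope
        elif len(parts) == 5:
            group, artifact, _type, version, scope = parts
        else:
            group, artifact, _type, _classifier, version, scope = parts[:6]
        deps.append({"group": group, "artifact": artifact,
                     "version": version, "scope": scope})
    return deps


def log4j_artifacts(text: str) -> List[str]:
    """Answer 'where is log4j used?': every Log4j coordinate in the tree."""
    return [f"{d['group']}:{d['artifact']}:{d['version']}"
            for d in parse_tree(text) if d["group"] in LOG4J_GROUPS]


def matching_cves(version: str) -> List[str]:
    """CVEs from the assumed table that apply to this log4j-core version."""
    if version in BACKPORTS:
        return []
    key = version_key(version)
    if key < version_key(AFFECTED_FROM):
        return []
    return [cve for cve, fixed in FIXED_IN.items() if key < version_key(fixed)]


def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """(version, scope, cves) for each affected log4j-core in the tree."""
    findings = []
    for d in parse_tree(text):
        if d["group"] == "org.apache.logging.log4j" and d["artifact"] == "log4j-core":
            cves = matching_cves(d["version"])
            if cves:
                findings.append((d["version"], d["scope"] or "compile", cves))
    return findings


# The tree pasted in the thread above, copied verbatim.
PAGE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ matomo-java-tracker ---
[INFO] org.piwik.java.tracking:matomo-java-tracker:jar:1.8-SNAPSHOT
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- org.glassfish:javax.json:jar:1.1.4:compile
[INFO] +- org.mockito:mockito-core:jar:3.12.4:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.11.13:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
[INFO] |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- javax.xml.bind:jaxb-api:jar:2.3.0:compile
"""

# Constructed tree with a hypothetical log4j-core 2.11.2 (not the project's tree).
CONSTRUCTED_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
"""

if __name__ == "__main__":
    for name, tree in (("page tree", PAGE_TREE), ("constructed tree", CONSTRUCTED_TREE)):
        print(name, "log4j artifacts:", log4j_artifacts(tree))
        for version, scope, cves in scan(tree):
            print(f"  log4j-core {version} ({scope}) affected by {', '.join(cves)}")
```

Run against the page's tree the scan returns nothing, which matches the conclusion reached in the thread; against the constructed tree it reports log4j-core 2.11.2 for both CVEs. A 1.x `log4j:log4j` coordinate is listed by `log4j_artifacts` but not flagged by `scan`, since neither CVE named on this page covers Log4j 1.x. Feed it real output with `mvn dependency:tree | python3 scan.py` after replacing the embedded strings with `sys.stdin.read()`.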