openclover / clover

This repository contains source code of OpenClover Core as well as its integrations: Clover-for-Ant, Clover-for-Eclipse and Clover-for-IDEA plugins. Sources are licensed under Apache 2.0 license.

Migrate from Log4j v1.2 due to vulnerabilities in this library. Move to SLF4J 1.7.x. #165

Closed abuSayedMohammad closed 2 years ago

abuSayedMohammad commented 2 years ago

The latest version of openclover (v4.4.1) is using log4j v1.2.17. We have got the below vulnerabilities in this log4j version:

  1. CVE-2022-23305
  2. CVE-2022-23307
  3. CVE-2019-17571

Can you please update to the latest version of log4j v2.x.x?

marek-parfianowicz commented 2 years ago

This PR requires a rework. We can't use log4j 2.17.2, because OpenClover still supports JDK7. A safe version supporting this Java version is 2.12.4. Furthermore, code changes are required, such as an update of repacked libraries, license information etc.

marek-parfianowicz commented 2 years ago

I decided to migrate from Log4j 1.2 to SLF4J instead of Log4j 2.x.

One of the reasons is that the usage of Log4J was minimal in the code (only as a supplementary logger for the recorder module). Another reason is that SLF4J is a very small facade, which allows plugging in practically any logging framework (java logging, logback, log4j 1 & 2).

This means Clover will detach from the Log4J dependency and its vulnerabilities.
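The shape of such a migration, as an added illustration that is not OpenClover's own code: the Log4j 1.2 logger call is replaced by the SLF4J facade, so the class compiles against `slf4j-api` only and the concrete backend is selected at runtime by whichever binding is on the classpath. The class name `RecorderLogger`, the `flush` method and the messages are hypothetical; the Log4j 1.2 lines are kept as comments for comparison. The code uses no post-JDK7 language features, matching the JDK7 constraint mentioned above.

```java
// Added example (not OpenClover's code): Log4j 1.2 -> SLF4J 1.7.x migration.
// Class, method and message names are hypothetical.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class RecorderLogger {
    // BEFORE (Log4j 1.2 API, shown only for comparison):
    //   import org.apache.log4j.Logger;
    //   private static final Logger LOG = Logger.getLogger(RecorderLogger.class);
    //   if (LOG.isDebugEnabled()) {
    //       LOG.debug("flushing " + count + " entries to " + path);
    //   }
    //
    // AFTER (SLF4J facade): only slf4j-api is a compile-time dependency. The backend
    // (slf4j-jdk14 for java.util.logging, Logback, log4j-slf4j-impl for Log4j 2,
    // slf4j-simple for stderr, slf4j-nop for silence) is chosen by the classpath.
    private static final Logger LOG = LoggerFactory.getLogger(RecorderLogger.class);

    /** Writes one line per entry to the given file and logs the outcome. */
    public void flush(int count, String path) {
        // Parameterised messages: SLF4J formats the string only if DEBUG is enabled,
        // so the isDebugEnabled() guard from the Log4j version is no longer needed.
        LOG.debug("flushing {} entries to {}", count, path);
        try {
            writeEntries(count, Paths.get(path));
            LOG.info("flushed {} entries to {}", count, path);
        } catch (IOException e) {
            // A Throwable passed as the last argument is logged with its stack trace.
            LOG.warn("could not flush {} entries to {}", count, path, e);
        }
    }

    private void writeEntries(int count, Path target) throws IOException {
        List<String> lines = new ArrayList<String>();
        for (int i = 0; i < count; i++) {
            lines.add("entry-" + i);
        }
        Files.write(target, lines, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        new RecorderLogger().flush(3, "recorder-flush.txt");
    }
}
```

To run it, `slf4j-api-1.7.x.jar` plus exactly one binding (for instance `slf4j-simple-1.7.x.jar`) must be on the classpath; with no binding present SLF4J 1.7 prints a `StaticLoggerBinder` warning and discards all output. The detachment from Log4j 1.2 that the comment above describes depends on which binding ships with the product: binding through `slf4j-log4j12` would pull `log4j:log4j:1.2.x` back in, so the dependency tree of the final artifact, not just the source imports, is what to check.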