protegeproject / webprotege

The webprotege code base

Security risk in using webprotege (Apache Log4j) #763

Open nenadkrdzavac opened 2 years ago

nenadkrdzavac commented 2 years ago

The webprotege-maven-plugin 1.1 depends on log4j 1.2.12, which may cause a security risk in using the webprotege tool. The webprotege-maven-plugin 1.1 library depends on velocity 1.7, which depends on log4j version 1.2.12. Log4j version 1.2.12 is stored in the .m2 folder when we build the webprotege project.

There are other libraries in the webprotege project, such as _logback-classic, version 1.2.3_, that have log4j 1.2.17 as a test dependency.

More about Apache Log4j vulnerability can be found on website: https://www.csoonline.com/article/3644472/apache-log4j-vulnerability-actively-exploited-impacting-millions-of-java-based-apps.html

matthewhorridge commented 2 years ago

I need to double check this but I believe we are okay because we use logbook and slf4j at runtime. The runtime doesn't contain log4j.
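One way to check the runtime claim for a given build, as an added example that is not code from the webprotege project: the script parses `mvn dependency:tree` output and lists every `log4j:log4j` entry with its scope and the chain of artifacts that pulls it in, flagging the ones whose scope (compile or runtime) gets packaged. The tree below is constructed to mirror the artifacts named in the issue; its scopes and versions are assumed, not taken from webprotege.

```python
import re
from typing import Dict, List

# Constructed `mvn dependency:tree` output, NOT captured from webprotege: the artifacts
# mirror the ones named in the issue, but the scopes and versions are assumed.
SAMPLE_TREE = """\
[INFO] edu.stanford.protege:webprotege:war:0.0.0-EXAMPLE
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  +- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:test
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] \\- org.apache.velocity:velocity:jar:1.7:compile
[INFO]    \\- log4j:log4j:jar:1.2.12:compile
"""

# A tree line is "[INFO] " + indentation ("|  " or "   " per level) + "+- " or "\- " + coordinates.
NODE_RE = re.compile(r"^((?:[| ]  )*)(?:[+\\]- )?(\S+)$")
RUNTIME_SCOPES = {"compile", "runtime"}  # scopes whose jars end up in the packaged war

def parse_tree(text: str) -> List[Dict]:
    """Return one record per node with its coordinates, version, scope and parent chain."""
    stack: List[str] = []  # group:artifact of the node at each depth
    nodes: List[Dict] = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        line = raw[len("[INFO] "):]
        m = NODE_RE.match(line)
        if not m:  # plugin banners, blank [INFO] lines, BUILD SUCCESS, ...
            continue
        prefix, coords = m.group(1), m.group(2)
        has_marker = line[len(prefix):len(prefix) + 3] in ("+- ", "\\- ")
        depth = len(prefix) // 3 + (1 if has_marker else 0)
        parts = coords.split(":")  # group:artifact:type[:classifier]:version[:scope]
        scope = parts[-1] if len(parts) >= 5 else "(root)"
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        stack = stack[:depth]  # drop siblings and their subtrees from the path
        nodes.append({"coords": coords, "artifact": f"{parts[0]}:{parts[1]}",
                      "version": version, "scope": scope, "chain": list(stack)})
        stack.append(f"{parts[0]}:{parts[1]}")
    return nodes

def find_log4j(text: str, artifact: str = "log4j:log4j") -> List[Dict]:
    """Every occurrence of the artifact, marking whether its scope ships it at runtime."""
    return [{**n, "shipped": n["scope"] in RUNTIME_SCOPES}
            for n in parse_tree(text) if n["artifact"] == artifact]

if __name__ == "__main__":
    for hit in find_log4j(SAMPLE_TREE):
        status = "SHIPPED AT RUNTIME" if hit["shipped"] else f"not packaged (scope {hit['scope']})"
        print(f"{hit['coords']}: {status}; pulled in via {' -> '.join(hit['chain'])}")
```

To check the real build, run `mvn dependency:tree` in the project and pass its output to `find_log4j`.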