scifio / scifio

SCientific Image Format Input & Output: a flexible, extensible framework for image I/O. *EXPERIMENTAL* All API is subject to change, so depend at your own risk! See also @openmicroscopy/bioformats.
http://scif.io/
BSD 2-Clause "Simplified" License

Latest release still brings in log4j #469

Open nicost opened 2 years ago

nicost commented 2 years ago

When bringing in the scifio dependency through ivy, it invariably brings in log4j, which currently is not a good idea. Even when I specify the latest release (0.43.0 as far as I can deduce), log4j appears through dependencies on imagej-common 0.34.1. https://mvnrepository.com/artifact/io.scif/scifio/0.43.0 shows that there are updates (imagej-common 43590c8), but even specifying those does not help, as that is not a semver version number. It would be nice if there were a release that is log4j-free.

ctrueden commented 2 years ago

Relevant forum topic: https://forum.image.sc/t/is-imagej-affected-by-cve-2021-44228/60968/6

nicost commented 2 years ago

I read that, but why no scifio release that no longer brings in log4j? We have IT departments scanning computers and may soon run into folks no longer installing Micro-Manager because it includes this dependency. We will exclude it the hard way, but it would be much nicer to have releases that no longer bring it in.

ctrueden commented 2 years ago

why no scifio release that no longer brings in log4j?

There is no reason, only time.

ctrueden commented 2 years ago

I have now released the following artifacts:

All of which override their transitive jitk-tps dependency to the latest release, which no longer depends on log4j.

@nicost I am afraid it may not work for you, though, because Micro-Manager does not extend the pom-scijava parent POM, so you are likely to be impacted by a bug/wrinkle in how Maven works when overriding managed version dependencies with properties.

For the next pom-scijava release, 32.0.0, I will try to preemptively bump the versions for all components inheriting the log4j dependency, and release them all again, to avoid the wrinkle. But that release will not happen for another 2-6 weeks. In the meantime, you may just want to depend on jitk-tps 3.0.2, which should result in the log4j dependency being dropped.
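Whether a pin like the one above really removes log4j from a given build is easiest to confirm from `mvn dependency:tree`; the helper below is an added example (not code from SCIFIO, Micro-Manager or this thread) that walks that output and reports the root-to-leaf chain of artifacts that drags each log4j jar in. The two tree listings are constructed, not captured: the `jitk` groupId and the `X.Y.Z` versions are placeholders, and the "after" tree assumes jitk-tps 3.0.2 drops log4j as the comment states.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not a real capture):
# coordinates follow the thread; X.Y.Z marks placeholder versions.
TREE_BEFORE = r"""
[INFO] io.scif:scifio:jar:0.43.0
[INFO] +- net.imagej:imagej-common:jar:0.34.1:compile
[INFO] |  +- jitk:jitk-tps:jar:X.Y.Z:compile
[INFO] |  |  \- log4j:log4j:jar:X.Y.Z:compile
[INFO] |  \- org.scijava:scijava-common:jar:X.Y.Z:compile
[INFO] \- junit:junit:jar:X.Y.Z:test
"""

# Same build after pinning jitk-tps 3.0.2, which the thread says drops log4j.
TREE_AFTER = r"""
[INFO] io.scif:scifio:jar:0.43.0
[INFO] +- net.imagej:imagej-common:jar:0.34.1:compile
[INFO] |  +- jitk:jitk-tps:jar:3.0.2:compile
[INFO] |  \- org.scijava:scijava-common:jar:X.Y.Z:compile
[INFO] \- junit:junit:jar:X.Y.Z:test
"""

# Each nesting level is three characters wide: a guide ("|  " or "   ")
# on ancestor columns, or a connector ("+- " or "\- ") on the node's own.
_NODE = re.compile(r"^\[INFO\] ((?:[| ]  |[+\\]- )*)(\S+)$")


def parse_paths(tree_text):
    """Yield (coordinate, root-to-node chain) for every node in the tree."""
    stack = []
    for line in tree_text.splitlines():
        m = _NODE.match(line)
        if not m:
            continue  # blank lines and non-tree log output
        depth = len(m.group(1)) // 3
        del stack[depth:]  # unwind to this node's parent
        stack.append(m.group(2))
        yield stack[-1], list(stack)


def find_paths(tree_text, needle="log4j"):
    """Return every chain whose last node's groupId or artifactId contains needle."""
    hits = []
    for coord, chain in parse_paths(tree_text):
        group, artifact = coord.split(":")[:2]
        if needle in group or needle in artifact:
            hits.append(chain)
    return hits


if __name__ == "__main__":
    print(*[" -> ".join(c) for c in find_paths(TREE_BEFORE)], sep="\n")
```

On a real project, pipe `mvn dependency:tree` (or the ivy report converted to the same layout) into `find_paths` instead of the constructed text; an empty result is the evidence an IT scanner is looking for.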