seancorfield / next-jdbc

A modern low-level Clojure wrapper for JDBC-based access to databases.
https://cljdoc.org/d/com.github.seancorfield/next.jdbc/
Eclipse Public License 1.0

is next-jdbc affected by Log4Shell CVE-2021-44228? #196

Closed jkndrkn closed 2 years ago

jkndrkn commented 2 years ago

I noticed that log4j is a :test dependency of next-jdbc. I am assuming that this means that log4j is not used by the next-jdbc production code path and that next-jdbc is not vulnerable to the Log4Shell exploit, but our team just wants to be sure.

Thank you!

seancorfield commented 2 years ago

Correct. You can verify this as follows:

> clojure -Sdeps '{:deps {com.github.seancorfield/next.jdbc {:mvn/version "1.2.753"}}}' -Stree
org.clojure/clojure 1.10.3
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
com.github.seancorfield/next.jdbc 1.2.753
  . org.clojure/java.data 1.0.92
    . org.clojure/tools.logging 1.1.0
  . camel-snake-kebab/camel-snake-kebab 0.4.2

Since you need a JDBC driver library in order to use next.jdbc, you'll want to check that JDBC driver library dependency for vulnerabilities.
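The check suggested in the reply, parsing `clojure -Stree` output and flagging any log4j-core version in the CVE-2021-44228 range, as an added example that is not part of the thread or of next.jdbc. It reuses the tree quoted above and appends a constructed, made-up driver coordinate (`example/fake-jdbc-driver`) purely to show what a hit looks like.

```python
import re

# The dependency tree exactly as quoted in the reply above (clojure -Stree output).
NEXT_JDBC_TREE = """\
org.clojure/clojure 1.10.3
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
com.github.seancorfield/next.jdbc 1.2.753
  . org.clojure/java.data 1.0.92
    . org.clojure/tools.logging 1.1.0
  . camel-snake-kebab/camel-snake-kebab 0.4.2
"""

# Constructed: a made-up driver that drags in log4j-core 2.14.1. Not a real library.
CONSTRUCTED_TREE = NEXT_JDBC_TREE + """\
example/fake-jdbc-driver 0.0.1
  . org.apache.logging.log4j/log4j-core 2.14.1
  . org.apache.logging.log4j/log4j-api 2.14.1
"""

LOG4J_CORE = "org.apache.logging.log4j/log4j-core"
# Optional ". " (included) or "X " (excluded) marker, then lib coordinate and version.
LINE_RE = re.compile(r"^\s*(?:([.X])\s+)?(\S+/\S+)\s+(\S+)")

def parse_stree(text: str) -> list[tuple[str, str]]:
    """Return (coordinate, version) for every dependency -Stree puts on the classpath."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "X":  # skip non-dependency lines and excluded versions
            continue
        deps.append((m.group(2), m.group(3)))
    return deps

def version_key(version: str) -> tuple[int, int, int]:
    """Numeric prefix of a Maven version: '2.0-beta9' -> (2, 0, 0), '2.14.1' -> (2, 14, 1)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return (0, 0, 0)
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)

def is_log4shell_affected(coord: str, version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 introduced the fix.
    Conservative: every 2.x below 2.15.0 is reported, including the early 2.0 betas."""
    return coord == LOG4J_CORE and (2, 0, 0) <= version_key(version) < (2, 15, 0)

def find_log4shell(text: str) -> list[tuple[str, str]]:
    """All classpath entries in a -Stree dump that fall in the affected log4j-core range."""
    return [d for d in parse_stree(text) if is_log4shell_affected(*d)]
```

Pipe real output in with `clojure -Stree | python3 -c 'import sys, check; print(check.find_log4shell(sys.stdin.read()))'` (module name assumed); an empty list for the next.jdbc tree above matches the reply, and any hit points at the driver or other dependency that brought log4j-core in.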