codecov-commenter
commented
2 years ago Codecov Report
Merging #298 (9929373) into develop (86c9f42) will increase coverage by
0.05%. The diff coverage isn/a.
@@ Coverage Diff @@
## develop #298 +/- ##
===========================================
+ Coverage 52.63% 52.69% +0.05%
===========================================
Files 318 318
Lines 16870 16885 +15
Branches 1046 1017 -29
===========================================
+ Hits 8879 8897 +18
+ Misses 7991 7988 -3 | Impacted Files | Coverage Δ | |
|---|---|---|
| util-core/src/main/scala/com/twitter/io/Buf.scala | 93.27% <0.00%> (-0.54%) |
:arrow_down: |
| ...ore/src/main/scala/com/twitter/util/Activity.scala | 18.59% <0.00%> (ø) |
|
| ...til-core/src/main/scala/com/twitter/util/Var.scala | 97.65% <0.00%> (+0.07%) |
:arrow_up: |
| ...core/src/main/scala/com/twitter/util/Promise.scala | 78.13% <0.00%> (+0.40%) |
:arrow_up: |
| ...ore/src/main/scala/com/twitter/util/Duration.scala | 85.39% <0.00%> (+0.56%) |
:arrow_up: |
| ...til-core/src/main/scala/com/twitter/util/Try.scala | 87.50% <0.00%> (+1.56%) |
:arrow_up: |
| ...ore/src/main/scala/com/twitter/util/Closable.scala | 71.42% <0.00%> (+3.68%) |
:arrow_up: |
| ...in/scala/com/twitter/logging/QueueingHandler.scala | 100.00% <0.00%> (+6.25%) |
:arrow_up: |
| .../scala/com/twitter/util/security/Credentials.scala | 60.00% <0.00%> (+18.33%) |
:arrow_up: |
Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact),ø = not affected,? = missing dataPowered by Codecov. Last update 86c9f42...9929373. Read the comment docs.
mosesn
Problem
sbt has a dependency on log4j2, which was shown recently to have serious security vulnerabilities. The version of sbt currently used by twitter/util, 1.5.5, is vulnerable.
Solution
Update to use sbt 1.6.1, which upgrades the log4j dependency to log4j 2.17.1, which resolves these security vulnerabilities.
From https://eed3si9n.com/sbt-1.6.1:
For details, see The state of the log4j CVE in the Scala ecosystem