wendellpiez / JATSKit

oXygen XML Editor framework for NISO JATS 1.1 / NLM BITS 2.0
Apache License 2.0

factor out or update log4j? #56

Open wendellpiez opened 1 year ago

wendellpiez commented 1 year ago

The current distribution includes jar files that flag security warnings.

@raducoravu can you offer any tips on how this can be updated?

raducoravu commented 1 year ago

@wendellpiez I do not see anything related to log4j in this framework, can you elaborate?

wendellpiez commented 1 year ago

@raducoravu I am seeing:

https://github.com/wendellpiez/JATSKit/blob/master/log4j-core-2.13.0.jar

https://github.com/wendellpiez/JATSKit/blob/master/log4j-api-2.13.0.jar

https://github.com/wendellpiez/JATSKit/commit/b080e7bc3b5dbb8a48a5667fadba4fdf4e1c3f4e

thanks for looking --

raducoravu commented 1 year ago

@wendellpiez sorry, the JATS framework bundled with Oxygen does not have these 2 jars, and the JATSKit working copy I had was outdated and I had forgotten to pull the latest content. I suggest you remove both JAR libraries and also remove the references to them from the "jats.framework" file, which seems to be the only config file using them. By the way, I think I should at some point update the JATSKit framework in Oxygen to your latest changes. Should I use the changes from the "master" or "develop" branches?
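The cleanup suggested in the comment above has two halves, the jar files and the references to them, and it is easy to finish only one. The following is an added example, not part of the thread or of JATSKit: it cross-checks log4j jars on disk against references in `*.framework` files. The `audit` helper, the sample tree and the config lines inside it are assumptions constructed for illustration, since the real `jats.framework` layout is not shown here.

```python
import re
import tempfile
from pathlib import Path

# Matches jar names such as log4j-core-2.13.0.jar or log4j-api-2.13.0.jar.
JAR_RE = re.compile(r"log4j-[A-Za-z0-9_.-]*?\.jar")

def audit(root):
    """Return (jars on disk, references in *.framework files, dangling references)."""
    root = Path(root)
    jars = sorted(p.name for p in root.rglob("*.jar") if JAR_RE.fullmatch(p.name))
    refs = []
    for cfg in sorted(root.rglob("*.framework")):
        text = cfg.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name in JAR_RE.findall(line):
                refs.append((cfg.name, lineno, name))
    # A reference is dangling when the config names a jar that is no longer on disk.
    dangling = sorted({name for _, _, name in refs} - set(jars))
    return jars, refs, dangling

def build_sample(root):
    """Constructed sample tree: two jars plus a config file that names them."""
    root = Path(root)
    for name in ("log4j-core-2.13.0.jar", "log4j-api-2.13.0.jar"):
        (root / name).write_bytes(b"")  # empty placeholder, not a real jar
    # Constructed lines (assumption): only the jar file names come from the thread.
    (root / "jats.framework").write_text(
        "<String>${framework}/log4j-core-2.13.0.jar</String>\n"
        "<String>${framework}/log4j-api-2.13.0.jar</String>\n"
        "<String>${framework}/lib/other.jar</String>\n", encoding="utf-8")

def demo():
    """Audit the sample before and after a half-finished cleanup."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        before = audit(tmp)
        # Half-finished cleanup: jars deleted, config left untouched.
        for jar in Path(tmp).glob("log4j-*.jar"):
            jar.unlink()
        after = audit(tmp)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before cleanup:", before)
    print("jars removed, config untouched:", after)
```

The cleanup is complete only when `audit` returns three empty lists for the working copy.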

wendellpiez commented 1 year ago

Excellent @raducoravu, thank you for the assessment.

For updates we should probably go with master unless there's some overriding reason.

If you have any other cleanup to propose or push up, let me know --