[LOG4J2-2987] Snyk reports vulnerability for log4j-to-slf4j caused by junit transitive depedency - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Not A Problem
Affects Version/s: 2.14.0
Fix Version/s: None
Component/s: SLF4J Bridge
Labels:
None

Description

I am using log4j-to-slf4j bridge for my own library. During the regular vulnerability scan it reported that it has a vulnerability caused by a transitive dependency from log4j-api which has a compile scoped dependency of org.junit.jupiter:junit-jupiter-migrationsupport.

See here for a screenshot:

See here for the report: https://app.snyk.io/org/hakky54/project/667055da-a0a4-461f-a169-e88bd2f94ce1

This issue can fixed when adding the test scope to the dependency in the following file: https://github.com/apache/logging-log4j2/blob/master/log4j-api/pom.xml

I am not familiar with the code base, so I was not sure if someone did not put a test scope on purpose... But looking at the other dependencies the following could also by marked as test scope: junit-vintage-engine, junit-jupiter-migrationsupport, junit-jupiter-params, junit-jupiter-engine, assertj-core

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2020-12-30-11-44-03-287.png
30/Dec/20 10:44
235 kB
Hakan Altindag

Activity

People

Assignee:: Unassigned

Reporter:: Hakan Altindag

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 30/Dec/20 10:46

Updated:: 07/Feb/21 22:01

Resolved:: 30/Dec/20 15:53

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified