ktlint-gradle
Vulnerability on existing ch.qos.logback:logback-classic:1.3.5 library
There is a vulnerability reported on ch.qos.logback:logback-classic:1.3.5 in this plugin. Is it possible to update to the newer version 1.5.12?
Feel free to open a PR! Please include an entry in the CHANGELOG
Hi there, sorry to dig this one out, but we recently had to deal with the vulnerability regarding logback 1.3.5 in this repo and there are some findings I'd like to mention.
So, the vulnerability (CVE-2023-6378) still exists within this repo and was resolved in ch.qos.logback:logback-classic:1.3.12. 1.3.5 is used by com.pinterest.ktlint:ktlint-cli:1.0.1. com.pinterest.ktlint:ktlint-cli:1.1.0 is already using a newer logback version, 1.3.14.
So, in short: at least ktlint 1.1.0 should be used. I saw that this version is already partly used within the project, but I still only see 1.0.1 in our dependency graph and it's definitely coming from this repo.
ktlint is set here:
ktlint {
version.set("1.1.0")
}
However, 1.0.1 is still used in the project (e.g. in the samples module):
ktlint {
version = "1.0.1"
}
Is this outdated, and can we increase the version to at least 1.1.0? And do you know why our dependency graph still lists ktlint 1.0.1 as being used in this repo?
This is not a crucial issue for us, since the solution mentioned in issue #815 worked for us, but I still think we can clean it up a bit and make sure at least ktlint 1.1.0 is used instead of the version that includes the vulnerability.
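An added example, not code from the ktlint-gradle project or from anyone in this thread, showing how a consuming build can both raise the ktlint version and refuse the vulnerable logback-classic on any configuration, so a stale transitive pin (such as the 1.0.1 still referenced by the samples module) cannot silently bring 1.3.5 back. It assumes a `build.gradle.kts` that applies the `org.jlleitschuh.gradle.ktlint` plugin; the plugin version is a placeholder, the `isBelow` helper is constructed for this example, and the `ktlint` configuration name used in the check command below is an assumption about how the plugin names the configuration that resolves ktlint-cli.

```kotlin
// build.gradle.kts fragment (added example, not the project's own build file).
plugins {
    // Placeholder: substitute the ktlint-gradle plugin version your build uses.
    id("org.jlleitschuh.gradle.ktlint") version "<plugin-version>"
}

ktlint {
    // ktlint-cli 1.1.0 depends on logback 1.3.14, which includes the CVE-2023-6378 fix.
    version.set("1.1.0")
}

// Constructed helper: numeric component-wise comparison of "a.b.c" version strings.
// Returns true when `found` is strictly lower than `min`.
fun isBelow(found: String, min: String): Boolean {
    val a = found.split(".").map { it.toIntOrNull() ?: 0 }
    val b = min.split(".").map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false
}

// Defence in depth: regardless of which ktlint-cli version ends up on a given
// configuration, never resolve logback-classic below the fixed release.
configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "ch.qos.logback" && requested.name == "logback-classic") {
            val wanted = requested.version ?: return@eachDependency
            if (isBelow(wanted, "1.3.12")) {
                useVersion("1.3.12")
                because("CVE-2023-6378 is fixed in logback-classic 1.3.12")
            }
        }
    }
}
```

To confirm what actually resolves, rather than trusting the declared version, run Gradle's built-in dependency report against the configuration the plugin uses (configuration name assumed here): `./gradlew dependencyInsight --dependency logback-classic --configuration ktlint`. The output names the selected logback-classic version and the path that requested it, which is the quickest way to see whether the 1.0.1 reference in the samples module is what the dependency graph is picking up.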