commons-logging

Remove deprecated dependencies to satisfy security scanners

Open ppkarwasz opened this issue 11 months ago • 6 comments

This is a PoC on how to remove deprecated libraries from the POM file (or move them to the test scope) to appease some primitive security scanners.

The trick is to extract classes/methods from the Avalon, LogKit and Log4j 1.x libraries that are used in the Commons Logging code and put them in an additional source code directory src/main/dummy.

Remark: The source files in src/main/dummy are not included in any Commons Logging artifact. They are only used by the compiler to include the correct signatures in the class files.

Motivation

From a developer perspective the change is useless and the new artifacts should be identical to those before this change (except the embedded pom.xml, module-info.class and the aesthetic change in Log4JLog).

However many developers struggle to explain to their security experts that having log4j:log4j somewhere in a POM file is not a problem (cf. many questions on SO). This is also in line with #231.

ppkarwasz, Mar 17 '24 19:03
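A check a reviewer could run to confirm the outcome the PR describes (flagged coordinates left only in test scope, and none of the src/main/dummy stub classes leaking into the shipped jar), written here as an added example and not part of this PR or of Commons Logging; the sample POM and jar are constructed, and the package prefixes used for LogKit and Avalon are assumptions.

```python
# Added example: verify a POM and a built jar against the PR's intent.
import io
import xml.etree.ElementTree as ET
import zipfile

# Package prefixes of the stubbed libraries; nothing under them may ship in a jar.
# (org/apache/log/ for LogKit and org/apache/avalon/ for Avalon are assumed.)
DUMMY_PACKAGES = ("org/apache/log4j/", "org/apache/avalon/", "org/apache/log/")
# Maven groupIds that primitive scanners flag regardless of scope.
FLAGGED_GROUPS = {"log4j", "avalon-framework", "logkit"}
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def non_test_flagged_deps(pom_xml: str) -> list[str]:
    """Return 'groupId:artifactId:scope' for flagged deps not confined to test scope."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId", "")
        artifact = dep.findtext(POM_NS + "artifactId", "")
        scope = dep.findtext(POM_NS + "scope", "compile")  # Maven's default scope
        if group in FLAGGED_GROUPS and scope != "test":
            hits.append(f"{group}:{artifact}:{scope}")
    return hits


def leaked_stub_classes(jar_bytes: bytes) -> list[str]:
    """Return jar entries under the stubbed packages; an empty list means no leak."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist() if n.startswith(DUMMY_PACKAGES)]


# Constructed sample POM: log4j moved to test scope, logkit still in compile scope.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <scope>test</scope></dependency>
    <dependency><groupId>logkit</groupId><artifactId>logkit</artifactId></dependency>
  </dependencies>
</project>"""


def build_sample_jar(leak: bool) -> bytes:
    """Constructed jar holding the adapter class, optionally plus a leaked stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/commons/logging/impl/Log4JLog.class", b"\xca\xfe\xba\xbe")
        if leak:  # simulates src/main/dummy ending up in the artifact
            jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running both checks in CI on the real pom.xml and the built jar turns the "identical artifacts" claim into something the reviewer can verify rather than trust.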