
log4j

Open spyhunter99 opened this issue 3 years ago • 2 comments

Hi, I was attempting to publish a library that uses this library as a dependency. oss.sonatype.org sent me a "lift" report that flagged this library as having a few security-related issues. It looks like it's related to log4j 1.x.

Seeing this in the root pom:

> yes we know this is an issue but it is here for backwards compatibility

As a user of the library, can we exclude the log4j dependency and have the library still be functional? Alternatively, is there a plan to use some other logging library or a newer version?

spyhunter99 avatar Apr 20 '22 18:04 spyhunter99

Sorry for the delay @spyhunter99 . The log4j dependencies should be marked as optional so it won't be used unless you provide it. Is that not what you are seeing?

j256 avatar May 20 '22 22:05 j256
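As an added illustration of the two sides of this (not code from the thread or from the ORMLite project): a library pom that declares log4j 1.x as `optional`, which is what the reply above describes, next to a consumer pom that additionally excludes it from the `ormlite-android` dependency so it stays off the classpath even if a later release were to drop the optional flag. The coordinates `com.j256.ormlite:ormlite-android` and `log4j:log4j` are assumed, and both version numbers are placeholders.

```xml
<!-- Library side: log4j 1.x marked optional. Maven does not propagate an
     optional dependency transitively, so consumers of ormlite-android only
     get it if they declare it in their own pom. -->
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>   <!-- placeholder version, assumed for this example -->
  <optional>true</optional>
</dependency>

<!-- Consumer side: explicit exclusion. Redundant while the flag above is in
     place, but it makes the "no log4j 1.x" decision part of this build rather
     than something inherited from upstream packaging. -->
<dependency>
  <groupId>com.j256.ormlite</groupId>
  <artifactId>ormlite-android</artifactId>
  <version>5.1</version>      <!-- placeholder version, assumed for this example -->
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To confirm what actually gets resolved, run `mvn dependency:tree -Dincludes=log4j:log4j` in the consuming project; an empty tree for that filter means log4j 1.x is not on the compile or runtime classpath, regardless of what the scanner read from the library's own pom.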

Looks like that was cleared up. It's also complaining about this one:

[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://ossindex.sonatype.org/vulnerability/a9c81f11-d02c-4b45-b55f-0eedd1786272?component-type=maven&component-name=com.j256.ormlite.ormlite-android&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)

spyhunter99 avatar May 21 '22 02:05 spyhunter99