
JFrog and Log4J dependency

Open videoguy opened this issue 3 years ago • 2 comments

I understand JFrog uses libs that use Apache Java libs. There is a security issue reported against Log4j. Does the jfrog lib have a direct/indirect dependency on log4j? Does a jfrog lib package end up carrying a flavor of log4j that is vulnerable?

Thanks

videoguy avatar Feb 14 '22 16:02 videoguy

@videoguy The Artifactory Java client 1.10.0 and above contain no vulnerable dependencies, direct or transitive. This library uses slf4j-api:1.7.32, log4j-over-slf4j:1.7.32, and jcl-over-slf4j:1.7.32, which are not reported as vulnerable.

Using vulnerable dependencies (direct or transitive) is forbidden in JFrog. All of our builds are scanned by JFrog Xray, using the audit or build-scan commands that fail the build if vulnerable dependencies are found. Specifically, in the release process of the Artifactory Java client, we run the audit command: https://github.com/jfrog/artifactory-client-java/blob/2.11.1/release/pipelines.release.yml#L57. We also use the JFrog IDEA plugin to detect vulnerabilities at development time.

Please let me know if you have more questions.

yahavi avatar Feb 14 '22 17:02 yahavi

We have a tool that we built leveraging the jfrog lib. I was asked this question about Log4J as it is a Java-based tool. It is good to know that you have a solid post-build scan process to look for these issues and stop them in the early stages. I need to check if we are using 1.10.0 or a later version of jfrog. Just curious, how is log4j-over-slf4j different from Apache Log4j?

videoguy avatar Feb 14 '22 17:02 videoguy
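The distinction the thread turns on is what a JAR actually contains: Apache Log4j 2 ships its implementation under `org/apache/logging/log4j/core/`, the Log4j 2 API lives under `org/apache/logging/log4j/`, and log4j-over-slf4j is an SLF4J bridge that re-implements only the Log4j 1.x API classes under `org/apache/log4j/` and forwards calls to slf4j-api, so it carries none of the Log4j 2 implementation. The script below is an added example, not code from this issue thread or from the artifactory-client-java project; it classifies each JAR on a classpath by the package prefixes of the classes inside it. The sample JARs it builds are constructed stand-ins (class entries hold only the class-file magic bytes), and the rule that separates a genuine Log4j 1.2 JAR from the bridge (presence of `org/apache/log4j/net/` appender classes, which the bridge does not ship) is a heuristic assumption, not a published rule.

```python
"""Classify JARs on a Java classpath by which Log4j-related code they carry.

Added example: inspects zip entries only, no Java runtime needed.
"""
import io
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List

# Package prefixes (as zip entry paths) that identify each flavour of logging code.
LOG4J2_CORE = "org/apache/logging/log4j/core/"  # Log4j 2 implementation
LOG4J2_API = "org/apache/logging/log4j/"        # Log4j 2 API (no implementation)
LOG4J1_PKG = "org/apache/log4j/"                # Log4j 1.x API, also re-implemented by log4j-over-slf4j
# Assumption (heuristic): a real Log4j 1.2 JAR ships network appenders here, the bridge does not.
LOG4J1_NET = "org/apache/log4j/net/"


def classify_jar(jar_bytes: bytes) -> str:
    """Return one of: log4j2-core, log4j2-api, log4j1, log4j1-api-bridge, none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        classes = [n for n in zf.namelist() if n.endswith(".class")]

    def has(prefix: str) -> bool:
        return any(n.startswith(prefix) for n in classes)

    if has(LOG4J2_CORE):
        return "log4j2-core"          # carries the Log4j 2 implementation itself
    if has(LOG4J2_API):
        return "log4j2-api"           # API only; needs a separate implementation to do anything
    if has(LOG4J1_PKG):
        return "log4j1" if has(LOG4J1_NET) else "log4j1-api-bridge"
    return "none"


def classify_classpath(jars: Dict[str, bytes]) -> Dict[str, str]:
    """Map JAR name -> classification for an in-memory set of JARs."""
    return {name: classify_jar(data) for name, data in jars.items()}


def classify_paths(paths: Iterable[Path]) -> Dict[str, str]:
    """Same as classify_classpath, reading JARs from disk (e.g. a Gradle/Maven cache or a fat JAR's lib/)."""
    return classify_classpath({str(p): p.read_bytes() for p in paths})


def jars_with_log4j2_core(results: Dict[str, str]) -> List[str]:
    """The JARs a reviewer would want to look at first: those shipping the Log4j 2 implementation."""
    return sorted(name for name, kind in results.items() if kind == "log4j2-core")


def make_sample_jar(class_entries: Iterable[str]) -> bytes:
    """Build a constructed stand-in JAR: real entry names, placeholder class bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in class_entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only; constructed
    return buf.getvalue()


# Constructed sample classpath mirroring the dependency sets discussed in the thread.
SAMPLE_CLASSPATH: Dict[str, bytes] = {
    "log4j-core-2.x.jar": make_sample_jar([
        "org/apache/logging/log4j/core/LoggerContext.class",
        "org/apache/logging/log4j/core/Logger.class",
    ]),
    "log4j-api-2.x.jar": make_sample_jar(["org/apache/logging/log4j/LogManager.class"]),
    "log4j-1.2.17.jar": make_sample_jar([
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/SocketAppender.class",
    ]),
    "log4j-over-slf4j-1.7.32.jar": make_sample_jar([
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/MDC.class",
    ]),
    "slf4j-api-1.7.32.jar": make_sample_jar(["org/slf4j/Logger.class"]),
}


if __name__ == "__main__":
    results = classify_classpath(SAMPLE_CLASSPATH)
    for name, kind in results.items():
        print(f"{name:32} {kind}")
    print("JARs carrying the Log4j 2 implementation:", jars_with_log4j2_core(results))
```

To run it against a real build, point `classify_paths` at the JARs your build actually packages (for example `Path("build/libs").glob("*.jar")` or the entries of a fat JAR's `lib/` directory) rather than at the constructed samples. Treat the output as a triage aid alongside the Xray scan yahavi describes, not as a replacement: the class-prefix rules only say which flavour of Log4j a JAR contains, not which version or whether that version is affected.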