Why is it included if it isn’t used? 

Ralph

> On Jan 2, 2024, at 4:09 AM, Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
> 
> Hi,
> 
> While working on PR#2142[1] I noticed that we have an
> `a.o.l.l.core.parser` package that depends on Jackson.
> 
> Since Log4j itself never parses log events, I would propose to remove
> it from `log4j-core` and optionally move it somewhere else (Chainsaw
> or Flume?).
> 
> My main concern is vulnerability exposure:
> 
> * I would like to prevent CVEs like CVE-2019-17571[2] from being
> published against `log4j-core` in the future. Dealing with CVEs that
> say "code that we never use is vulnerable to..." brings a lot of
> useless PR/documentation work: we'll need to explain to users how to
> mitigate a vulnerability that is almost never exploitable and our
> users will also have to evaluate the exploitability of the CVE in
> their own applications,
> * in some not so far future we'll need to publish VEX records to
> comply with regulation. Every time Jackson publishes a
> deserialization vulnerability, we'll need to state that we are
> vulnerable.
> 
> What do you think?
> 
> Piotr
> 
> [1] https://github.com/apache/logging-log4j2/pull/2142
> [2] https://www.cvedetails.com/cve/CVE-2019-17571/
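
A check a maintainer would want before acting on this proposal is to confirm which classes in the jar actually reference Jackson; `jdeps` from the JDK answers that directly. The example below is added here and is not code from the thread or from the Log4j project: it shows the same mechanism in Python by walking each class file's constant pool inside a jar, and runs on a constructed jar whose class names (`ExampleParser`) are hypothetical.

```python
import io
import struct
import zipfile

JACKSON_PREFIX = "com/fasterxml/jackson/"  # internal (slash-separated) form of the package
# Bytes per fixed-width constant-pool entry by tag (JVMS 4.4); Utf8 (1), Class (7), Long/Double (5, 6) are handled inline
FIXED_SIZE = {3: 5, 4: 5, 8: 3, 9: 5, 10: 5, 11: 5, 12: 5, 15: 4, 16: 3, 17: 5, 18: 5, 19: 3, 20: 3}

def referenced_classes(class_bytes: bytes) -> set[str]:
    """Names of every class referenced from a .class file's constant pool (CONSTANT_Class entries)."""
    count = struct.unpack(">H", class_bytes[8:10])[0]  # constant_pool_count follows magic, minor, major
    pos, i, utf8, class_refs = 10, 1, {}, []
    while i < count:
        tag = class_bytes[pos]
        if tag == 1:                     # CONSTANT_Utf8: u2 length + modified-UTF-8 bytes
            n = struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0]
            utf8[i] = class_bytes[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag == 7:                   # CONSTANT_Class: u2 index of the Utf8 name
            class_refs.append(struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0])
            pos += 3
        elif tag in (5, 6):              # Long/Double: 8 bytes and two pool slots
            pos, i = pos + 9, i + 1
        else:
            pos += FIXED_SIZE[tag]       # KeyError on an unknown tag rather than silently mis-parsing
        i += 1
    return {utf8[k] for k in class_refs if k in utf8}

def jackson_dependents(jar_bytes: bytes) -> dict[str, set[str]]:
    """Map each class in the jar to the Jackson classes it references; classes with none are omitted."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                refs = {r for r in referenced_classes(jar.read(name)) if r.startswith(JACKSON_PREFIX)}
                if refs:
                    out[name[:-6]] = refs
    return out

def build_jar(classes: dict[str, list[str]]) -> bytes:
    """Constructed fixture: each class is only a header plus a constant pool of Class/Utf8 pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for cls, refs in classes.items():
            pool = b"".join(b"\x07" + struct.pack(">H", 2 * k + 2) + b"\x01" + struct.pack(">H", len(r)) + r.encode()
                            for k, r in enumerate(refs))
            jar.writestr(cls + ".class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 2 * len(refs) + 1) + pool)
    return buf.getvalue()

SAMPLE_JAR = build_jar({  # hypothetical class names, constructed for this example
    "org/apache/logging/log4j/core/parser/ExampleParser": ["java/lang/Object", "com/fasterxml/jackson/databind/ObjectMapper"],
    "org/apache/logging/log4j/core/Logger": ["java/lang/Object"],
})
```

`jackson_dependents(SAMPLE_JAR)` reports only the parser class; run against a real `log4j-core` jar it lists every class that would need to move with the package.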
