Hey guys, let's be courteous and civil.

As part of vulnerability management, an assessment has to be made about the potential security impact of a vulnerability in software. New vulnerabilities are found every day on older components and it is neither practical nor feasible to chase down every rabbit.

What I read from this chain is:

1. The business application is not exposed to any log4j vulnerability - that's the most important.
2. The maven build environment might (can't confirm at this point) download a transitive dependency on log4j 1.x which has a newly found vulnerability.

IMHO the impact is low. It's a build environment, not the actual business application, and you surely don't (and shouldn't) build on your production systems. The probability of occurrence of an attack on this is probably null, knowing that attack vectors on log4j involve tricking the exposed application into logging something malicious, and a build environment does not expose logging to the outside like a web app would.

Based on this, I'd flag those occurrences at the scanner as assessed and ignored and move on.

As a best practice, clean up your build environment after each build. Or use ephemeral containerized build environments.

> On Mar 3, 2022, at 02:53, Thomas Matthijs <li...@selckin.be> wrote:
>
> That was just to demonstrate how I got the dependency chain, that file
> was there, but if you're going to be this hostile, I'm not interested
> anymore, muting thread
>
>> On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło <piotr.zygi...@gmail.com> wrote:
>>
>>> On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs <li...@selckin.be> wrote:
>>>
>>> Can confirm this project downloads log4j 1.12.12 for me
>>
>> As I see it - you confirm something else.
>>
>>> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>>
>> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>> _artifact descriptor_
>>
>> --
>> Piotrek
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> For additional commands, e-mail: dev-h...@maven.apache.org
>>
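The distinction Piotrek draws in the quoted exchange (a failed read of the artifact descriptor, i.e. the pom, is not the same as the jar having been fetched) and the advice to clean up the build environment after each build, as an added example that is not part of this thread: a POSIX shell audit of a local Maven repository that reports whether a log4j:log4j 1.x jar is actually cached or only its descriptor, plus the purge step. It assumes the standard `~/.m2/repository` layout; `MAVEN_REPO` is a hypothetical override variable, not a Maven setting.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a local Maven repository
# (default layout: <repo>/log4j/log4j/<version>/) for log4j 1.x and tells
# a cached jar apart from a descriptor-only (pom) entry, which is all that a
# "Failed to read artifact descriptor" error shows was attempted.
# MAVEN_REPO is a hypothetical override for the repository path.

# audit_log4j1 REPO: prints one line per log4j:log4j 1.x version directory.
# Returns 0 when no 1.x jar is cached, 1 when at least one is.
audit_log4j1() {
  repo="$1"
  found_jar=0
  for dir in "$repo"/log4j/log4j/1.*/; do
    [ -d "$dir" ] || continue   # an unmatched glob stays literal; skip it
    version=$(basename "$dir")
    if [ -f "$dir/log4j-$version.jar" ]; then
      echo "log4j:log4j:$version jar PRESENT in build cache"
      found_jar=1
    elif [ -f "$dir/log4j-$version.pom" ]; then
      echo "log4j:log4j:$version descriptor only (pom, no jar)"
    else
      echo "log4j:log4j:$version directory with neither pom nor jar (incomplete fetch)"
    fi
  done
  return $found_jar
}

# purge_log4j1 REPO: remove every cached log4j:log4j artifact (the "clean up
# after each build" step). Returns 0 whether or not anything was there.
purge_log4j1() {
  repo="$1"
  [ -d "$repo/log4j/log4j" ] || return 0
  rm -rf "$repo/log4j/log4j"
  echo "removed $repo/log4j/log4j"
}

# Stand-alone use: audit the real local repository and warn if a jar is cached.
audit_log4j1 "${MAVEN_REPO:-$HOME/.m2/repository}" \
  || echo "WARNING: log4j 1.x jar cached; run purge_log4j1 or rebuild in a fresh container"
```

Because a transitive dependency is resolved per build, the audit is only meaningful right after a build and before the cache is cleaned; an ephemeral container makes the purge step implicit.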