I just took a look at the code and there is only one commented out line that mentions log4j in the html validator code. "git grep log4j" shows the string appearing in plenty of other places, but it doesn't look like log4j actually gets used anywhere!
Scott

On Thu, Mar 23, 2023 at 9:59 PM Eirik Bakke <eba...@ultorg.com> wrote:
> Is there any reason to use log4j instead of java.util.logging these days?
> If log4j is only used in one place in the NetBeans codebase, it might be
> beneficial to get rid of it in any case--one less dependency, and fewer
> overlapping logging libraries.
>
> -- Eirik
>
> -----Original Message-----
> From: Matthias Bläsing <mblaes...@doppel-helix.eu.INVALID>
> Sent: Thursday, March 23, 2023 2:48 PM
> To: dev@netbeans.apache.org
> Subject: Re: log4j
>
> Hi,
>
> On Thursday, 23.03.2023 at 09:53 -0400 William Shackleford wrote:
> > Netbeans appears to include log4j even in the most recent version.
> >
> > in
> >
> > netbeans/ide/modules/ext/log4j-1.2.15.jar
> >
> > Our IT security group has flagged it and requires that it be removed
> > even though as it is version 1 it is not vulnerable to the most famous
> > issue as apparently there were other issues and it is no longer
> > supported.
> >
> > What are the consequences of removing it?
>
> If I saw it correctly, log4j is used by the html validator only.
> Anything that calls into that might break. That also might happen
> indirectly.
>
> > How would I go about committing or just suggesting a change to have
> > it removed from future versions
>
> Have a look at the html.parser and html.validator modules. Both most
> probably need to be updated or might be patched not to carry log4j.
> Patching html.validator might be the quickest way, updates to current
> version might be better in the long run.
>
> The hard
>
> > to avoid triggering our security team from telling everyone to delete
> > it and maybe all of netbeans with it?
>
> The alternative is: Solve organisational problems inside the organisation.
> If the security team indeed has the misconception that "has log4j === is
> vulnerable", then you might need a new security team.
>
> My status on the CVEs:
>
> - CVE-2019-17571: SocketServer needs to be explicitly loaded, we are not
>   vulnerable
> - CVE-2020-9488: We don't use the SMTPAppender, we are not vulnerable
> - CVE-2021-4104: We don't use the JMSAppender, we are not vulnerable
> - CVE-2022-23302: We don't use the JMSSink, we are not vulnerable
> - CVE-2022-23305: We don't use the JDBCAppender, we are not vulnerable
> - CVE-2022-23307: Apache Chainsaw is not used
>
> Greetings
>
> Matthias
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
> For additional commands, e-mail: dev-h...@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
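The two checks the thread does by hand, as an added script that is not part of the thread or of the NetBeans project: separate real log4j 1.x API usage (an uncommented import) from the many places "git grep log4j" finds the string, and look for the components Matthias's CVE list names (SocketServer, SMTPAppender, JMSAppender, JMSSink, JDBCAppender, Chainsaw) in a log4j configuration. The sample tree it builds is constructed here; the class names are log4j 1.2's; it assumes a grep that supports -r and --include (GNU or BSD).

```shell
#!/bin/sh
# Added example, not code from the NetBeans project or from anyone in the
# thread. Automates two checks: distinguishing genuine log4j 1.x API usage
# from mere string mentions, and finding the CVE-relevant components in a
# log4j 1.x config. Sample files below are constructed for the demo.

# Files of any type that mention "log4j" at all: what a plain
# "git grep log4j" reports and what a dependency scanner usually flags.
log4j_mentions() {
  grep -rli 'log4j' "$1" | wc -l | tr -d ' '
}

# Java source lines that really import the log4j API. A commented-out
# import ("// import org.apache.log4j...") does not match because the
# line must begin with the import keyword.
log4j_usage_lines() {
  grep -rE --include='*.java' \
    '^[[:space:]]*import[[:space:]]+org\.apache\.log4j\.' "$1" \
    | wc -l | tr -d ' '
}

# Fully qualified names of the risky log4j 1.2 components referenced in a
# properties/XML file (or directory), one per line, deduplicated.
risky_log4j_components() {
  grep -rohE 'org\.apache\.log4j\.(net\.(SocketServer|SMTPAppender|JMSAppender|JMSSink)|jdbc\.JDBCAppender|chainsaw\.[A-Za-z]+)' "$1" \
    | sort -u
}

# Constructed sample tree mirroring the thread: one real import, one
# commented-out import (like the html validator), a doc mention, and a
# config that wires up SMTPAppender. Prints the directory path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/src"
  printf 'import org.apache.log4j.Logger;\nclass A { }\n' > "$d/src/A.java"
  printf '// import org.apache.log4j.Logger;\nclass B { }\n' > "$d/src/B.java"
  printf 'Bundles log4j-1.2.15.jar for the html validator.\n' > "$d/README.txt"
  printf 'log4j.rootLogger=INFO, R, mail\nlog4j.appender.R=org.apache.log4j.RollingFileAppender\nlog4j.appender.mail=org.apache.log4j.net.SMTPAppender\n' \
    > "$d/log4j.properties"
  echo "$d"
}

# Human-readable summary for a source tree.
scan_report() {
  echo "files mentioning log4j:     $(log4j_mentions "$1")"
  echo "real log4j imports:         $(log4j_usage_lines "$1")"
  echo "risky components in config:"
  risky_log4j_components "$1" | sed 's/^/  /'
}

# Usage: sh scan_log4j.sh /path/to/tree   (no argument: just defines functions)
if [ $# -gt 0 ]; then scan_report "$1"; fi
```

On the constructed tree the mention count is 4 but only one line is a live import, which is the gap between "the scanner flagged log4j" and "the code uses log4j"; the config check then tells you whether any of the appenders behind the listed CVEs is actually wired up, which a jar-name match cannot.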