[https://issues.apache.org/jira/browse/TINKERPOP-2715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502596#comment-17502596]
Stephen Mallette commented on TINKERPOP-2715:
---------------------------------------------
Understood. Our latest release line, 3.6.0, uses logback, and hopefully users
will move to it quickly as a replacement for the 3.5.x line, which is still on
log4j. So far that has seemed like a sufficient solution that the community has
gotten behind, since we've resolved the issue going forward.
As you point to hadoop-gremlin, which is part of 3.6.0, IIRC I believe that
problem is with Hadoop. It seems to directly depend on log4j, so we couldn't
even replace it if we wanted to. It would be nice to see that fixed. I can't
recall if Spark had a similar issue, but maybe it inherited that from Hadoop
somehow.
I suppose it could be something that is reconsidered for 3.5.x if the CVEs were
severe enough. What are the most critical issues in your view?
> remove log4jv1 dependency
> -------------------------
>
> Key: TINKERPOP-2715
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2715
> Project: TinkerPop
> Issue Type: Improvement
> Components: build-release
> Affects Versions: 3.5.2
> Reporter: PJ Fanning
> Priority: Major
>
> Can this be reconsidered? Log4jv1 has even more open CVEs now.
> [https://repo1.maven.org/maven2/org/apache/tinkerpop/gremlin-driver/3.5.2/gremlin-driver-3.5.2.pom]
> https://issues.apache.org/jira/browse/TINKERPOP-1983
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
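The comment above notes that hadoop-gremlin cannot drop log4j 1.x because Hadoop itself depends on it. A downstream project does not have to accept that transitive dependency, though: Maven exclusions apply to the whole subtree under a direct dependency, so log4j 1.x can be refused at the consumer's pom and its package namespace supplied by a bridge instead. The fragment below is an added example for this discussion, not TinkerPop's own pom; the property names `hadoop.version`, `slf4j.version` and `logback.version` are placeholders the reader must set, and the assumption that `slf4j-log4j12` also arrives via Hadoop should be checked against `mvn dependency:tree` for the actual version in use.

```xml
<!-- Added example, not TinkerPop's pom: consumer-side pom.xml fragment that
     keeps log4j 1.x off the classpath when depending on hadoop-gremlin 3.6.0.
     Property names (slf4j.version, logback.version) are placeholders. -->
<dependencies>
  <dependency>
    <groupId>org.apache.tinkerpop</groupId>
    <artifactId>hadoop-gremlin</artifactId>
    <version>3.6.0</version>
    <exclusions>
      <!-- log4j 1.x arrives transitively via Hadoop; an exclusion on the
           direct dependency removes it from the entire transitive subtree -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
      <!-- The SLF4J-to-log4j-1.x binding must go too (assumption: Hadoop pulls
           it in); left together with log4j-over-slf4j below the two bindings
           would forward log events to each other in a loop -->
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Bridge: provides the org.apache.log4j classes Hadoop compiles against,
       reimplemented to forward to SLF4J, so no log4j 1.x code is loaded -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>log4j-over-slf4j</artifactId>
    <version>${slf4j.version}</version>
  </dependency>

  <!-- Actual logging backend, matching what TinkerPop 3.6.0 itself uses -->
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>${logback.version}</version>
  </dependency>
</dependencies>
```

Verify the result with `mvn dependency:tree -Dincludes=log4j:log4j`, which should print no matching artifact once the exclusion is in effect. Two caveats: `log4j-over-slf4j` implements only the commonly used part of the log4j 1.x API, so Hadoop code paths that configure appenders or call `LogManager` directly may fail with `NoClassDefFoundError` at runtime and need to be exercised in a test; if that happens, `ch.qos.reload4j:reload4j`, a maintained fork of log4j 1.2.17 that keeps the same package names and fixes the open CVEs, is the drop-in alternative to the bridge.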