ppkarwasz opened a new pull request, #233: URL: https://github.com/apache/commons-logging/pull/233
This is a PoC on how to remove deprecated libraries from the POM file (or move them to the `test` scope) to appease some primitive security scanners. The trick is to extract classes/methods from the Avalon, LogKit and Log4j 1.x libraries that are used in the Commons Logging code and put them in an additional source code directory `src/main/dummy`.

**Remark:** The source files in `src/main/dummy` are **not** included in any Commons Logging artifact. They are only used by the compiler to include the correct signatures in the class files.

## Motivation

From a developer perspective the change is useless and the new artifacts should be **identical** to those before this change (except the embedded `pom.xml`, `module-info.class` and the aesthetic change in `Log4JLog`). However, many developers struggle to explain to their security experts that having `log4j:log4j` somewhere in a POM file is not a problem (cf. [many questions on SO](https://stackoverflow.com/search?q=maven+download+log4j)).

This is also in line with #231.
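As an added illustration of the `src/main/dummy` idea (an editor's sketch, not code from this PR or from Commons Logging), the following shows what compile-only stubs for the Log4j 1.x classes could look like. It assumes that `Log4JLogger` only needs `Logger.getLogger(String)`, `Logger.log(String, Priority, Object, Throwable)`, `isDebugEnabled()`, `isInfoEnabled()`, `isEnabledFor(Priority)` and the `Level` constants; the real subset must be taken from the actual source. Each stub lives in its own file under `src/main/dummy/org/apache/log4j/`, as marked by the `// File:` comments.

```java
// File: src/main/dummy/org/apache/log4j/Priority.java
// Compile-only stub (assumed subset, not the real Log4j 1.x class).
// Bodies throw unconditionally: this source must never reach a runtime class path.
package org.apache.log4j;

public class Priority {
    protected Priority() {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }
}

// File: src/main/dummy/org/apache/log4j/Level.java
// Level must extend Priority so that a Level can be passed where the
// compiler expects a Priority, exactly as with the real library.
package org.apache.log4j;

public class Level extends Priority {
    // Object-typed static finals are NOT constant expressions, so javac emits a
    // getstatic against org/apache/log4j/Level instead of inlining a value.
    // Never declare primitive or String constants (e.g. DEBUG_INT) in a stub
    // unless the value is byte-for-byte what the real class declares: those
    // would be inlined into the Commons Logging class files at compile time.
    public static final Level TRACE = null;
    public static final Level DEBUG = null;
    public static final Level INFO  = null;
    public static final Level WARN  = null;
    public static final Level ERROR = null;
    public static final Level FATAL = null;

    protected Level() {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }
}

// File: src/main/dummy/org/apache/log4j/Logger.java
// In the real library most of these members are declared on Category, the
// superclass of Logger. The stub flattens them onto Logger: since JLS 13.1
// javac records the receiver's static type (org/apache/log4j/Logger) in the
// Methodref, not the declaring class, so the emitted bytecode is unchanged.
package org.apache.log4j;

public class Logger {
    protected Logger(String name) {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }

    public static Logger getLogger(String name) {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }

    // Descriptor must match the real one exactly:
    // (Ljava/lang/String;Lorg/apache/log4j/Priority;Ljava/lang/Object;Ljava/lang/Throwable;)V
    public void log(String callerFQCN, Priority level, Object message, Throwable t) {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }

    public boolean isDebugEnabled() {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }

    public boolean isInfoEnabled() {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }

    public boolean isEnabledFor(Priority level) {
        throw new AssertionError("compile-only stub, must not be loaded at runtime");
    }
}
```

Two checks are worth running on the result, whatever mechanism is used to add the directory as a compile root and keep its classes out of the jar. First, `unzip -l target/commons-logging-*.jar | grep org/apache/log4j` must print nothing, otherwise the stubs would shadow the real classes on a user's class path. Second, compare `javap -v -p` on the built `Log4JLogger.class` against `javap -p` of the real `log4j:log4j` jar: every `Methodref`/`Fieldref` descriptor must exist there with the same owner class and signature, since a mismatched stub compiles cleanly and only fails with `NoSuchMethodError` or `NoSuchFieldError` at runtime.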
