[https://issues.apache.org/jira/browse/PHOENIX-7169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17804138#comment-17804138]
Istvan Toth commented on PHOENIX-7169:
--------------------------------------
I realize that security policies are not known for making sense or being
rational, but log4j is only there to EXCLUDE log4j.
If you check the pom, log4j only appears as PROVIDED, to exclude it from the
generated shaded artifacts, and in explicit exclusion elements.
I'm not sure how you can remove log4j without breaking the build, but if you
can, then go ahead.
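The exclusion pattern the comment describes (log4j declared as provided so the shade plugin leaves it out, plus explicit exclusion elements), shown as an added illustrative pom fragment; it is constructed for this note, not the phoenix-connectors pom, and `org.example:some-library` is a hypothetical dependency that drags log4j 1.x in transitively:

```xml
<!-- Constructed pom.xml fragment for illustration, not phoenix-connectors' real pom. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pinning log4j 1.x as "provided" keeps it out of the shaded jar:
           maven-shade-plugin bundles only compile/runtime scope artifacts.
           Caveat: Maven still resolves (downloads) a provided artifact, so
           this alone does not satisfy a policy that blocks the download. -->
      <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.17</version>
        <scope>provided</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Transitive path: strip log4j 1.x from a dependency that pulls it in
         (hypothetical coordinates) so it never reaches the classpath. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library</artifactId>
      <version>1.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <configuration>
          <artifactSet>
            <!-- Explicit exclusion from the shaded artifact as well. -->
            <excludes>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </artifactSet>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=log4j:log4j` lists every path that still pulls log4j 1.x into the build, which is the check to run before claiming the dependency is gone.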
> Phoenix-connectors should not depend on log4j:log4j
> ---------------------------------------------------
>
> Key: PHOENIX-7169
> URL: https://issues.apache.org/jira/browse/PHOENIX-7169
> Project: Phoenix
> Issue Type: Improvement
> Components: connectors, hive-connector, spark-connector
> Reporter: Nihal Jain
> Assignee: Nihal Jain
> Priority: Major
> Labels: security
>
> Apache phoenix-connectors has log4j:log4j:1.2.17 as direct dependency (See
> [https://github.com/apache/phoenix-connectors/blob/master/pom.xml#L830]),
> which is vulnerable:
> [https://security.snyk.io/package/maven/log4j:log4j/1.2.17]
> In my org, this dependency is not even allowed to be downloaded and hence I
> can't even build the code in its current state.
> With this ticket I plan to completely remove it from the project.
> CC: [~stoty]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)