[ https://issues.apache.org/jira/browse/PHOENIX-7169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815939#comment-17815939 ]
Nihal Jain commented on PHOENIX-7169:
-------------------------------------
I have made some progress here, will put up a WIP PR soon
> Phoenix-connectors should not depend on log4j:log4j
> ---------------------------------------------------
>
> Key: PHOENIX-7169
> URL: https://issues.apache.org/jira/browse/PHOENIX-7169
> Project: Phoenix
> Issue Type: Improvement
> Components: connectors, hive-connector, spark-connector
> Reporter: Nihal Jain
> Assignee: Nihal Jain
> Priority: Major
> Labels: security
>
> Apache phoenix-connectors has log4j:log4j:1.2.17 as a direct dependency (see
> [https://github.com/apache/phoenix-connectors/blob/master/pom.xml#L830]),
> which is vulnerable:
> [https://security.snyk.io/package/maven/log4j:log4j/1.2.17]
> In my org, this dependency is not even allowed to be downloaded and hence I
> can't even build the code in its current state.
> With this ticket I plan to completely remove it from the project.
> CC: [~stoty]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
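The ticket above turns on a simple check: does the build declare log4j:log4j directly, and at which version? The script below is an added example, not code from the phoenix-connectors project or from the ticket; it parses a constructed pom.xml (modelled on a project that pins log4j 1.x through a property and dependencyManagement, as the linked pom does), resolves the version the way Maven would for that simple case, and reports any direct dependency on a banned coordinate. Names such as SAMPLE_POM, BANNED and banned_direct_dependencies are this example's own. It deliberately covers only direct declarations in one pom (no parent poms, profiles or transitive dependencies).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the phoenix-connectors pom): the banned
# artifact is declared without a version and picks it up from
# dependencyManagement, which in turn reads a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-connectors</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <properties>
    <log4j.version>1.2.17</log4j.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>${log4j.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Coordinates the build must not declare; log4j 1.x is the one from the ticket.
BANNED = {("log4j", "log4j")}
_PROP = re.compile(r"\$\{([^}]+)\}")


def _text(elem, tag):
    """Text of a direct child element, or None if absent."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _properties(root):
    """Map of <properties> entries, local name -> value."""
    props = {}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    return props


def _interpolate(value, props):
    """Expand ${name} references; unknown names are left untouched."""
    if value is None:
        return None
    for _ in range(5):  # bounded, since properties may reference properties
        expanded = _PROP.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def find_dependencies(pom_xml):
    """Direct <dependencies> of the pom with versions resolved from
    properties and dependencyManagement (single-pom view only)."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        managed[key] = _interpolate(_text(dep, "version"), props)
    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        version = _interpolate(_text(dep, "version"), props) or managed.get(key)
        found.append({
            "groupId": key[0],
            "artifactId": key[1],
            "version": version,
            "scope": _text(dep, "scope") or "compile",
        })
    return found


def banned_direct_dependencies(pom_xml, banned=BANNED):
    """Direct dependencies whose groupId:artifactId is on the banned list."""
    return [d for d in find_dependencies(pom_xml)
            if (d["groupId"], d["artifactId"]) in banned]


if __name__ == "__main__":
    for d in banned_direct_dependencies(SAMPLE_POM):
        print(f"banned: {d['groupId']}:{d['artifactId']}:{d['version']} ({d['scope']})")
```

Because this only reads direct declarations, it tells you whether the pom itself needs editing; whether log4j 1.x still arrives transitively through another artifact is a separate question that `mvn dependency:tree -Dincludes=log4j:log4j` answers for the resolved build.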