Hakan Altindag created LOG4J2-2987:
--------------------------------------

             Summary: Snyk reports vulnerability for log4j-to-slf4j caused by 
junit transitive dependency
                 Key: LOG4J2-2987
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2987
             Project: Log4j 2
          Issue Type: Improvement
          Components: SLF4J Bridge
    Affects Versions: 2.14.0
            Reporter: Hakan Altindag
         Attachments: image-2020-12-30-11-44-03-287.png

I am using log4j-to-slf4j bridge for my own library. During the regular 
vulnerability scan it reported that it has a vulnerability caused by a 
transitive dependency from log4j-api which has a compile scoped dependency of 
org.junit.jupiter:junit-jupiter-migrationsupport.

See here for a screenshot:

!image-2020-12-30-11-44-03-287.png!

See here for the report: 
[https://app.snyk.io/org/hakky54/project/667055da-a0a4-461f-a169-e88bd2f94ce1]

 

This issue can be fixed when adding the test scope to the dependency in the 
following file: 
https://github.com/apache/logging-log4j2/blob/master/log4j-api/pom.xml

I am not familiar with the code base, so I was not sure if someone did not put 
a test scope on purpose... But looking at the other dependencies, the following 
could also be marked as test scope: junit-vintage-engine, 
junit-jupiter-migrationsupport, junit-jupiter-params, junit-jupiter-engine, 
assertj-core



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

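The fix the reporter describes is a one-line scope change in the pom, but the underlying failure mode (a test-only library declared without `<scope>test</scope>`, so Maven defaults it to compile scope and every downstream consumer inherits it, along with whatever a scanner flags in it) is easy to reintroduce. The script below is an added example, not code from the Log4j project or from the reporter: it parses a pom.xml, lists test-only artifacts that are not test-scoped, and emits a corrected pom. The sample pom is constructed for this example and is not the real log4j-api pom, and the set of "test-only" groupIds is an assumption chosen to match the artifacts named in the issue.

```python
"""Find and fix test-only Maven dependencies that leak into compile scope.

Added example (not part of the Log4j project). Uses only the standard library.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Assumption: these groupIds only ever publish test-support libraries, so any
# dependency on them that is not <scope>test</scope> is a leak into consumers'
# compile classpath. Extend this set to match your own build.
TEST_ONLY_GROUPS = {"org.junit.jupiter", "org.junit.vintage", "org.assertj"}

# Constructed sample pom mirroring the situation in the issue: one JUnit
# artifact with no scope (Maven defaults it to compile), one correctly
# test-scoped, and one explicitly (and wrongly) compile-scoped.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>log4j-api-sample</artifactId>
  <version>0.0.1</version>
  <dependencies>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-migrationsupport</artifactId>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-engine</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.assertj</groupId>
      <artifactId>assertj-core</artifactId>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</project>
"""


def _dependencies(root):
    """Yield (element, groupId, artifactId, effective scope) for each dependency."""
    for dep in root.findall("./m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        # Maven's default scope when <scope> is absent is "compile".
        scope = dep.findtext("m:scope", default="compile", namespaces=NS).strip()
        yield dep, group, artifact, scope


def find_leaking_test_deps(pom_xml: str) -> list:
    """Return 'group:artifact' for test-only libraries not declared as test scope."""
    root = ET.fromstring(pom_xml)
    return [
        f"{group}:{artifact}"
        for _, group, artifact, scope in _dependencies(root)
        if group in TEST_ONLY_GROUPS and scope != "test"
    ]


def fix_scopes(pom_xml: str) -> str:
    """Return the pom with every test-only dependency forced to <scope>test</scope>."""
    ET.register_namespace("", POM_NS)  # keep the default xmlns on output
    root = ET.fromstring(pom_xml)
    for dep, group, _, _ in _dependencies(root):
        if group in TEST_ONLY_GROUPS:
            scope_el = dep.find("m:scope", NS)
            if scope_el is None:
                scope_el = ET.SubElement(dep, f"{{{POM_NS}}}scope")
            scope_el.text = "test"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for leak in find_leaking_test_deps(SAMPLE_POM):
        print("compile-scope test library:", leak)
    print(fix_scopes(SAMPLE_POM))
```

Run against a real pom, the first function is the check to put in CI; the second is the mechanical version of the edit proposed in the issue. A complementary check on the consumer side is `mvn dependency:tree -Dscope=compile` on the library that uses log4j-to-slf4j, which shows whether any junit or assertj artifact is still reaching the compile classpath transitively.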