ppkarwasz commented on PR #233:
URL: https://github.com/apache/commons-logging/pull/233#issuecomment-2609741837

   I am not sure what permission someone needs to have, but there are 5 closed 
Dependabot alerts regarding `log4j:log4j`. I think we should take these head on 
and:
   
   - Instead of tricking scanners to believe we don't depend on Log4j 1, 
restore the **optional** dependency of `commons-logging` on `log4j:log4j`.
   - Dismiss all security alerts with a meaningful message.
   
   All such alerts are bogus because:
   
   - From our perspective (unit tests), we don't use **any** Log4j 1 component 
covered by a CVE. The vulnerable code is not reachable.
   - From a consumer perspective the dependency is **optional**, so it is up to 
the consumer to choose whether to add it or not.
   - The simple presence of `log4j:log4j` on the classpath of an application is 
not enough for Commons Logging to use it. To enable Log4j 1 support the user 
must set the `org.apache.commons.logging.Log` system property to an appropriate 
value. Only these legacy implementations are detected using the classpath:
     
https://github.com/apache/commons-logging/blob/26e7dc2ebfa8000a6c4a309c5015b4bebbefa7c1/src/main/java/org/apache/commons/logging/impl/LogFactoryImpl.java#L142-L153
   
   I am closing this PR, since we should rather stand our ground and ask 
security scanners to improve their code. The `commons-logging` artifact cannot 
possibly expose the user to any danger, regardless of the dependency manager 
(Gradle, SBT, Ivy, Maven) they use.
   
   The [CycloneDX 
SBOM](https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.4/commons-logging-1.3.4-cyclonedx.xml)
 distributed with `commons-logging` clearly states that all dependencies are 
optional and might not be present at runtime.


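The comment above argues that a scanner should read the published CycloneDX SBOM, where the `log4j:log4j` dependency is declared as optional, before raising an alert. The following is an added example, not code from the commons-logging project or from the commenter, showing how a practitioner can triage such an alert mechanically: parse the SBOM, read each component's CycloneDX `<scope>` (`required`, `optional` or `excluded`; the CycloneDX guidance is to assume `required` when the element is absent), and dismiss only alerts on components the SBOM says need not be on the runtime classpath. The SBOM embedded here is a constructed sample modelled on the shape of a CycloneDX 1.4 document, not the real `commons-logging-1.3.4-cyclonedx.xml`, and the `org.example` components and the function names are hypothetical.

```python
"""Triage a dependency-scanner alert against a CycloneDX SBOM (added example).

CycloneDX records a per-component <scope> element (required | optional |
excluded). When it is absent, the consumer of the BOM should assume
"required". A scanner that ignores this field will flag optional
dependencies as if they were always present at runtime.
"""
import xml.etree.ElementTree as ET

# Namespace of the CycloneDX 1.4 XML schema; a real SBOM may use another
# schema version, in which case this URI has to be adjusted.
CDX_NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample SBOM (NOT the real commons-logging-1.3.4-cyclonedx.xml):
# it only models the scope semantics discussed in the thread. The
# org.example components are hypothetical.
SAMPLE_SBOM = """
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="library">
      <group>commons-logging</group>
      <name>commons-logging</name>
      <version>1.3.4</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>log4j</group>
      <name>log4j</name>
      <version>1.2.17</version>
      <scope>optional</scope>
    </component>
    <component type="library">
      <group>org.example</group>
      <name>hypothetical-required-lib</name>
      <version>1.0</version>
    </component>
    <component type="library">
      <group>org.example</group>
      <name>hypothetical-test-only</name>
      <version>2.0</version>
      <scope>excluded</scope>
    </component>
  </components>
</bom>
"""


def component_scopes(sbom_xml):
    """Map 'group:name:version' -> scope for every component listed in the BOM.

    A missing <scope> element is recorded as 'required', following the
    CycloneDX guidance for consumers.
    """
    root = ET.fromstring(sbom_xml)
    scopes = {}
    for comp in root.findall("./bom:components/bom:component", CDX_NS):
        group = comp.findtext("bom:group", default="", namespaces=CDX_NS)
        name = comp.findtext("bom:name", default="", namespaces=CDX_NS)
        version = comp.findtext("bom:version", default="", namespaces=CDX_NS)
        scope = comp.findtext("bom:scope", default="required", namespaces=CDX_NS)
        scopes[f"{group}:{name}:{version}"] = scope
    return scopes


def triage_alert(sbom_xml, group, name):
    """Return (verdict, reason) for a scanner alert on group:name.

    'dismiss': every matching component is optional or excluded, so the SBOM
               says it is not necessarily on the runtime classpath.
    'review':  the component is required, or not declared at all, so the
               alert deserves a real look rather than an automatic dismissal.
    """
    prefix = f"{group}:{name}:"
    matches = {k: v for k, v in component_scopes(sbom_xml).items()
               if k.startswith(prefix)}
    if not matches:
        return "review", f"{group}:{name} is not declared in the SBOM"
    if all(scope in ("optional", "excluded") for scope in matches.values()):
        return "dismiss", (f"{group}:{name} is declared with scope "
                           f"{sorted(set(matches.values()))}; "
                           "not necessarily present at runtime")
    return "review", f"{group}:{name} is a required dependency"


if __name__ == "__main__":
    for ga in (("log4j", "log4j"), ("org.example", "hypothetical-required-lib")):
        verdict, reason = triage_alert(SAMPLE_SBOM, *ga)
        print(f"{verdict}: {reason}")
```

The verdict only reflects what the SBOM declares. Whether an optional dependency is actually reachable at runtime still depends on the consumer's own build (did they add `log4j:log4j` themselves?) and, as the comment notes, on whether the `org.apache.commons.logging.Log` system property was set to select it; a dismissal message written from this output should say so.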