Attached is the report generated by OWASP Dependency Check, invoked as a Gradle plugin, for the project. The benefit of invocation by way of the build system is that the tool is able to detect more than through build file or artifact analysis alone.
In this case, it detected plugin org.jetbrains.dokka:1.9.20 is bringing in org.apache.log4j:1.2.17.2 which has a ton of nasty security defects associated with it including malicious code execution and network shenanigans. Here is where the plugin is referenced in the build file.
To be clear - the vulnerable dependency is brought in ONLY during the build process by a gradle plugin. It is NOT present in the deliverable.
My view is that this is not of immediate concern, but we should get this out of our build chain. It's end-of-life known vulnerable code that serves no purpose other than to grow risk.
ACs
Your mission, should you choose to accept it, is to remove the reference to org.apache.log4j:1.2.17.2 from the project. This can be accomplished by removing the dokka plugin altogether. This can also be accomplished by forcing the build chain to use a different logger. The current version of that plugin in Maven Central is 1.9.20 - so bumping the version is not an option.
dependency-check-report.html.zip
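The distinction the issue draws (a vulnerable jar on a plugin classpath versus one that ships in the deliverable) is easy to lose in a flat HTML report. The following triage script is an added example, not part of the project or of Dependency-Check itself; it reads the JSON flavour of the report, splits findings by the Gradle configuration they were resolved from, and only gates the build on findings that reach the artifact. The report shape, the `projectReferences` values and the list of build-only configuration prefixes are assumptions, and the sample data is constructed with placeholder CVE ids.

```python
"""Triage an OWASP Dependency-Check JSON report by where each jar is used.
Example code added for this issue; not the project's own tooling."""
import json

# Gradle configuration name prefixes that never reach the shipped artifact
# (assumed list; extend it for the project's own build-only configurations).
BUILD_ONLY_PREFIXES = ("buildscript", "dokka", "kotlinCompiler", "annotationProcessor", "kapt")

# Constructed sample in the shape of a Dependency-Check JSON report. The
# "projectReferences" values mimic "<project>:<configuration>" entries as an assumption.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-1.2.17.2.jar",
         "projectReferences": ["myproject:dokkaPlugin"],
         "vulnerabilities": [
             {"name": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-PLACEHOLDER-2", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "example-lib-1.0.jar",
         "projectReferences": ["myproject:runtimeClasspath"],
         "vulnerabilities": [
             {"name": "CVE-PLACEHOLDER-3", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "clean-lib-2.0.jar", "projectReferences": ["myproject:runtimeClasspath"]},
    ]})


def is_build_only(refs):
    """True only when every configuration the jar was resolved from is build-time only."""
    return bool(refs) and all(r.split(":")[-1].startswith(BUILD_ONLY_PREFIXES) for r in refs)


def triage(report_json, fail_cvss=7.0):
    """Bucket vulnerable jars into build-only vs shipped and decide whether to fail the build."""
    report = json.loads(report_json)
    findings = {"build_only": [], "shipped": []}
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue  # clean jar, nothing to track
        top = max((v.get("cvssv3", {}).get("baseScore", 0.0) for v in vulns), default=0.0)
        bucket = "build_only" if is_build_only(dep.get("projectReferences", [])) else "shipped"
        findings[bucket].append({"file": dep["fileName"],
                                 "cves": [v["name"] for v in vulns],
                                 "max_cvss": top})
    # Build-only findings are tracked for cleanup (as this issue does) but do not gate the
    # release; only findings that reach the deliverable fail the build above the threshold.
    findings["fail_build"] = any(f["max_cvss"] >= fail_cvss for f in findings["shipped"])
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```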