Merge pull request #22123 from gsmet/log4j2-api-update

Update Log4j 2 API to 2.15.0
quarkusio · Dec 11, 2021 · 6bf55dc · 6bf55dc
2 parents 55c5918 + aead1da
commit 6bf55dc
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -27,6 +27,7 @@ updates:
       - dependency-name: com.vackosar.gitflowincrementalbuilder:gitflow-incremental-builder
       - dependency-name: org.jboss.logging:*
       - dependency-name: org.jboss.logmanager:*
+      - dependency-name: org.apache.logging.log4j:log4j-api
       - dependency-name: org.ow2.asm:*
       - dependency-name: org.glassfish:jakarta-el
       - dependency-name: com.google.cloud.tools:jib-core

diff --git a/bom/application/pom.xml b/bom/application/pom.xml
@@ -185,6 +185,7 @@
         <gson.version>2.8.6</gson.version>
         <webjars-locator-core.version>0.46</webjars-locator-core.version>
         <log4j2-jboss-logmanager.version>1.0.0.Final</log4j2-jboss-logmanager.version>
+        <log4j2-api.version>2.15.0</log4j2-api.version>
         <log4j-jboss-logmanager.version>1.2.2.Final</log4j-jboss-logmanager.version>
         <avro.version>1.11.0</avro.version>
         <apicurio-registry.version>2.1.3.Final</apicurio-registry.version>
@@ -2654,6 +2655,15 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <!--
+            While we are not affected by CVE-2021-4428 as we are only using the Log4j2 API,
+            we enforce an updated version so that security scanners don't detect false positives.
+            -->
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-api</artifactId>
+                <version>${log4j2-api.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.jboss.logmanager</groupId>
                 <artifactId>log4j-jboss-logmanager</artifactId>