Vulnerability in quarkus-core dependency #43607
-
Hi everyone, I’m facing an issue with Quarkus. The company I work for is strict about vulnerabilities, and AWS Amazon Inspector has pointed out that the Quarkus project is using the library org.jboss.logging.jboss-logging-3.6.0.Final.jar, which relies on the log4j version 1.2.17, leading to several vulnerabilities being flagged: CVE-2019-17571, CVE-2022-23305, CVE-2023-26464, CVE-2022-23302, CVE-2022-23307, CVE-2021-4104, CVE-2020-9488. I tried to exclude the jboss-logging dependency, but this library is used in quarkus-core, and I encountered the following error:
I saw that there’s already a discussion on the jboss-logging project, but there hasn’t been any movement: jboss-logging/jboss-logging#111. Considering that I cannot deploy with AWS Amazon Inspector raising this issue, do you have any suggestions?
Replies: 2 comments 1 reply
-
//cc @dmlloyd
-
Since we do not include `log4j`, this is not an issue (note that the dependency is `provided` scope). Unfortunately these vulnerability scanners don't always understand the nature of a dependency. But `jboss-logging` cannot be said to depend on `log4j` in any logical sense.
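The reply's point is that the scanner reads a dependency declared in the jar's embedded POM without honouring its scope, while Maven only passes `compile` and `runtime` scope dependencies on to consumers. The script below, an added example that is not from this discussion nor from the Quarkus or jboss-logging projects, parses a constructed POM excerpt and reports whether a flagged artifact would actually reach a consuming project; `example:helper-lib` is an invented artifact used for contrast.

```python
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Maven passes only compile and runtime scope dependencies on to consumers;
# provided and test scope are not transitive.
TRANSITIVE_SCOPES = {"compile", "runtime"}

# Constructed POM excerpt shaped like a jar's META-INF/maven/.../pom.xml; it is
# not the real jboss-logging POM, and "example:helper-lib" is invented for contrast.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.jboss.logging</groupId>
  <artifactId>jboss-logging</artifactId>
  <version>3.6.0.Final</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.17</version><scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>example</groupId><artifactId>helper-lib</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


def declared_dependencies(pom_xml):
    """Return each <dependency> with its effective scope and optional flag."""
    deps = []
    for dep in ET.fromstring(pom_xml).iter(POM_NS + "dependency"):
        text = lambda tag: (dep.findtext(POM_NS + tag) or "").strip()
        deps.append({"ga": text("groupId") + ":" + text("artifactId"),
                     "version": text("version"),
                     "scope": text("scope") or "compile",  # Maven default
                     "optional": text("optional") == "true"})
    return deps


def triage(pom_xml, flagged_ga):
    """Explain a scanner hit: is flagged_ga really shipped to consumers?"""
    for dep in declared_dependencies(pom_xml):
        if dep["ga"] == flagged_ga:
            reaches = dep["scope"] in TRANSITIVE_SCOPES and not dep["optional"]
            return {"ga": flagged_ga, "version": dep["version"],
                    "scope": dep["scope"], "reaches_consumer": reaches}
    return None  # not declared in this POM at all


if __name__ == "__main__":
    for ga in ("log4j:log4j", "example:helper-lib"):
        print(triage(SAMPLE_POM, ga))
```

A real POM can also inherit from a parent or list artifacts under `dependencyManagement`, so confirm the result on the actual application with `mvn dependency:tree -Dscope=runtime` before closing the finding as a false positive.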