On 9 Feb 2023, at 11:27, Carfield Yim wrote:
Thanks a lot Mark, just wonder if any update about this?
Haven't had a chance yet - we've unfortunately been hit with a rather large national cyclone (Gabrielle) which hasn't really done much for my focus.
That being said, where did you see the log4j references originally? I can't spot them in any dependency trees
Mark
"The ease with which a change can be implemented has no relevance at all to whether it is the right change for the (Java) Platform for all time." — Mark Reinhold.
Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt
On 9 Feb 2023, at 11:27, Carfield Yim wrote:
Thanks a lot Mark, just wonder if any update about this?
For what it's worth - I just released 1.9.1 with updated dependencies.
I've temporarily disabled the Autodoc IT (after upgrading it to 1.1.2) as it's internally giving an odd bug with expecting Strings and getting Characters passed around internally.
I've been thinking of killing off some of these other goals such as autodoc etc. and leaving just the compile/test though.
On 14 Feb 2023, at 22:35, Mark Derricutt wrote:
For what it's worth - I just released 1.9.1 with updated dependencies.
Interesting - the Sonatype SBOM report does actually show l...@1.2.12 still being there, even though the dependency:tree plugin didn't.
So I'm adding both the cyclonedx-maven-plugin and oss-index plugins to the build to try and track this down.
On 15 Feb 2023, at 1:19, Carfield Yim wrote:
Thanks a lot Mark!
And resolved - just released 1.9.2.
The project had a dependency on an OLD, unused earlier version of the maven-toolchains artefact which did include log4j 1.2, however - long ago in the Maven 3.x development process support for toolchains was moved into the core project.
The dependency:tree plugin was showing that the artefact was overridden by core, so never actually checked it for violations - as it's not actually a run-time issue.
Resolved now however - leaving only Guava as listing a violation, but I've listed that as an excluded violation as there's as-yet no updated release.
Mark
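The two points in the thread above - a CycloneDX SBOM listing a log4j 1.2.x artefact that dependency:tree had hidden because the artefact was overridden, and Guava being carried as an explicitly excluded violation until a fixed release exists - can be checked with a small script over the SBOM itself. The following is an added example, not code from this thread or from the plugin project: it parses a CycloneDX JSON document, flags components against a denylist, and reports whether each flagged component is actually reachable from the root component through the BOM's dependency graph, so that inventory-only entries can be told apart from runtime exposure. The sample SBOM, the denylist entries, the `org.example` coordinates and the exclusion justification are all constructed placeholders.

```python
"""Audit a CycloneDX JSON SBOM against a denylist, with reachability and exclusions.

Added example (hypothetical checker, not the thread's or the plugin's code).
"""
import json
from collections import deque

# --- Constructed sample SBOM (all coordinates other than log4j are made up) ---
ROOT = "pkg:maven/com.example/plugin@1.9.1"
TOOLCHAINS = "pkg:maven/org.example/toolchains@1.0"      # stale artefact that drags in log4j 1.x
LOG4J = "pkg:maven/log4j/log4j@1.2.12"
GUAVA = "pkg:maven/com.google.guava/guava@31.1-jre"
LEGACY = "pkg:maven/org.example/legacy-util@0.1"          # listed, but nothing depends on it

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": ROOT,
                                "group": "com.example", "name": "plugin", "version": "1.9.1"}},
    "components": [
        {"type": "library", "bom-ref": TOOLCHAINS, "group": "org.example", "name": "toolchains", "version": "1.0"},
        {"type": "library", "bom-ref": LOG4J, "group": "log4j", "name": "log4j", "version": "1.2.12"},
        {"type": "library", "bom-ref": GUAVA, "group": "com.google.guava", "name": "guava", "version": "31.1-jre"},
        {"type": "library", "bom-ref": LEGACY, "group": "org.example", "name": "legacy-util", "version": "0.1"},
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [TOOLCHAINS, GUAVA]},
        {"ref": TOOLCHAINS, "dependsOn": [LOG4J]},
        {"ref": LOG4J, "dependsOn": []},
        {"ref": GUAVA, "dependsOn": []},
        {"ref": LEGACY, "dependsOn": []},
    ],
})

# Denylist entries: (group, name, version prefix, reason). Constructed for the example;
# an empty version prefix matches every version of that artefact.
DENYLIST = [
    ("log4j", "log4j", "1.", "log4j 1.x is end-of-life and no longer receives fixes"),
    ("com.google.guava", "guava", "", "advisory reported by the dependency scanner (placeholder)"),
    ("org.example", "legacy-util", "", "internally banned artefact (constructed)"),
]

# Excluded violations: (group, name) -> justification, the SBOM-side equivalent of
# "listed as an excluded violation". Constructed placeholder text.
EXCLUSIONS = {
    ("com.google.guava", "guava"): "no updated release available yet",
}


def parse_sbom(text):
    """Load a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def component_key(comp):
    return (comp.get("group", ""), comp.get("name", ""))


def matches(comp, entry):
    group, name, version_prefix, _reason = entry
    return component_key(comp) == (group, name) and str(comp.get("version", "")).startswith(version_prefix)


def reachable_refs(bom):
    """Set of bom-refs reachable from the root component via the 'dependencies' graph."""
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = set(), deque([root] if root else [])
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(edges.get(ref, []))
    return seen


def audit(text, denylist=DENYLIST, exclusions=EXCLUSIONS):
    """Return one finding per denylisted component, with reachability and exclusion status."""
    bom = parse_sbom(text)
    reachable = reachable_refs(bom)
    findings = []
    for comp in bom.get("components", []):
        for entry in denylist:
            if matches(comp, entry):
                findings.append({
                    "ref": comp.get("bom-ref"),
                    "reason": entry[3],
                    "reachable": comp.get("bom-ref") in reachable,  # inventory-only vs. actually pulled in
                    "excluded": exclusions.get(component_key(comp)),  # justification, or None
                })
    return findings


def failing(findings):
    """Findings that should fail the build: reachable and not explicitly excluded."""
    return [f for f in findings if f["reachable"] and not f["excluded"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_SBOM):
        print(f)
    print("build fails on:", [f["ref"] for f in failing(SAMPLE_SBOM and audit(SAMPLE_SBOM))])
```

Run against the constructed SBOM, the log4j 1.2.12 entry is both denylisted and reachable through the stale toolchains artefact, so it is the only finding that fails the build; Guava is reachable but carries an exclusion with a recorded justification, and the legacy-util entry is in the component inventory without any incoming dependency edge, which is the situation where an SBOM lists something that the resolved runtime tree never uses. Keeping the justification string next to each exclusion makes it easy to revisit the exclusion once a fixed release appears.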