Hi All,

As you might all have heard, some versions of log4j, including 1.x and 2.x, have been exposed to remote code execution attacks [1], and the recommendation to avoid this is to upgrade log4j to v2.16.0. Currently, Airavata is running on log4j 1.x, and this [2] pull request should migrate the entire project to 2.16.0. I have scanned all the dependencies and excluded log4j 1.x related artifacts at the definition level. Any library that depends on log4j 1.x now routes logs through the log4j-1.2-api bridge to log4j 2.16.0.

If you are adding a new module or dependency to the project in the future, please make sure that the following steps are covered.

1. Do not add any log4j related dependency to any module. All are loaded at the main pom level, so you can use it.
2. If you are adding a new dependency, make sure that it does not include any log4j dependency into the project. If it does, exclude it at the definition level. Example - [3]. You can scan derived dependencies by running mvn dependency:tree | grep log4j
3. Always use the slf4j logging API to add logs into the code.

[1] https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] https://github.com/apache/airavata/pull/275/files
[3] https://github.com/apache/airavata/pull/275/files#diff-d5149326cfe403e4106239a432c405d04be11f1588a3d566526b4ce547fcea0bR111

Thanks
Dimuthu
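As an added illustration (not the Airavata pom or the pull request's diff), this is how steps 1 and 2 look in Maven: the parent pom pins every log4j 2 artifact, including the log4j-1.2-api bridge, and a module pom excludes a transitive log4j 1.x jar where the dependency is declared. The `log4j2.version` property, the `com.example:legacy-library` coordinates and the slf4j-log4j12 exclusion are assumptions for the example.

```xml
<!-- Parent pom: pin all log4j 2 artifacts once; modules declare no log4j version -->
<properties>
  <log4j2.version>2.16.0</log4j2.version>
</properties>
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
    <!-- Bridge: calls made against the log4j 1.x API are routed into log4j 2 -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
    <!-- SLF4J binding: application code logs through the slf4j API only -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
<!-- Module pom: a third-party library (placeholder coordinates) that pulls in
     log4j 1.x transitively. Exclude it at the definition so the 1.x jar and its
     old slf4j binding never reach the classpath; the bridge above takes over. -->
<dependencies>
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>legacy-library</artifactId>
    <version>1.0</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

After editing, `mvn dependency:tree | grep log4j` should list only `org.apache.logging.log4j` artifacts at 2.16.0 and no `log4j:log4j` entry.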