Is there any reason to use log4j instead of java.util.logging these days? If log4j is only used in one place in the NetBeans codebase, it might be beneficial to get rid of it in any case--one less dependency, and fewer overlapping logging libraries.
-- Eirik

-----Original Message-----
From: Matthias Bläsing <mblaes...@doppel-helix.eu.INVALID>
Sent: Thursday, March 23, 2023 2:48 PM
To: dev@netbeans.apache.org
Subject: Re: log4j

Hi,

On Thursday, 23.03.2023 at 09:53 -0400, William Shackleford wrote:
> Netbeans appears to include log4j even the most recent version.
>
> in
>
> netbeans/ide/modules/ext/log4j-1.2.15.jar
>
> Our IT security group has flagged it and requires that it be removed
> even though as it is version 1 it is not vulnerable to the most famous
> issue as apparently there were other issues and it is no longer supported.
>
> What are the consequences of removing it?

If I saw it correctly, log4j is used by the html validator only. Anything
that calls into that might break. That also might happen indirectly.

>
> How would I go about committing or just suggesting a change to have
> it removed from future versions

Have a look at the html.parser and html.validator modules. Both most
probably need to be updated or might be patched not to carry log4j.
Patching html.validator might be the quickest way, updates to current
version might be better in the long run. The hard

> to avoid triggering our security team from telling everyone to delete
> it and maybe all of netbeans with it?

The alternative is: Solve organisational problems inside the
organisation. If the security team indeed has the misconception that
"has log4j === is vulnerable", then you might need a new security team.
My status on the CVEs:
- CVE-2019-17571: SocketServer needs to be explicitly loaded, we are not vulnerable
- CVE-2020-9488: We don't use the SMTPAppender, we are not vulnerable
- CVE-2021-4104: We don't use the JMSAppender, we are not vulnerable
- CVE-2022-23302: We don't use the JMSSink, we are not vulnerable
- CVE-2022-23305: We don't use the JDBCAppender, we are not vulnerable
- CVE-2022-23307: Apache Chainsaw is not used

Greetings

Matthias

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
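A triage check in the spirit of Matthias's CVE list, added here as an example and not part of the thread or of the NetBeans code base: it lists the classes a log4j 1.2 jar ships and scans a log4j.properties file for references to the component behind each CVE, so "we don't use the JMSAppender" becomes something a build can verify. The jar contents and both configuration files are constructed inside the script (a stand-in for log4j-1.2.15.jar, not the real one); the class and package names are the real log4j 1.2 ones for the components named above, and the verdict strings are the script's own.

```python
import io
import re
import zipfile

# The log4j 1.2 CVEs listed in the thread, mapped to the class (or package,
# for Chainsaw) that carries each issue. These are the real log4j 1.2 names.
LOG4J1_CVE_COMPONENTS = {
    "CVE-2019-17571": "org.apache.log4j.net.SocketServer",
    "CVE-2020-9488": "org.apache.log4j.net.SMTPAppender",
    "CVE-2021-4104": "org.apache.log4j.net.JMSAppender",
    "CVE-2022-23302": "org.apache.log4j.net.JMSSink",
    "CVE-2022-23305": "org.apache.log4j.jdbc.JDBCAppender",
    "CVE-2022-23307": "org.apache.log4j.chainsaw",  # whole package: the Chainsaw GUI
}


def classes_in_jar(jar_bytes):
    """Return the fully qualified names of all classes inside a jar (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            name[: -len(".class")].replace("/", ".")
            for name in jar.namelist()
            if name.endswith(".class")
        }


def log4j_classes_in_config(config_text):
    """Collect every org.apache.log4j.* class named in a log4j.properties file.

    Appenders and sinks are wired in with lines such as
    log4j.appender.jms=org.apache.log4j.net.JMSAppender, so a class that is
    never named here is never instantiated by the configuration."""
    refs = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        refs.update(m.rstrip(".") for m in re.findall(r"org\.apache\.log4j\.[\w.$]+", line))
    return refs


def _belongs_to(name, component):
    """True if name is the component, an inner class of it, or a class in that package."""
    return name == component or name.startswith(component + ".") or name.startswith(component + "$")


def triage(jar_bytes, config_text):
    """Per CVE: does the jar ship the component, and does the config enable it?"""
    shipped_classes = classes_in_jar(jar_bytes)
    configured = log4j_classes_in_config(config_text)
    report = {}
    for cve, component in LOG4J1_CVE_COMPONENTS.items():
        shipped = any(_belongs_to(c, component) for c in shipped_classes)
        used = any(_belongs_to(r, component) for r in configured)
        if not shipped:
            verdict = "not shipped"
        elif used:
            verdict = "shipped and configured: exposed"
        else:
            verdict = "shipped but not configured: not exposed by config"
        report[cve] = {"shipped": shipped, "configured": used, "verdict": verdict}
    return report


def build_sample_jar():
    """Constructed stand-in for log4j-1.2.15.jar: empty entries under the real class paths."""
    entries = [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/ConsoleAppender.class",
        "org/apache/log4j/PatternLayout.class",
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/net/SMTPAppender.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/net/JMSSink.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
        "org/apache/log4j/chainsaw/Main.class",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()


# Constructed configurations: the first only logs to the console, the second
# additionally wires in the JMSAppender behind CVE-2021-4104.
CONSOLE_ONLY_CONFIG = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""

JMS_CONFIG = CONSOLE_ONLY_CONFIG + """\
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for label, cfg in (("console-only", CONSOLE_ONLY_CONFIG), ("with JMSAppender", JMS_CONFIG)):
        print("== %s ==" % label)
        for cve, row in triage(build_sample_jar(), cfg).items():
            print("%s: %s" % (cve, row["verdict"]))
```

The properties scan only covers components enabled through configuration; an appender constructed directly from Java code is not caught by it, so a grep of the sources (or a bytecode reference search) for the same class names completes the "we don't use it" argument. Dropping the jar altogether, as the thread proposes for html.validator, removes the need for the triage entirely.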