[
https://issues.apache.org/jira/browse/PHOENIX-7169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nihal Jain updated PHOENIX-7169:
--------------------------------
Description:
Apache phoenix-connectors has log4j:log4j:1.2.17 as direct dependency (See
[https://github.com/apache/phoenix-connectors/blob/master/pom.xml#L830]), which
is vulnerable: [https://security.snyk.io/package/maven/log4j:log4j/1.2.17]
In my org, this dependency is not even allowed to be downloaded and hence I
can't even build the code in it's current state.
With this ticket I plan to completely remove it from the project.
CC: [~stoty]
was:
Apache phoenix-connectors has log4j:log4j:1.2.17 as direct dependency (See
https://github.com/apache/phoenix-connectors/blob/80abdb4e7886765af6bc8cfc7f893cf7e74f0b8c/pom.xml#L832),
which is vulnerable:
[https://security.snyk.io/package/maven/log4j:log4j/1.2.17]
In my org, this dependency is not even allowed to be downloaded and hence I
can't even build the code in it's current state.
With this ticket I plan to completely remove it from the project.
CC: [~stoty]
> Phoenix-connectors should not depend on log4j:log4j
> ---------------------------------------------------
>
> Key: PHOENIX-7169
> URL: https://issues.apache.org/jira/browse/PHOENIX-7169
> Project: Phoenix
> Issue Type: Improvement
> Components: connectors, hive-connector, spark-connector
> Reporter: Nihal Jain
> Assignee: Nihal Jain
> Priority: Major
> Labels: security
>
> Apache phoenix-connectors has log4j:log4j:1.2.17 as direct dependency (See
> [https://github.com/apache/phoenix-connectors/blob/master/pom.xml#L830]),
> which is vulnerable:
> [https://security.snyk.io/package/maven/log4j:log4j/1.2.17]
> In my org, this dependency is not even allowed to be downloaded and hence I
> can't even build the code in it's current state.
> With this ticket I plan to completely remove it from the project.
> CC: [~stoty]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
