Hi,

On Mon, Dec 13, 2021 at 11:36 AM Carsten Ziegeler <cziege...@apache.org> wrote:
> ...we could state that Sling based applications are not affected if they
> use the standard logging setup with commons log and log4j-over-slf4j and
> if there are no application bundles embedding a vulnerable log4j version...
Isn't there a (vague) risk that one of our transitive dependencies embeds log4j2?

If we make a statement I think it should include the list of modules we have checked as "not embedding log4j2" and describe the method used for that check.

I suppose running "mvn dependency:tree | grep <some pattern>" is a reasonable way of checking, so maybe this can be the script used to check, from the top of a complete checkout of the Sling modules:

  $ export PATTERN=<grep pattern that detects unwanted dependencies>
  $ find . -name pom.xml | while read -r pom; do pushd "$(dirname "$pom")"; mvn dependency:tree | grep "$PATTERN"; popd; done

-Bertrand
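As an added illustration of the check described above (this is not Bertrand's script nor anything from the Sling project): a POSIX sh version that parses the dependency:tree output and reports each log4j2 artifact with its version and its depth in the tree, so a transitive pull shows up per module. The PATTERN value, the function names and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Bertrand's script): report every log4j2 artifact a Maven
# module pulls in, with its version and its depth in the dependency tree, so
# that transitive occurrences (depth > 1) are visible. PATTERN, the function
# names and the sample tree below are constructed for illustration.

# log4j2 groupId; org.slf4j:log4j-over-slf4j (the bridge) is deliberately not matched.
PATTERN='org.apache.logging.log4j:'

# log4j_hits: reads `mvn dependency:tree` text on stdin and prints one line per
# matching dependency row as "<depth> <groupId:artifactId:type:version:scope>".
log4j_hits() {
  awk -v pat="$PATTERN" '
    /^\[INFO\] / {
      line = substr($0, 8)                          # drop the "[INFO] " prefix
      if (line !~ /^([|]  |   )*[+\\]- /) next      # keep only "+- " / "\- " rows
      pos = index(line, "- ")
      depth = (pos - 2) / 3 + 1                     # each tree level indents by 3
      coord = substr(line, pos + 2)
      if (index(coord, pat) == 1) print depth, coord
    }'
}

# scan_checkout: apply log4j_hits to every module below a checkout directory.
# Needs mvn on PATH and resolvable dependencies (network or a populated ~/.m2).
scan_checkout() {
  find "${1:-.}" -name pom.xml | while read -r pom; do
    dir=$(dirname "$pom")
    hits=$(cd "$dir" && mvn -B dependency:tree | log4j_hits)
    if [ -n "$hits" ]; then
      printf '%s\n%s\n' "$dir" "$hits"
    fi
  done
}

# Constructed sample of dependency:tree output for one module: log4j-core
# arrives only through a third-party library, i.e. transitively.
SAMPLE='[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example ---
[INFO] org.apache.sling:org.apache.sling.example:jar:1.0.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:provided
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] +- org.example:some-library:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- junit:junit:jar:4.12:test'

# Stand-alone run: show the hits for the constructed sample.
printf '%s\n' "$SAMPLE" | log4j_hits
```

Note that dependency:tree only sees declared Maven dependencies: a log4j copy shaded or embedded inside another bundle's jar will not appear here, so that case needs a separate look at the jar contents.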