[ https://issues.apache.org/jira/browse/LOG4J2-2987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17256557#comment-17256557 ]
Matt Sicker commented on LOG4J2-2987:
-------------------------------------

This is odd. We set the scope of all our test dependencies in the parent pom: [https://github.com/apache/logging-log4j2/blob/86353b026cbdb573bf9d3056ce47c602e9962c4d/pom.xml#L693-L763] Could be a bug in Snyk's Maven support?

> Snyk reports vulnerability for log4j-to-slf4j caused by junit transitive dependency
> ----------------------------------------------------------------------------------
>
> Key: LOG4J2-2987
> URL: https://issues.apache.org/jira/browse/LOG4J2-2987
> Project: Log4j 2
> Issue Type: Improvement
> Components: SLF4J Bridge
> Affects Versions: 2.14.0
> Reporter: Hakan Altindag
> Priority: Minor
> Attachments: image-2020-12-30-11-44-03-287.png
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> I am using log4j-to-slf4j bridge for my own library. During the regular vulnerability scan it reported that it has a vulnerability caused by a transitive dependency from log4j-api which has a compile scoped dependency of org.junit.jupiter:junit-jupiter-migrationsupport.
> See here for a screenshot:
> !image-2020-12-30-11-44-03-287.png!
> See here for the report:
> [https://app.snyk.io/org/hakky54/project/667055da-a0a4-461f-a169-e88bd2f94ce1]
>
> This issue can be fixed when adding the test scope to the dependency in the following file:
> https://github.com/apache/logging-log4j2/blob/master/log4j-api/pom.xml
> I am not familiar with the code base, so I was not sure if someone did not put a test scope on purpose... But looking at the other dependencies the following could also be marked as test scope: junit-vintage-engine, junit-jupiter-migrationsupport, junit-jupiter-params, junit-jupiter-engine, assertj-core

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
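As an added illustration, not taken from the Log4j poms, of the two ways the scope can be expressed: Maven applies the `<scope>` from a parent's `<dependencyManagement>` entry to a child dependency that omits it (the pattern Matt describes), and repeating `<scope>test</scope>` in the child (the change Hakan proposes) produces the same effective POM. The artifact coordinates are from the issue; the version is a placeholder.

```xml
<!-- Parent POM: scope managed centrally, as the Log4j parent does -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-migrationsupport</artifactId>
        <version>JUNIT_VERSION_PLACEHOLDER</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- Child POM, form A: no scope element. Maven fills in "test" from
     dependencyManagement; a tool that reads this POM without resolving
     the parent sees no scope and would assume "compile", Maven's default. -->
<dependencies>
  <dependency>
    <groupId>org.junit.jupiter</groupId>
    <artifactId>junit-jupiter-migrationsupport</artifactId>
  </dependency>
</dependencies>

<!-- Child POM, form B: scope stated explicitly, as proposed in the issue.
     Same effective result, but visible without resolving the parent. -->
<dependencies>
  <dependency>
    <groupId>org.junit.jupiter</groupId>
    <artifactId>junit-jupiter-migrationsupport</artifactId>
    <scope>test</scope>
  </dependency>
</dependencies>
```

To confirm what Maven itself resolves, `mvn help:effective-pom` prints the merged POM with the inherited `<scope>`, and `mvn dependency:tree -Dscope=compile` omits test-scoped artifacts, so a JUnit module appearing there would indicate it really is on the compile classpath.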