[PHOENIX-7169] Phoenix-connectors should not depend on log4j:log4j - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: connectors, hive-connector, spark-connector
Labels:
- security

Description

Apache phoenix-connectors has log4j:log4j:1.2.17 as direct dependency (See https://github.com/apache/phoenix-connectors/blob/master/pom.xml#L830), which is vulnerable: https://security.snyk.io/package/maven/log4j:log4j/1.2.17

In my org, this dependency is not even allowed to be downloaded and hence I can't even build the code in it's current state.

With this ticket I plan to completely remove it from the project.

Attachments

Issue Links

is depended upon by

PHOENIX-6938 Prepare for for the first Phoenix Connectors release

Open

Activity

People

Assignee:: Nihal Jain

Reporter:: Nihal Jain

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Jan/24 17:03

Updated:: 09/Feb/24 09:17