From 708ac736ab3fc14edb21e67bc8be9c4b6768cdf0 Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Fri, 10 Dec 2021 22:56:07 +0100
Subject: [PATCH] Update Log4j 2 API to 2.15.0

While we are not affected by CVE-2021-4428 as we are only using the Log4j2 API and not the implementation which contains the security flaw, security scanners are known to not always be as fine grained as we would have liked and we don't want Quarkus to be reported as unsafe because of false positives.

(cherry picked from commit aead1da0e08a4fc8f57036de83afc78ad472c072)
---
 .github/dependabot.yml | 1 +
 bom/application/pom.xml | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 49a5c960c7239..fcb4696603460 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -27,6 +27,7 @@ updates:
 - dependency-name: com.jcraft:jzlib
 - dependency-name: org.jboss.logging:*
 - dependency-name: org.jboss.logmanager:*
+ - dependency-name: org.apache.logging.log4j:log4j-api
 - dependency-name: org.glassfish:jakarta-el
 # Quarkus
 - dependency-name: io.quarkus.gizmo:gizmo
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
index 987820c4ee395..f55cf17413a45 100644
--- a/bom/application/pom.xml
+++ b/bom/application/pom.xml
@@ -198,6 +198,7 @@
 2.8.6
 0.46
 1.0.0.Final
+ 2.15.0
 1.2.2.Final
 1.10.2
 2.0.1.Final
@@ -2780,6 +2781,15 @@
+
+
+ org.apache.logging.log4j
+ log4j-api
+ ${log4j2-api.version}
+ org.jboss.logmanager
+ log4j-jboss-logmanager
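Review bot: The added `dependency-name: org.apache.logging.log4j:log4j-api` entry appears to sit in this update's `ignore:` list (the list key itself is outside the hunk, so this is inferred from the neighbouring entries), which means Dependabot will stop proposing newer Log4j 2 API releases for the very artifact this commit bumps to keep security scanners quiet; any later advisory against that artifact then has to be noticed and bumped by hand in `bom/application/pom.xml`. That trade-off is only stated in the commit message today, so a comment next to the entry would help the next maintainer, e.g. `# Log4j 2 API is pinned in bom/application/pom.xml (log4j2-api.version); bump it there when a new release is published` placed directly above the new line. The rendering here has lost the hunk's leading indentation, so confirm the new entry is at the same depth as its siblings in the actual file.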
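Review bot: The first pom.xml hunk pins `log4j2-api.version` to 2.15.0 with no inline rationale, while the reason given in the commit message is scanner false positives rather than an actual exposure (only the Log4j 2 API is consumed, not the implementation); an XML comment beside the property, e.g. `<!-- Only the Log4j 2 API is used, not the implementation; kept current so security scanners do not flag the BOM. Dependabot ignores this artifact, bump manually. -->`, keeps that context with the pin. The CVE identifier quoted in the description appears to be missing a digit, so it is worth checking it against the published Log4j advisory before merging so the rationale stays traceable. The second pom.xml hunk has lost its XML element names in this rendering, so the new dependency block itself cannot be reviewed from this page.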