-
OSS Index is not properly identifying the vulnerability on 2.12.2, but is identifying it on 2.12.1. Please report these issues to OSS Index. Once resolved, DT will correctly identify it.
-
This looks fine to me, the vuln is in log4j-core, if logs are being bridged
to slf4j who can say what the implementation is. Correctly not reported.
On Tue, Dec 14, 2021 at 9:02 PM qianweichun ***@***.***> wrote:
It is version 2.12.1, I just mistyped.
[image: Screenshot 2021-12-15 10:59:40 AM]
<https://user-images.githubusercontent.com/45196316/146115349-941e2659-8883-491d-8db5-f20ce0ef7f8c.png>
-
I have uploaded an SBOM to dependencytrack including pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3. There is no vulnerability found. It looks like the identifier is present: Sonatype OSS Index is on. I see nothing special in the logfile:
Generally vulnerabilities are found: Am I missing something? Thank you for your help.
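An added example, not part of any post in this thread and not Dependency-Track code: a Python check of whether a CycloneDX JSON SBOM really carries the log4j-core package URL quoted above, including in nested components, and which log4j-core entries have no purl for a purl-based lookup such as OSS Index to match on. The SBOM content and the function names are constructed for illustration.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX JSON SBOM (sample data, not taken from the thread).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.3",
    "components": [
        {"type": "library", "name": "log4j-api", "version": "2.13.3",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3?type=jar"},
        {"type": "library", "name": "app-bundle", "version": "1.0",
         "components": [  # nested entry, missed if only the top level is read
             {"type": "library", "name": "log4j-core", "version": "2.13.3",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"}]},
        {"type": "library", "name": "log4j-core", "version": "2.12.1"},  # no purl
    ],
})
TARGET = ("maven", "org.apache.logging.log4j", "log4j-core")

def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version); None if malformed."""
    if not purl or not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = [unquote(p) for p in body.strip("/").split("/")]
    if len(parts) < 2:
        return None
    return (parts[0].lower(), "/".join(parts[1:-1]), parts[-1],
            unquote(version) if version else None)

def walk(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def find_log4j_core(sbom_text):
    """Return (versions matched by purl, log4j-core entries that lack a purl)."""
    matched, no_purl = [], []
    for comp in walk(json.loads(sbom_text).get("components")):
        parsed = parse_purl(comp.get("purl"))
        if parsed is None:
            if comp.get("name") == "log4j-core":
                no_purl.append(f'{comp["name"]}@{comp.get("version")}')
        elif parsed[:3] == TARGET:  # log4j-api and the slf4j bridges do not match
            matched.append(parsed[3])
    return matched, no_purl
```
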
-
Has anyone checked a log4j-core 2.x in dependency-track, just to check whether my installation is ok or not?
-
Now the vulnerability for log4j is shown. Strange. Maybe a timing problem or just a restart...
-
It is clear that my projects are using log4j 2.12.1, but dependency track could not detect VULs about CVE-2021-44228. What could we do to solve this?