From 2140eeb473fbcb9447f0738271a1afba712cd1e9 Mon Sep 17 00:00:00 2001 From: David Byron Date: Thu, 10 Aug 2023 11:44:16 -0700 Subject: [PATCH] chore(dependencies): use version 2.20.0 of log4j-bom to stay up to date --- spinnaker-dependencies/spinnaker-dependencies.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spinnaker-dependencies/spinnaker-dependencies.gradle b/spinnaker-dependencies/spinnaker-dependencies.gradle index 503c4e550..37eaa1796 100644 --- a/spinnaker-dependencies/spinnaker-dependencies.gradle +++ b/spinnaker-dependencies/spinnaker-dependencies.gradle @@ -57,8 +57,8 @@ dependencies { */ // Log4shell safeguard. Per analysis, log4j-core is not included in dependencies, but this would prevent transitive inclusion of it by extension // platforms. Doing 2.16.0 which completely removes message lookups AND sets jndi to disabled by default - // 2.16.0 is subject to CVE-2021-45105. 2.17.0 is subject to CVE-2021-44832, so use 2.17.1. - api(platform("org.apache.logging.log4j:log4j-bom:2.17.1")) + // 2.16.0 is subject to CVE-2021-45105. 2.17.0 is subject to CVE-2021-44832, so use >= 2.17.1. + api(platform("org.apache.logging.log4j:log4j-bom:2.20.0")) //Upgrade of spring boot 2.5.x brings groovy 3.x as transitive dependency. //To avoid transitive upgrade of groovy, pinning it with enforcedPlatform() closure.
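Review bot: the comment two lines above the changed pair, "Doing 2.16.0 which completely removes message lookups AND sets jndi to disabled by default", is left stale once the platform line moves to `log4j-bom:2.20.0`; please update it in the same hunk so the rationale reads as a floor rather than a pinned version, e.g. "Pinned to 2.20.0; anything >= 2.17.1 removes message lookups and disables JNDI by default". Since the comment also states that log4j-core is "not included in dependencies" on the strength of an earlier analysis, it would be worth re-running the Gradle dependency report after the bump to confirm that the BOM is still only constraining transitive versions and not introducing log4j-core itself.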