OSS Index is not properly identifying the vulnerability on 2.12.2, but is identifying it on 2.12.1. Please report these issues to OSS Index. Once resolved, DT will correctly identify it.
-
This looks fine to me; the vuln is in log4j-core. If logs are being bridged to slf4j, who can say what the implementation is? Correctly not reported.
On Tue, Dec 14, 2021 at 9:02 PM qianweichun wrote:
It is version 2.12.1, I just mistyped.
[image: Screenshot 2021-12-15 10:59:40 AM]
<https://user-images.githubusercontent.com/45196316/146115349-941e2659-8883-491d-8db5-f20ce0ef7f8c.png>
-
I have uploaded an SBOM to Dependency-Track including pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3. There is no vulnerability found. It looks like the identifier is present: Sonatype OSS Index is on. I see nothing special in the logfile:
Generally vulnerabilities are found: Am I missing something? Thank you for your help.
-
Has anyone checked a log4j-core 2.x in Dependency-Track, just to check whether my installation is OK or not?
-
Now the vulnerability for log4j is shown. Strange. Maybe a timing problem or just a restart...
-
It is clear that my projects are using log4j 2.12.1, but Dependency-Track could not detect vulnerabilities for CVE-2021-44228. What could we do to solve this?