Hibernate-validator 6.1.5 contains a high severity vulnerability, according to Snyk scan:
[WARNING] ✗ high severity vulnerability found on log4j:email@example.com
[WARNING] - desc: Deserialization of Untrusted Data
[WARNING] - info: https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732
[WARNING] - from: org.hibernate.validator:firstname.lastname@example.org.Final > org.jboss.logging:email@example.com.Final > log4j:firstname.lastname@example.org
The dependency is just provided so it's not included in your project when you use Hibernate Validator.
Is there a reason you depend on log4j?
So I can safely exclude the dependency?
We do not depend on log4j. It's a test dependency.
Just check your dependency tree and you will see it's not there.
That being said, I moved our tests to use Log4j 2 in https://hibernate.atlassian.net/browse/HV-1803 .
So I will close this one as rejected as HV itself does not contain a security vulnerability, it's the tool not properly asserting it's a test dependency.
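The check suggested above (look at the dependency tree and confirm log4j is not on the compile/runtime classpath) as an added example, not code from the thread or from Hibernate Validator. It parses the text printed by `mvn dependency:tree`; the tree below is constructed and its versions are sample values, not taken from the report.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (versions are placeholders).
# log4j only appears under a test-scoped dependency, as described in the thread.
SAMPLE_TREE = """\
[INFO] org.example:demo-app:jar:1.0-SNAPSHOT
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.1.5.Final:compile
[INFO] |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  \\- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] \\- junit:junit:jar:4.13:test
[INFO]    \\- log4j:log4j:jar:1.2.17:test
"""

RUNTIME_SCOPES = {"compile", "runtime"}          # scopes that ship with the application
ALL_SCOPES = RUNTIME_SCOPES | {"test", "provided", "system"}
# "[INFO] " prefix, tree-drawing characters, then group:artifact:type[:classifier]:version[:scope]
_LINE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*)(?P<coords>\S+)")


def parse_tree(text: str) -> List[Tuple[List[str], str]]:
    """Return (path of group:artifact coordinates from the root, scope) for every node."""
    nodes, stack = [], []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                               # banner or non-tree output line
        depth = len(m.group("prefix")) // 3        # each tree level is three characters wide
        fields = m.group("coords").split(":")
        scope = fields[-1] if fields[-1] in ALL_SCOPES else "compile"  # root has no scope
        del stack[depth:]                          # pop back to the parent level
        stack.append(":".join(fields[:2]))
        nodes.append((list(stack), scope))
    return nodes


def paths_to(text: str, group_artifact: str) -> List[Tuple[List[str], str]]:
    """Every path by which group:artifact enters the tree, with its resolved scope."""
    return [(path, scope) for path, scope in parse_tree(text) if path[-1] == group_artifact]


def on_runtime_classpath(text: str, group_artifact: str) -> bool:
    """True only if some path to the artifact resolves to compile or runtime scope."""
    return any(scope in RUNTIME_SCOPES for _, scope in paths_to(text, group_artifact))


if __name__ == "__main__":
    for path, scope in paths_to(SAMPLE_TREE, "log4j:log4j"):
        print(" > ".join(path), f"[{scope}]")
    print("ships with the app:", on_runtime_classpath(SAMPLE_TREE, "log4j:log4j"))
```

Run it against your own project's `mvn dependency:tree` output to see whether a scanner finding reaches the packaged application or, as here, only the test classpath.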