Hibernate-validator contains a high-severity vulnerability

Description

Hibernate-validator 6.1.5 contains a high-severity vulnerability, according to a Snyk scan:

[WARNING] ✗ high severity vulnerability found on log4j:log4j@1.2.16
[WARNING] - desc: Deserialization of Untrusted Data
[WARNING] - info: https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732
[WARNING] - from: org.hibernate.validator:hibernate-validator@6.1.5.Final > org.jboss.logging:jboss-logging@3.4.1.Final > log4j:log4j@1.2.16

https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732

Environment

Jvm-13-openj9
OS: Osx

Activity

Guillaume Smet
September 18, 2020, 9:10 AM

The dependency is just provided, so it's not included in your project when you use Hibernate Validator.

Søren Jepsen
September 20, 2020, 6:49 AM

Is there a reason you depend on log4j?

So I can safely exclude the dependency?

Guillaume Smet
September 28, 2020, 2:57 PM

We do not depend on log4j. It's a test dependency.

Just check your dependency tree and you will see it's not there.

That being said, I moved our tests to use Log4j 2 in https://hibernate.atlassian.net/browse/HV-1803.

So I will close this one as rejected, as HV itself does not contain a security vulnerability; it's the tool not properly asserting it's a test dependency.
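The "check your dependency tree" advice above, as an added example that is not part of this issue or of Hibernate Validator: a small Python parser for the default `mvn dependency:tree` output that reports whether a scanner-flagged group:artifact actually reaches the packaged runtime classpath (compile or runtime scope) or is absent / only at test or provided scope. Both tree texts are constructed samples, no build is run, and the `my-app` project is hypothetical.

```python
import re
from typing import List, Tuple

# Maven scopes whose artifacts are packaged with the application; test and
# provided dependencies never reach the runtime classpath.
SHIPPED_SCOPES = {"compile", "runtime"}

Node = Tuple[str, str]  # (group:artifact:version, scope; "root" for the project)
# One node line of default `mvn dependency:tree` output: "[INFO] ", a tree prefix
# of 3-char cells (+- , \- , |  , spaces), then g:a:type[:classifier]:version[:scope].
_NODE = re.compile(r"^\[INFO\] (?:[|+\\ -]{3})*?"
                   r"(?P<coord>[A-Za-z0-9][^\s:]*(?::[^\s:]+){3,5})$")

def parse_maven_tree(text: str) -> List[Node]:
    nodes: List[Node] = []
    for line in text.splitlines():
        m = _NODE.match(line)
        if not m:
            continue                      # plugin banners, separators, etc.
        fields = m.group("coord").split(":")
        if len(fields) == 4:              # project root: g:a:type:version
            version, scope = fields[3], "root"
        else:                             # g:a:type[:classifier]:version:scope
            version, scope = fields[-2], fields[-1]
        nodes.append((f"{fields[0]}:{fields[1]}:{version}", scope))
    return nodes

def occurrences(tree: str, group_artifact: str) -> List[Node]:
    """Every node for the given group:artifact, whatever its version."""
    return [n for n in parse_maven_tree(tree)
            if n[0].rsplit(":", 1)[0] == group_artifact]

def is_shipped(tree: str, group_artifact: str) -> bool:
    """True only if some occurrence lands on the packaged runtime classpath."""
    return any(scope in SHIPPED_SCOPES for _, scope in occurrences(tree, group_artifact))

# Constructed sample: what a consumer of hibernate-validator 6.1.5.Final sees.
# log4j is absent because Maven does not propagate a library's test dependencies.
TREE_CONSUMER = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:jar:1.0.0
[INFO] \\- org.hibernate.validator:hibernate-validator:jar:6.1.5.Final:compile
[INFO]    \\- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
"""

# Constructed sample: the same app also declaring log4j 1.2.16 at compile scope,
# the only kind of case in which the scanner's finding would actually matter.
TREE_DIRECT = TREE_CONSUMER.replace(
    "\\- org.hibernate", "+- org.hibernate").replace("[INFO]    ", "[INFO] |  ")
TREE_DIRECT += "[INFO] \\- log4j:log4j:jar:1.2.16:compile\n"
```

Run `occurrences(tree, "log4j:log4j")` on the real `mvn dependency:tree` output of your own project; an empty result, or only `test`/`provided` scopes, means the flagged artifact is not shipped.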

Assignee

Unassigned

Reporter

Søren Jepsen

Labels

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

Pull Request

None

backportDecision

None

backportReEvaluate

None

Components

Affects versions

Priority

Major