Hibernate-validator contains high severity vulnerability
Description
Hibernate-validator 6.1.5 contains a high severity vulnerability, according to a Snyk scan:
[WARNING] ✗ high severity vulnerability found on log4j:log4j@1.2.16
[WARNING] - desc: Deserialization of Untrusted Data
[WARNING] - info: https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732
[WARNING] - from: org.hibernate.validator:hibernate-validator@6.1.5.Final > org.jboss.logging:jboss-logging@3.4.1.Final > log4j:log4j@1.2.16
Environment
Jvm-13-openj9
OS: OSX
Activity
We do not depend on log4j. It's a test dependency.
Just check your dependency tree and you will see it's not there.
That being said, I moved our tests to use Log4j 2 in https://hibernate.atlassian.net/browse/HV-1803 .
So I will close this one as rejected, as HV itself does not contain a security vulnerability; it's the tool not properly asserting that it's a test dependency.
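The check the maintainer asks for ("look at your dependency tree") can be automated. The script below is an added example, not code from the Hibernate Validator project or from Snyk: it parses the plain-text output of `mvn dependency:tree`, lists every path by which a given groupId:artifactId is pulled in, and reports whether any of those paths has compile or runtime scope, which is what decides whether the artifact actually ships with an application. The three trees embedded in it are constructed samples (coordinates and versions chosen for illustration), not real build output: one resembling a library's own build where log4j is a test-scoped dependency, one for an application consuming that library where log4j never appears, and one where a different library really does pull log4j onto the runtime classpath.

```python
"""Classify a Maven artifact by the scope of the paths that pull it in.

Added example (not from Hibernate Validator or Snyk). A scanner that walks
declared dependencies can flag a test- or provided-scoped artifact as if it
were shipped; the authoritative view is the resolved tree that
`mvn dependency:tree` prints for the project you actually build.
"""
import re

# A tree line looks like:
#   [INFO] |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
# The prefix made of "|  ", "   ", "+- " and "\- " encodes the depth (3 chars per level).
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ] {2}|[+\\]- )*)(?P<coord>\S+)$")

# Only these scopes end up on the application's runtime classpath. "test" and
# "provided" dependencies of a library are not transitive to its consumers.
RUNTIME_SCOPES = {"compile", "runtime"}


def parse_tree(text):
    """Return (depth, groupId, artifactId, version, scope) tuples; root has scope None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # plugin banners, BUILD SUCCESS, blank [INFO] lines, ...
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        if len(parts) == 4:        # root project: group:artifact:type:version
            g, a, v, scope = parts[0], parts[1], parts[3], None
        elif len(parts) == 5:      # group:artifact:type:version:scope
            g, a, v, scope = parts[0], parts[1], parts[3], parts[4]
        elif len(parts) == 6:      # group:artifact:type:classifier:version:scope
            g, a, v, scope = parts[0], parts[1], parts[4], parts[5]
        else:
            continue               # e.g. a "[INFO] ----" separator line
        rows.append((depth, g, a, v, scope))
    return rows


def paths_to(rows, group_id, artifact_id):
    """Every root-to-artifact path, each node rendered as g:a:v[:scope]."""
    stack, found = [], []
    for depth, g, a, v, scope in rows:
        del stack[depth:]                       # back up to this node's parent
        stack.append((g, a, v, scope))
        if g == group_id and a == artifact_id:
            found.append([":".join(x for x in n if x) for n in stack])
    return found


def report(tree_text, group_id, artifact_id):
    """Summarise presence, observed scopes and runtime reachability of an artifact."""
    rows = parse_tree(tree_text)
    hits = [r for r in rows if r[1] == group_id and r[2] == artifact_id]
    return {
        "present": bool(hits),
        "scopes": sorted({r[4] for r in hits if r[4]}),
        "runtime": any(r[4] in RUNTIME_SCOPES for r in hits),
        "paths": paths_to(rows, group_id, artifact_id),
    }


# Constructed sample: a library's own build, log4j declared only for its tests.
LIBRARY_BUILD_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ hibernate-validator ---
[INFO] org.hibernate.validator:hibernate-validator:jar:6.1.5.Final
[INFO] +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] +- log4j:log4j:jar:1.2.16:test
[INFO] \\- junit:junit:jar:4.13:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# Constructed sample: an application consuming that library; log4j is absent.
CONSUMER_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.1.5.Final:compile
[INFO] |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  \\- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] \\- junit:junit:jar:4.13:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Constructed sample: a hypothetical bridge library that really ships log4j.
LEAKY_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.1.5.Final:compile
[INFO] |  \\- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] \\- com.example:legacy-logging-bridge:jar:0.9:compile
[INFO]    \\- log4j:log4j:jar:1.2.16:compile
"""

if __name__ == "__main__":
    for name, tree in [("library build", LIBRARY_BUILD_TREE),
                       ("consumer", CONSUMER_TREE), ("leaky", LEAKY_TREE)]:
        print(name, report(tree, "log4j", "log4j"))
```

In practice, run `mvn dependency:tree` in the project that produces your deployable artifact and feed its output to `report`; a `test` or `provided` scope in a library's own tree means the artifact is not transitive to you, and it should simply not appear in your tree at all, as the maintainer says. The only finding that warrants action is a path whose scope is compile or runtime.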
Is there a reason you depend on log4j?
So I can safely exclude the dependency?
The dependency is just provided so it's not included in your project when you use Hibernate Validator.