Hibernate-validator contains high severity vulnerability

Description

Hibernate-validator 6.1.5 contains high severity vulnerability, according to Snyk scan:

[WARNING] ✗ high severity vulnerability found on log4j:log4j@1.2.16
[WARNING] - desc: Deserialization of Untrusted Data
[WARNING] - info: https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732
[WARNING] - from: org.hibernate.validator:hibernate-validator@6.1.5.Final > org.jboss.logging:jboss-logging@3.4.1.Final > log4j:log4j@1.2.16

https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732

Environment

Jvm-13-openj9
OS: Osx

Activity

Show:

Guillaume Smet

September 18, 2020, 9:10 AM

Copy link to comment

The dependency is just provided so it's not included in your project when you use Hibernate Validator.

Søren Jepsen

September 20, 2020, 6:49 AM

Copy link to comment

Is there a reason, you depend on log4j?

So i can safely exclude the dependency?

Guillaume Smet

September 28, 2020, 2:57 PM

Copy link to comment

We do not depend on log4j. It's a test dependency.

Just check your dependency tree and you will see it's not there.

That being said, I moved our tests to use Log4j 2 in https://hibernate.atlassian.net/browse/HV-1803 .

So I will close this one as rejected as HV itself does not contain a security vulnerability, it's the tool not properly asserting it's a test dependency.

Assignee

Unassigned

Reporter

Søren Jepsen

Labels

log

logging

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

Pull Request

None

backportDecision

None

backportReEvaluate

None

Components

engine

Affects versions

6.1.5.Final

Priority

Major

Configure