apache
HIVE-28164: Remove log4j transitive dependency
What changes were proposed in this pull request?
There are dependency like accumulo and slf4j bringing log4j vulnerable jars in dependency tree. There are few dependencies also which don't appear in dependecy tree but are bringing old and vulnerable log4j. This can be observed in local m2 repo cache.
Why are the changes needed?
For CVE's and security reasons.
Does this PR introduce any user-facing change?
NO
Is the change a dependency upgrade?
Yes, here is new dependency tree: new-dependency-tree.txt
How was this patch tested?
Will see the UT from CI
@zabetak, if you have bandwidth can you please review and provide your inputs on this?
Apologies for the late response, Have updated the PR with suggested changes. I have created a new enforcer execution step to search for transitive dependencies of log4j. The scope of this PR is to only exclude log4j.
Quality Gate passed
Issues
1 New issue
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
See analysis details on SonarCloud
![sonarqubecloud[bot] avatar](https://avatars.githubusercontent.com/in/12526?v=4 "Published by a pub.dev verified publisher"){kind=small}
Quality Gate passed
Issues
1 New issue
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
See analysis details on SonarCloud
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Feel free to reach out on the [email protected] list if the patch is in need of reviews.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thanks @zabetak , for the review. your insights are always appreciated. I will address the review comments :-)
Quality Gate passed
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
See analysis details on SonarCloud