author Dan Timoney <dtimoney@att.com> 2022-03-23 19:43:18 -0400
committer Dan Timoney <dtimoney@att.com> 2022-03-23 19:43:18 -0400
commit d94fe513dcb5e0ab5f51bb0ad59f5cd8198751f5 (patch)
tree 359e8516c6204eab6b64d8ffdbc543d5ceafe964
parent d08b0904f30ea7696b5c46a4f78ca17e46c6b1a1 (diff)
Document transitive log4j dependencies
Document log4j 1.x transitive dependencies in release notes

Issue-ID: CCSDK-3602
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: If32331b32062f386c5beb39e86db8ad36ba4d27a
-rw-r--r-- docs/release-notes.rst 22
1 files changed, 22 insertions, 0 deletions
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 217c2bd9..4b6e2c05 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -64,6 +64,28 @@ The full list of `bugs fixed in the CCSDK Istanbul release <https://jira.onap.o
The full list of `known issues in CCSDK <https://jira.onap.org/issues/?filter=11341>`_ is maintained on the `ONAP Jira`_.
+It should be noted that several CCSDK repositories have a transitive dependency on log4j version 1.x. While this version
+is not vulnerable to the recent 'log4shell' vulnerability, there are other known vulnerabilities in this
+version. The following table summarizes where log4j 1.x is currently used in CCSDK:
+
++----------------+-----------------------------------------------------------------------------------+
+| Repository | Transitive dependencies |
++================+===================================================================================+
+| ccsdk/apps | org.onap.aaf.authz:aaf-misc-env:2.1.21 -> log4j:log4j:1.2.17 |
++----------------+-----------------------------------------------------------------------------------+
+| ccsdk/cds | org.hibernate:hibernate-testing:jar:5.4.32.Final -> log4j:log4j:1.2.17 |
++----------------+-----------------------------------------------------------------------------------+
+| | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.5 -> log4j:log4j:1.2.17 |
++----------------+-----------------------------------------------------------------------------------+
+| ccsdk/features | org.onap.aaf.authz:aaf-misc-env:2.1.21 -> log4j:log4j:1.2.17 |
++----------------+-----------------------------------------------------------------------------------+
+| | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.12 -> log4j:log4j:1.2.17 |
++----------------+-----------------------------------------------------------------------------------+
+| ccsdk/sli | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.12 -> log4j:log4j:1.2.17 | |
++----------------+-----------------------------------------------------------------------------------+
+
+
+
Deliverables
------------
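Review bot: the ccsdk/sli row at the end of the added table carries an extra `|` after its closing border (`... log4j:log4j:1.2.17 | |`), so that row no longer lines up with the `+---+---+` borders and the grid table may fail to render; drop the stray character. The two rows with an empty Repository cell are separated from the row above by a full `+----------------+` border, so they read as belonging to no repository; either repeat the repository name or leave the first-column segment of that separator blank so the cell spans both rows. The hibernate entry is written as `group:artifact:jar:version` while every other row uses `group:artifact:version`. The paragraph says log4j 1.x has "other known vulnerabilities" without naming them, so a link to the relevant advisories or to the tracking issue would let readers judge their exposure. The three blank `+` lines before Deliverables can be reduced to one.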