Document transitive log4j dependencies

Document log4j 1.x transitive dependencies in release notes Issue-ID: CCSDK-3602 Signed-off-by: Dan Timoney <dtimoney@att.com> Change-Id: If32331b32062f386c5beb39e86db8ad36ba4d27a (cherry picked from commit d94fe513dcb5e0ab5f51bb0ad59f5cd8198751f5)
author: Dan Timoney <dtimoney@att.com> 2022-03-23 19:43:18 -0400
committer: Dan Timoney <dtimoney@att.com> 2022-03-24 12:43:42 +0000
commit: 3d4c5dfb9e185c1e93a246c5b0d4462931aebb89 (patch)
tree: 363859a097510f124eb0d937ffeba26e7439d1b9
parent: 6e99580c2a69d2cbd2994dc51e6f305313248a91 (diff)
1 files changed, 22 insertions, 0 deletions
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 217c2bd9..4b6e2c05 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -64,6 +64,28 @@ The full list of `bugs fixed in the CCSDK  Istanbul release <https://jira.onap.o
 
 The full list of `known issues in CCSDK <https://jira.onap.org/issues/?filter=11341>`_ is maintained on the `ONAP Jira`_.
 
+It should be noted that several CCSDK repositories have a transitive dependency on log4j version 1.x.  While this version
+is not vulnerable to the recent 'log4shell' vulnerability, there are other known vulnerabilities in this
+version.  The following table summarizes where log4j 1.x is currently used in CCSDK:
+
++----------------+-----------------------------------------------------------------------------------+
+| Repository     | Transitive dependencies                                                           |
++================+===================================================================================+
+| ccsdk/apps     | org.onap.aaf.authz:aaf-misc-env:2.1.21 -> log4j:log4j:1.2.17                      |
++----------------+-----------------------------------------------------------------------------------+
+| ccsdk/cds      | org.hibernate:hibernate-testing:jar:5.4.32.Final -> log4j:log4j:1.2.17            |
++----------------+-----------------------------------------------------------------------------------+
+|                | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.5 -> log4j:log4j:1.2.17  |
++----------------+-----------------------------------------------------------------------------------+
+| ccsdk/features | org.onap.aaf.authz:aaf-misc-env:2.1.21 -> log4j:log4j:1.2.17                      |
++----------------+-----------------------------------------------------------------------------------+
+|                | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.12 -> log4j:log4j:1.2.17 |
++----------------+-----------------------------------------------------------------------------------+
+| ccsdk/sli      | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.12 -> log4j:log4j:1.2.17 |                                                                                |
++----------------+-----------------------------------------------------------------------------------+
+
+
+
 Deliverables
 ------------
author	Dan Timoney <dtimoney@att.com>	2022-03-23 19:43:18 -0400
committer	Dan Timoney <dtimoney@att.com>	2022-03-24 12:43:42 +0000
commit	3d4c5dfb9e185c1e93a246c5b0d4462931aebb89 (patch)
tree	363859a097510f124eb0d937ffeba26e7439d1b9
parent	6e99580c2a69d2cbd2994dc51e6f305313248a91 (diff)