  1. Quarkus
  2. QUARKUS-1717

Manage to log4j-api in RHBQ 2.2.5

Details

    • Bug
    • Resolution: Done
    • Major
    • 2.2.5.GA
    • 2.2.5.ER2, 2.2.5.ER3
    • platform, team/prod

    Description

      Looking at 2.2.5.Final-redhat-00004, there is still log4j-api 2.17.0 managed: http://indy.psi.redhat.com/api/content/maven/remote/group-static/io/quarkus/quarkus-bom/2.2.5.Final-redhat-00004/quarkus-bom-2.2.5.Final-redhat-00004.pom

      janstey@redhat.com mentioned that prodsec requires 2.17.1 even if it is -api that did not have any CVEs.

      We (Camel Quarkus) wanted to rely on quarkus-bom managing log4j-api 2.17.1 to fulfill the prodsec requirements, but like this we cannot even override the version in our BOM. I assume that in the platform, the Quarkus version would win anyway.


            People

              sausingh@redhat.com Saumya Singh
              ppalaga Peter Palaga
              Fedor Dudinskii Fedor Dudinskii