Quarkus / QUARKUS-1717

Manage to log4j-api in RHBQ 2.2.5

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 2.2.5.GA
    • 2.2.5.ER2, 2.2.5.ER3
    • platform, team/prod

      Looking at 2.2.5.Final-redhat-00004, there is still log4j-api 2.17.0 managed http://indy.psi.redhat.com/api/content/maven/remote/group-static/io/quarkus/quarkus-bom/2.2.5.Final-redhat-00004/quarkus-bom-2.2.5.Final-redhat-00004.pom

      janstey@redhat.com mentioned that prodsec requires 2.17.1 even if it is -api that did not have any CVEs

      We (Camel Quarkus) wanted to rely on quarkus-bom managing log4j-api 2.17.1 to fulfill the prodsec requirements, but like this we cannot even override the version in our BOM. I assume in the platform, the quarkus version would win anyway.

            sausingh@redhat.com Saumya Singh
            ppalaga Peter Palaga
            Fedor Dudinskii