Questions tagged [log4j-1.2-cve]
2 questions
3 votes, 3 answers
How to quickly detect and remove log4j classes from our code base and the base image? "mvn dependency:tree" does not check base image
We are building an app based on Red Hat JBoss AMQ 6. We wrap some Java code around the base image to provide extra functionalities which are lacking in AMQ 6.
Now, when the CVE of Log4j struck, we found that this component is vulnerable because it…

WesternGun
0 votes, 1 answer
jib - customized entrypoint can only remove classes at runtime, but will fail 3pp vulnerability check before deployment
I am using Jib to pull a base image, add my wrapper Java code to it, and build my image on top of that. Due to the widely known log4j CVE in December 2021, we are looking for a way to remove the vulnerable classes. (Now more CVEs are found in 2022,…

WesternGun