In our Sonatype scan for security vulnerabilities, we are getting log4j 1.2.17 flagged as a security threat. It seems log4j is coming in as part of slf4j-log4j12, a library that we are using in our code. I was thinking of excluding log4j in the pom.xml, so it would be something like:

<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-log4j12</artifactId>
  <version>1.7.30</version>
  <exclusions>
    <exclusion>
      <artifactId>log4j</artifactId>
      <groupId>log4j</groupId>
    </exclusion>
  </exclusions>
</dependency>
Compiling and running the project, it seems to be working fine. I am just wondering what the side effects of excluding the library like this would be. Are we going to get run-time errors? Any information in this area would be appreciated.
I had exactly the same issue. It is not generating any runtime error. My dependency in the pom looks like this:

<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-log4j12</artifactId>
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
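Added example, not code from either post above: a small startup probe that shows what the exclusion did on the actual runtime classpath. It assumes SLF4J 1.7.x, where slf4j-log4j12 binds through org.slf4j.impl.StaticLoggerBinder and needs the org.apache.log4j classes from log4j:log4j; the class and method names in the probe itself are my own.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Run this on the application's runtime classpath (for example with
 * mvn exec:java). It distinguishes two outcomes of excluding log4j from
 * slf4j-log4j12: a binding left without its backend (fails at first log
 * call), and log4j 1.x still present because another dependency pulls it in
 * (the exclusion removed nothing, so the scanner finding stays valid).
 */
public final class Slf4jBindingCheck {

    /** True if a class file is reachable on the classpath; no class is loaded or linked. */
    static boolean onClasspath(String resourcePath) {
        ClassLoader cl = Slf4jBindingCheck.class.getClassLoader();
        return cl != null && cl.getResource(resourcePath) != null;
    }

    /** Returns findings; an empty list means no log4j 1.x and no dangling binding. */
    static List<String> findings() {
        List<String> out = new ArrayList<>();
        // Shipped by slf4j-log4j12 (SLF4J 1.7.x binding mechanism).
        boolean binding = onClasspath("org/slf4j/impl/StaticLoggerBinder.class");
        // Shipped by log4j:log4j 1.2.x; StaticLoggerBinder references Level.TRACE.
        boolean log4j1 = onClasspath("org/apache/log4j/Level.class");
        if (binding && !log4j1) {
            out.add("slf4j-log4j12 is present but log4j 1.x is not: the first "
                  + "LoggerFactory.getLogger() call will throw NoClassDefFoundError "
                  + "for org/apache/log4j/Level.");
        }
        if (log4j1) {
            out.add("log4j 1.x is still on the classpath, so the exclusion did not remove it; "
                  + "find the other path with: mvn dependency:tree -Dincludes=log4j:log4j");
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> problems = findings();
        if (problems.isEmpty()) {
            System.out.println("OK: no log4j 1.x classes and no binding without a backend.");
        }
        for (String p : problems) {
            System.out.println("WARNING: " + p);
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

If the second warning appears, the exclusion on slf4j-log4j12 is cosmetic; replacing the binding (for example with logback-classic or log4j-slf4j-impl) and excluding log4j:log4j from the dependency that still brings it in is what actually removes the flagged artifact.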