From: Dan Timoney Date: Wed, 23 Mar 2022 23:43:18 +0000 (-0400) Subject: Document transitive log4j dependencies X-Git-Tag: 1.3.1~4 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=ccsdk%2Fdistribution.git;a=commitdiff_plain;h=3d4c5dfb9e185c1e93a246c5b0d4462931aebb89 Document transitive log4j dependencies Document log4j 1.x transitive dependencies in release notes Issue-ID: CCSDK-3602 Signed-off-by: Dan Timoney Change-Id: If32331b32062f386c5beb39e86db8ad36ba4d27a (cherry picked from commit d94fe513dcb5e0ab5f51bb0ad59f5cd8198751f5) --- diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 217c2bd9..4b6e2c05 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst 
@@ -64,6 +64,28 @@ The full list of `bugs fixed in the CCSDK Istanbul release `_ is maintained on the `ONAP Jira`_. +It should be noted that several CCSDK repositories have a transitive dependency on log4j version 1.x. While this version +is not vulnerable to the recent 'log4shell' vulnerability, there are other known vulnerabilities in this +version. The following table summarizes where log4j 1.x is currently used in CCSDK: + ++----------------+-----------------------------------------------------------------------------------+ +| Repository | Transitive dependencies | ++================+===================================================================================+ +| ccsdk/apps | org.onap.aaf.authz:aaf-misc-env:2.1.21 -> log4j:log4j:1.2.17 | ++----------------+-----------------------------------------------------------------------------------+ +| ccsdk/cds | org.hibernate:hibernate-testing:jar:5.4.32.Final -> log4j:log4j:1.2.17 | ++----------------+-----------------------------------------------------------------------------------+ +| | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.5 -> log4j:log4j:1.2.17 | ++----------------+-----------------------------------------------------------------------------------+ +| ccsdk/features | org.onap.aaf.authz:aaf-misc-env:2.1.21 -> log4j:log4j:1.2.17 | ++----------------+-----------------------------------------------------------------------------------+ +| | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.12 -> log4j:log4j:1.2.17 | ++----------------+-----------------------------------------------------------------------------------+ +| ccsdk/sli | org.onap.dmaap.messagerouter.dmaapclient:dmaapClient:1.1.12 -> log4j:log4j:1.2.17 | | ++----------------+-----------------------------------------------------------------------------------+ + + + Deliverables ------------
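Review bot: the last table row, for ccsdk/sli, ends with an extra cell delimiter (`log4j:log4j:1.2.17 | |`), so that row does not line up with the `+----...----+` borders used by every other row. A reStructuredText grid table with a misaligned row is reported as malformed when the docs are built. Drop the trailing `|` so the row closes at the same column as the rest. Two smaller points in the same hunk: the second rows for ccsdk/cds and ccsdk/features have an empty Repository cell under a full-width border, which renders as a separate row with no repository name; either repeat the repository name or leave the border open under the first column so the cell spans both rows. The hibernate-testing entry uses the `group:artifact:jar:version` form while the other entries use `group:artifact:version`; pick one form for all rows. Finally, "other known vulnerabilities" would be more useful to readers of the release notes with a pointer to the relevant advisories or the tracking issue (CCSDK-3602) so they can assess exposure themselves.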