I was wondering whether, while building our own Asqatasun, it is possible to update the log4j library, and how?
I actually don’t know which version of the library we are currently using, so I don’t know if it’s impacted by the breach. So I’m asking to be sure that Asqatasun will be secure.
Hello @mfaure,
I also have this topic, which I hope you have an answer for. I actually receive some alerts from our security team about the tool concerning log4j. I don’t know if you have thought about a fix (update) of the log4j version because of the breach.
See (in French): Update dependency log4j (#616) · Issues · asqatasun / Asqatasun · GitLab
Question translated with the DeepL tool:
Due to a vulnerability in the log4j dependency ([MaJ] Vulnérabilité dans Apache Log4j – CERT-FR) which is used in the tgol-test-scenario module, we cannot use the Asqatasun tool anymore. Is this module well used by Asqatasun?
Is it planned to update this dependency?
@mfaure's response, translated with the DeepL tool:
The tgol-test-scenario module is not used in the webapp. It was only used to manually launch tests on the application. Moreover, according to our investigation, Asqatasun does not seem to be affected by the flaw.
Asqatasun uses logback instead of log4j, except in the tgol-test-scenario module (used only to manually run tests on the application).