Skip to content

A Renovate preset for remediating transitive vulnerabilities of log4j

License

Notifications You must be signed in to change notification settings

whitesource/log4j-remediations

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 

Repository files navigation

log4j-remediations

This repository contains a Renovate preset which includes rules for remediating hundreds of packages which are downstream dependents of log4j.

The Transitive log4j problem

Many Java projects use log4j, but not directly or only directly. It is often the case that multiple open source packages within a project include log4j as a dependency, so to remediate vulnerable versions of log4j means to update each dependency to a version which no longer depends on vulnerable log4j.

What this preset includes

This preset contains rules for how to update hundreds of packages dependent on log4j to the first version of the package which no longer uses a critically vulnerable version of log4j. Where [email protected] is supported then it is recommended, but otherwise the highest of 2.15.0 and 2.16.0 is selected.

How to use it

To use this preset, add it to your Renovate or WhiteSource Remediate extends field.

For example in Renovate with a renovate.json config file this may look like:

{
  "extends": ["github>whitesource/log4j-remediations"]
}

If using WhiteSource Remediate and a .whitesource config file, this will look like:

{
  ...
  "remediateSettings": {
    "extends": ["github>whitesource/log4j-remediations"]
  }
}

Future updates

This preset will be updated as WhiteSource finds more packages which have remediated their log4j dependency.

About

A Renovate preset for remediating transitive vulnerabilities of log4j

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published