Adjust log binding requirements due to CVEs from logback (spotbugs#2760)

* [build] Prefer newer log4j and logback * [ci] Fix up change log and add entries around logging CVEs and Suggested usage * [ci] Add PR to change log
gleclaire · Dec 9, 2023 · 10422e8 · 10422e8
1 parent e720004
commit 10422e8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,13 +10,13 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
 ### Fixed
 - Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions ([#2710](https://github.com/spotbugs/spotbugs/issues/2710))
 - Applied changes for bcel 6.8.0 with adjustments to constant pool ([#2756](https://github.com/spotbugs/spotbugs/pull/2756))
-    - More information bcel changes can be found on ([#2757(https://github.com/spotbugs/spotbugs/pull/2757))
+    - More information bcel changes can be found on ([#2757](https://github.com/spotbugs/spotbugs/pull/2757))
 
 ### Changed
 - Improved Matcher checks for empty strings ([#2755](https://github.com/spotbugs/spotbugs/pull/2755))
-
-### Changed
 - Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis ([#2754](https://github.com/spotbugs/spotbugs/pull/2754))
+- Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 ([#2760](https://github.com/spotbugs/spotbugs/pull/2760)
+- Prefer log4j2 at 2.22.0 and logback at 1.4.14 ([#2760](https://github.com/spotbugs/spotbugs/pull/2760)
 
 ## 4.8.2 - 2023-11-28
 

diff --git a/spotbugs/build.gradle b/spotbugs/build.gradle
@@ -358,16 +358,16 @@ dependencies {
     logBinding("org.apache.logging.log4j:log4j-core") {
       version {
         strictly("[2.17.1, 3[")
-        prefer("2.20.0")
+        prefer("2.22.0")
       }
       because("CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832: Log4j vulnerable to remote code execution and other critical security vulnerabilities")
     }
     logBinding("ch.qos.logback:logback-core") {
       version {
-        strictly("[1.2.9, 2[")
-        prefer("1.4.11")
+        strictly("[1.2.13, 2[")
+        prefer("1.4.14")
       }
-      because("CVE-2021-42550: Logback vulnerable to remote code execution vulnerabilities")
+      because("CVE-2021-42550: Logback vulnerable to remote code execution vulnerabilities and CVE-2023-6481, CVE-2023-6378: allows an attacker to mount a Denial-Of-Service attack by sending poisoned data")
     }
   }
 }