Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update 2.x SDK log4j2 appender to not pull in log4j2 on its own #2002

Merged
merged 5 commits into from
Dec 13, 2021
Merged

Update 2.x SDK log4j2 appender to not pull in log4j2 on its own #2002

merged 5 commits into from
Dec 13, 2021
+10 −5

Conversation

trask
Copy link
Member

@trask trask commented Dec 13, 2021
edited
Loading

The 2.x SDK log4j2 appender is designed for users who are already using log4j2. It should not pull in log4j2 on its own. Users should already be bringing their own version of log4j2 (and should be upgrading that version or applying the mitigation steps from CVE-2021-44228). The PR ensures that users have to bring their own version of log4j2.

@trask
Update log4j2 appender

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
9acaefc
trask added 3 commits December 13, 2021 10:55
@trask
Update lockfiles

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
d6fcd84
@trask
Need to support Java 7

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
94e0789
@trask
Fix unit tests

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
f8c1c1d
@heyams
Copy link
Contributor

heyams commented Dec 13, 2021

can we drop java 7 support for legacy sdk? that's feature change for some customers... and we don't know how many were on java 7.

@heyams
Copy link
Contributor

heyams commented Dec 13, 2021

should we add another statsbeat feature for java version? i think that's more useful than java vendor

@trask trask changed the title Update log4j2 appender Update log4j2 appender to not pull in log4j2 on its own Dec 13, 2021
@trask trask changed the title Update log4j2 appender to not pull in log4j2 on its own Update 2.x SDK log4j2 appender to not pull in log4j2 on its own Dec 13, 2021
@trask
Copy link
Member Author

trask commented Dec 13, 2021

should we add another statsbeat feature for java version? i think that's more useful than java vendor

👍 it's high cardinality if we capture the full version, but maybe just the major versions 8, 11, 17, and "other"

@trask trask merged commit 51a30a9 into legacy-sdk Dec 13, 2021
@trask trask deleted the update-log4j-appender branch December 13, 2021 23:35
This was referenced Dec 14, 2021
Closed
Closed
@trask trask mentioned this pull request Jan 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heyams heyams

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@trask @heyams