log4j

[spyhunter99]

Hi i was attempting to publish a library that uses this library as a dependency. oss.sonatype.org send me a "lift" report that flagged this library as having a few security related issues. It looks like it's related to log4j 1.x.

Seeing this in the root pom

yes we know this is an issue but it is here for backwards compatibility

As a user of the library, can we exclude the log4j dependency and have the library still be functional?
Alternatively, is there a plan to use some other logging library or a newer version?

[j256]

Sorry for the delay @spyhunter99 . The log4j dependencies should be marked as optional so it won't be used unless you provide it. Is that not what you are seeing?

[spyhunter99]

looks like that was cleared up. It's also complaining about this one

	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://ossindex.sonatype.org/vulnerability/a9c81f11-d02c-4b45-b55f-0eedd1786272?component-type=maven&component-name=com.j256.ormlite.ormlite-android&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)