Upgrade flogger to 0.7.4 which upgraded log4j2 due to CVE-2021-44228
Flogger contains a log4j2 backend which has a dependency on log4j2. In
Flogger 0.7.3 the log4j2 backend depends on a log4j2 version (2.16) that
is still partly vulnerable due to CVE-2021-44228. With Flogger 0.7.4
that dependency was upgraded to log4j 2.17 where further fixes for the
vulnerability were done [1].
Gerrit does neither use the log4j2 backend nor has a dependency on it.
Gerrit also doesn't use log4j2. So this upgrade doesn't fix anything in
Gerrit. Doing the upgrade is rather a precaution in case Gerrit ever
upgrades to log4j2, because then it can be easily missed that flogger
needs to be upgraded too. Since the flogger upgrade is no work, let's
just do it now.
[1] https://github.com/google/flogger/releases/tag/flogger-0.7.4
Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: I16a5253352a4dc09ada034cfcf8f19bdbc4d6293
diff --git a/tools/nongoogle.bzl b/tools/nongoogle.bzl
index 0cb3870..3b1a98e 100644
--- a/tools/nongoogle.bzl
+++ b/tools/nongoogle.bzl
@@ -123,12 +123,12 @@
# Google internal dependencies: these are developed at Google, so there is
# no concern about version skew.
- FLOGGER_VERS = "0.7.3"
+ FLOGGER_VERS = "0.7.4"
maven_jar(
name = "flogger",
artifact = "com.google.flogger:flogger:" + FLOGGER_VERS,
- sha1 = "d08bf8276d2bbb1435951e88b3f067092285b9fb",
+ sha1 = "cec29ed8b58413c2e935d86b12d6b696dc285419",
)
maven_jar(
