Bug #18424

closed

Is Ruby vulnerable to log4j?

Added by salamani (Ravi Salamani) over 2 years ago. Updated over 2 years ago.

Status:
Rejected
Assignee:
-
Target version:
-
[ruby-core:106775]

Description

I observed that Ruby uses zookeeper, dep "slyphon-log4j", "= 1.2.15".
Is Ruby vulnerable to log4j?

Updated by mame (Yusuke Endoh) over 2 years ago

  • Status changed from Open to Rejected

The Ruby package itself does not depend on log4j. For an application or library written in Ruby, please ask its maintainer.

Updated by salamani (Ravi Salamani) over 2 years ago

mame (Yusuke Endoh) wrote in #note-1:

The Ruby package itself does not depend on log4j. For an application or library written in Ruby, please ask its maintainer.

https://github.com/ruby/ruby/blob/master/spec/bundler/resolver/platform_spec.rb#L31 Does it install log4j?

Updated by austin (Austin Ziegler) over 2 years ago

salamani (Ravi Salamani) wrote in #note-2:

mame (Yusuke Endoh) wrote in #note-1:

The Ruby package itself does not depend on log4j. For an application or library written in Ruby, please ask its maintainer.

https://github.com/ruby/ruby/blob/master/spec/bundler/resolver/platform_spec.rb#L31 Does it install log4j?

This is a Ruby spec that verifies bundler. This particular path would only be run by JRuby and possibly TruffleRuby, as CRuby is not written with Java.

Updated by deivid (David Rodríguez) over 2 years ago

Yes, that's correct. The naming in these test cases is inspired by real-world packages, but these are just dummy packages just for the sake of testing, not the real library code. You can replace log4j with very-secure-library in those tests and they should still pass.
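A defender's check, added here and not part of the issue thread: parse an application's Gemfile.lock to see which gems are actually resolved, instead of grepping a source tree where test fixtures (like bundler's resolver specs above) may name dummy packages after real libraries. The lockfile excerpt, its gem list and its version numbers are constructed for the example.

```ruby
# Added example, not code from the Ruby project or this issue thread.
# A Gemfile.lock records the gems an application really resolves. In each
# GEM/GIT/PATH section, the "  specs:" block lists resolved gems as
# "    name (version)" (4-space indent); lines indented 6 spaces beneath a
# gem are its dependency constraints, not resolved gems.

# Returns a Hash of gem name => resolved version for every gem in the lockfile.
def resolved_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    # A non-indented line starts a new top-level section (GEM, PLATFORMS, ...).
    in_specs = false if line =~ /\A\S/
    in_specs = true if line.rstrip == "  specs:"
    next unless in_specs
    # Exactly four spaces of indent: a resolved gem; six spaces: its dependencies.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# True only if the named gem is actually resolved, whatever the source tree mentions.
def depends_on?(lockfile_text, gem_name)
  resolved_gems(lockfile_text).key?(gem_name)
end

# Constructed lockfile excerpt (versions invented); no log4j-named gem is resolved.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      zookeeper (1.5.5)
        logger (~> 1.4)
      logger (1.5.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    zookeeper
LOCK

if $PROGRAM_NAME == __FILE__
  resolved_gems(SAMPLE_LOCKFILE).each { |name, ver| puts "#{name} #{ver}" }
  puts "slyphon-log4j resolved? #{depends_on?(SAMPLE_LOCKFILE, 'slyphon-log4j')}"
end
```

Run it against a real application's Gemfile.lock by replacing the constructed excerpt with `File.read("Gemfile.lock")`.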
