Disable vulnerable log4j dependency and add note.

free2create · Sep 8, 2022 · ad83979 · ad83979
1 parent 5292f33
commit ad83979
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/native-image-workshop/README.md b/native-image-workshop/README.md
@@ -197,14 +197,14 @@ $ mvn clean package -Pnative
 So far, so good. But say we now we want to add a library, or some code, to our project that
 relies on reflection. A good candidate for testing this out would be to add `log4j`. Let's do that.
 
-We've already added it as a dependency in the `pom.xml` file, and it can be seen in the depencies:
+We've already added it as a dependency in the `pom.xml` file, and it can be found in the dependencies. Please uncomment it:
 
 ```xml
-<dependency>
+<!-- <dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
-</dependency>
+</dependency> -->
 ```
 
 To add `log4j` all we need to do is to open up the `ListDir.java` file and uncomment some things in order to start using it. Go through and uncomment the various lines that add the imports and the logging code. Uncomment the following lines:

diff --git a/native-image-workshop/pom.xml b/native-image-workshop/pom.xml
@@ -26,11 +26,12 @@
  <version>${graalvm.version}</version>
  <scope>provided</scope>
  </dependency>
- <dependency>
+ <!-- Warning: the below log4j dependency is insecure and must not be used in production -->
+ <!-- <dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.1.3</version>
- </dependency>
+ </dependency> -->
  </dependencies>
 
  <profiles>