Hi Shiplu,

On Thu, 19 Oct 2023 at 15:09, Shiplu Kundu <sk4m1...@gmail.com> wrote:
> For my current project I was using *log4j-audit-api* to print the audit log
> of my application.
> But the latest version for this plugin 1.0.1 and last release was on 2018
> June, and also it is showing around 75 vulnerabilities.
> I searched over the internet but didn't receive any latest library info for
> the same dependency.

We have been discussing the fate of Log4j Audit for the past month. There are multiple threads about it:

https://lists.apache.org/thread/gy8j0tgjk6d5njvpm7gy58d2lvwj5s0c
https://lists.apache.org/thread/5x3g3ko0bb3x19d36oyx1b5tvkb7zq0x
https://lists.apache.org/thread/xgd8oxcogdn7t80hccwyzbtz6kvzpt0y

I believe that your e-mail on this matter represents a turning point in the discussion: we were not sure if Log4j Audit had some user base. Now that we know it does, we'll try to divert some effort to this project. Our resources are limited, so we would be grateful for all the help we can get (issue reports, PRs).

Even if Log4j Audit dependencies **have** multiple CVEs, I don't believe they constitute a problem for users, who can always overwrite the proposed dependency versions. Anyway, we'll try to update them ourselves and publish a release.

Piotr