Hi Shiplu,

On Thu, 19 Oct 2023 at 15:09, Shiplu Kundu <sk4m1...@gmail.com> wrote:
> For my current project I was using *log4j-audit-api* to print the audit log
> of my application.
> But the latest version for this plugin is 1.0.1 and the last release was in June
> 2018, and also it is showing around 75 vulnerabilities.
> I searched over the internet but didn't receive any latest library info for
> the same dependency.

We have been discussing the fate of Log4j Audit for the past month.
There are multiple threads about it:

https://lists.apache.org/thread/gy8j0tgjk6d5njvpm7gy58d2lvwj5s0c
https://lists.apache.org/thread/5x3g3ko0bb3x19d36oyx1b5tvkb7zq0x
https://lists.apache.org/thread/xgd8oxcogdn7t80hccwyzbtz6kvzpt0y

I believe that your e-mail on this matter represents a turning point
in the discussion: we were not sure if Log4j Audit had some user base.
Now that we know it does, we'll try to divert some effort to this project.

Our resources are limited, so we would be grateful for all the help we
can get (issue reports, PRs). Even if Log4j Audit dependencies
**have** multiple CVEs, I don't believe they constitute a problem for
users, who can always overwrite the proposed dependency versions.
Anyway we'll try to update them ourselves and publish a release.

Piotr
