Hey guys
Let’s be courteous and civil.
As part of vulnerability management, an assessment has to be made about the
potential security impact of a vulnerability in software.
New vulnerabilities are found every day in older components and it is neither
practical nor feasible to chase down every rabbi
Where I work we decided to address log4j vulnerabilities only for components
directly used by the application and actually performing logging.
We ignored transitive dependencies and maven plug-ins.
I’m curious about this use case from Venu though, what application would rely
on the maven dependen