Dependencies on older log4j version #194

@triggan

Moving this issue here from the older neptune tools repo: awslabs/amazon-neptune-tools#265

This project still has log4j in it.
It contains version 1.2.17, which comes through with the use of commons-logging (neptune-export.jar/META-INF/maven/commons-logging/commons-logging/pom.xml).
It also contains version 1.2.8, which comes through with the use of commons-configuration (neptune-export.jar/META-INF/maven/commons-configuration/commons-configuration/pom.xml).
Why is log4j 1.2.8/17 bad? While it's not log4shell, it still is a component that is just about 7 years out of support and not maintained.

A Sonatype scan has shown that it has dependencies that have log4j in them. However, the resulting release may not have it included; it would be nice to see all the dependencies updated to get rid of any older unsupported open source items.

Looking at the latest neptune-export build, here's additional info on the deep dependencies on the older log4j version from both commons-logging and commons-configuration.

➜  neptune-export git:(develop) ✗ mvn dependency:tree | grep -A5 -B5 commons-logging
...
[INFO] +- com.amazonaws:amazon-neptune-sigv4-signer:jar:3.0.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- commons-logging:commons-logging:jar:1.2:compile
...

and

➜  neptune-export git:(develop) ✗ mvn dependency:tree | grep -A5 -B10 commons-configuration
...
[INFO] +- org.apache.tinkerpop:gremlin-driver:jar:3.7.3:compile
[INFO] |  +- org.apache.tinkerpop:gremlin-core:jar:3.7.3:compile
[INFO] |  |  +- org.apache.tinkerpop:gremlin-shaded:jar:3.7.3:compile
[INFO] |  |  +- org.apache.tinkerpop:gremlin-language:jar:3.7.3:compile
[INFO] |  |  |  +- org.antlr:antlr4-runtime:jar:4.9.1:compile
[INFO] |  |  |  +- org.javatuples:javatuples:jar:1.2:compile
[INFO] |  |  |  \- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] |  |  +- org.apache.commons:commons-configuration2:jar:2.9.0:compile
...

Latest versions of both of these libraries now use log4j 2.25.3. We'll need to investigate how to address these in the downstream libraries.
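One triage step worth doing before chasing the downstream libraries, added here as an example and not code from this issue or from the neptune-export project: check whether the shaded jar actually ships log4j bytecode, or whether the scanner matched the `META-INF/maven/**/pom.xml` descriptors that the shade plugin repackages (the paths quoted in the issue are exactly such descriptors, and the `mvn dependency:tree` excerpts above list no log4j artifact). The script below builds a constructed stand-in jar with an assumed layout (a commons-logging pom declaring log4j 1.2.17 as an optional dependency) and reports which case applies; point it at a real jar path to scan that instead. The jar layout, the sample pom text and the function names are all assumptions for the example.

```python
"""Triage a 'log4j found' scanner hit on a shaded jar.

Added example, not part of the issue or the neptune-export project.
Distinguishes two cases a scanner can report the same way:
  (a) log4j 1.x/2.x classes are actually bundled in the jar, or
  (b) a bundled Maven descriptor (META-INF/maven/**/pom.xml) merely lists
      log4j as a dependency of some shaded library.
"""
import io
import re
import zipfile

# Constructed stand-in for neptune-export.jar (assumed layout, not the real artifact).
_COMMONS_LOGGING_POM = """<project>
  <groupId>commons-logging</groupId>
  <artifactId>commons-logging</artifactId>
  <version>1.2</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>
"""


def build_sample_jar(bundle_log4j_classes: bool) -> bytes:
    """Build a small jar in memory. With bundle_log4j_classes=True it also
    carries a fake 4-byte org/apache/log4j class so the 'really bundled'
    path can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/commons-logging/commons-logging/pom.xml", _COMMONS_LOGGING_POM)
        zf.writestr("org/apache/commons/logging/LogFactory.class", b"\xca\xfe\xba\xbe")
        if bundle_log4j_classes:
            zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


_DEP_RE = re.compile(r"<dependency>(.*?)</dependency>", re.S)
LOG4J_GROUPS = {"log4j", "org.apache.logging.log4j"}
LOG4J_CLASS_PREFIXES = ("org/apache/log4j/", "org/apache/logging/log4j/")


def _tag(xml: str, name: str) -> str:
    """Return the text of the first <name>...</name> element, or '' if absent."""
    m = re.search(rf"<{name}>\s*(.*?)\s*</{name}>", xml, re.S)
    return m.group(1) if m else ""


def scan_jar(data: bytes) -> dict:
    """Report log4j classes shipped in the jar and bundled pom.xml files that
    only declare log4j as a dependency (with coordinate and optional flag)."""
    found = {"classes": [], "pom_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and name.startswith(LOG4J_CLASS_PREFIXES):
                found["classes"].append(name)
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                text = zf.read(name).decode("utf-8", "replace")
                for dep in _DEP_RE.findall(text):
                    gid = _tag(dep, "groupId")
                    if gid in LOG4J_GROUPS:
                        # Version may be absent when managed by a parent pom.
                        version = _tag(dep, "version") or "(managed)"
                        found["pom_refs"].append({
                            "pom": name,
                            "coordinate": f"{gid}:{_tag(dep, 'artifactId')}:{version}",
                            "optional": _tag(dep, "optional") == "true",
                        })
    return found


def verdict(found: dict) -> str:
    if found["classes"]:
        return "bundled"          # log4j bytecode is in the artifact: real exposure
    if found["pom_refs"]:
        return "descriptor-only"  # only a repackaged pom.xml mentions log4j: not loadable code
    return "clean"


if __name__ == "__main__":
    import sys
    # Pass a real jar path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(False)
    found = scan_jar(data)
    print(verdict(found))
    for ref in found["pom_refs"]:
        print(f"  {ref['pom']} declares {ref['coordinate']} optional={ref['optional']}")
    for cls in found["classes"]:
        print(f"  shipped class: {cls}")
```

A "descriptor-only" result means the finding is scanner noise from repackaged metadata rather than code that can be loaded, which matches the issue's own observation that the resulting release may not include log4j; the cleanup is then the dependency upgrade the issue asks for (or dropping the bundled descriptors from the shade), while a "bundled" result is a real exposure that needs an exclusion or upgrade before anything else.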
