Arrgghh Log4j and Wiz

Morning

We have a ping on Wiz that Keycloak uses log4j, we have a corporate policy to not allow log4j in the environment at all, even v2 … I saw that in v26 Log4j is being removed…

Can anyone direct me to documentation about why log4j libraries are in the codebase but apparently not used?

Phin

Best to ask in the Keycloak discussions, as this is a community help forum.

AFAIK, log4j libraries are dependencies of several testing and other utilities used in the build process, but the Keycloak distribution does not include them.

I can second what @xgp wrote.
Log4j libs are only used in tests, not in the distribution.

Blindly looking at some scanning reports is not enough.

Yeah, I know not to go off these pings, but Corporate CISO offices don’t really do ‘thought’, not when there is a very nice tool that does the knowing for them.

Found the culprit in Keycloakify as part of the theme build. ‘rm -rf .cache’ works a treat as part of our deployment process.

Phin
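As an added check, not code from this thread or from the Keycloak or Keycloakify projects: before dropping the build cache, confirm that every log4j jar the scanner flagged actually lives under a `.cache` directory and nothing log4j-named sits in the paths that get packaged. It assumes the flagged files are jars named `log4j*.jar` and that the build cache directory is `.cache`; the sample tree is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify log4j jars under a theme build tree as build-cache
# artifacts (cleared by `rm -rf .cache`) or as files that would ship.
# Assumes jars named log4j*.jar and a cache directory called .cache.

# find_log4j DIR : print "cache:<path>" or "shipped:<path>" per log4j jar found
find_log4j() {
  find "$1" -type f -name 'log4j*.jar' | while IFS= read -r f; do
    case "$f" in
      */.cache/*) printf 'cache:%s\n' "$f" ;;
      *)          printf 'shipped:%s\n' "$f" ;;
    esac
  done
}

# shipped_log4j_count DIR : number of log4j jars outside any .cache directory;
# a non-zero result means the scanner hit is not just build residue.
shipped_log4j_count() {
  find_log4j "$1" | grep -c '^shipped:' || true
}

# clean_cache DIR : remove the build cache that triggered the scanner ping
clean_cache() {
  rm -rf "$1/.cache"
}

# make_sample_tree [with-shipped] : constructed Keycloakify-style theme build
# with log4j only in .cache; "with-shipped" also plants one jar under lib/.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/.cache/deps" "$d/build/resources" "$d/lib"
  : > "$d/.cache/deps/log4j-core-2.17.1.jar"
  : > "$d/.cache/deps/log4j-api-2.17.1.jar"
  : > "$d/build/resources/theme.jar"
  [ "$1" = "with-shipped" ] && : > "$d/lib/log4j-core-2.17.1.jar"
  printf '%s\n' "$d"
}
```

Run `shipped_log4j_count` on the unpacked theme before `clean_cache`; only a count of 0 justifies treating the Wiz finding as build residue.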