Context:
With the change 046b539, all of the log4j-v1.jar files went into the jar file, including the JDBCAppender class flagged by CVE-2022-23305.
Recommendation from CVE: Users should upgrade to Log4j 2, as it addresses numerous other issues from the previous versions.
Consequence: This blocks KSP upgrades for all the projects protected by Security Scanner tools (like NexusIQ).
cc: @ting-yuan
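
A way to confirm locally whether a given jar bundles the flagged class, written as an added example that is not part of the original issue or the KSP project. It assumes the standard log4j 1.x class path `org/apache/log4j/jdbc/JDBCAppender.class`; the function names and sample jar names are constructed for illustration.

```python
import io
import zipfile

# Class named in the issue as flagged by CVE-2022-23305 (assumed log4j 1.x path).
FLAGGED_SUFFIX = "org/apache/log4j/jdbc/JDBCAppender.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def find_flagged_classes(data, origin="<archive>", max_depth=3):
    """Return 'outer!/inner' paths of JDBCAppender copies found in jar bytes.

    Suffix matching also catches copies relocated under a prefix by shading;
    a relocation that renames the package itself is not detected.
    """
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            path = f"{origin}!/{name}"
            if name.endswith(FLAGGED_SUFFIX):
                hits.append(path)
            elif name.lower().endswith(ARCHIVE_EXTS) and max_depth > 0:
                # Fat jars may embed whole jars; scan them with a depth limit.
                hits += find_flagged_classes(archive.read(name), path, max_depth - 1)
    return hits


def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one prefixed copy plus one copy inside a nested jar.
    nested = make_jar({"org/apache/log4j/jdbc/JDBCAppender.class": b"\xca\xfe\xba\xbe"})
    fat = make_jar({
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
        "shaded/org/apache/log4j/jdbc/JDBCAppender.class": b"\xca\xfe\xba\xbe",
        "lib/nested-sample.jar": nested,
    })
    for hit in find_flagged_classes(fat, "sample-fat.jar"):
        print("FLAGGED:", hit)
```

To scan a real artifact, pass the file's bytes, for example `find_flagged_classes(open(path, "rb").read(), path)`.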