Visual Lint and log4j (TL;DR: we don't use it)
Thursday 16th December, 2021
A good question from a customer, prompted by a bunch of headlines about security holes in the log4j logging library:
Triggered by the recent log4j vulnerability, our organisation is asking all our software vendors if their software is affected by it - and, if so, by when a patch will be provided. May I ask for your confirmation that Visual Lint is not affected by this exploit?
I suppose that Visual Lint is Java free and thus has no problem with it. Thanks a lot for your answer!
Hopefully our answer will prove reassuring:
Visual Lint is written almost entirely in native C++ (more specifically, it's written in C++14). There is only one Java project in the entire codebase - the project which implements the Eclipse plugin (to our knowledge, Eclipse plugins can only be implemented in Java).
However, that project is just a thin Java wrapper around a native DLL - and it doesn't use log4j at all.
So, you're correct. Visual Lint (and indeed all our products and infrastructure) are 100% log4j free.
So your organisation can rest easy in this case.