BFO does not include or depend on Log4J
This post relates to the Log4Shell security vulnerablity in the Log4J logging package.
BFO products do not ship with Log4J. We will use it if configured and in the classpath for logging, but we do not depend on it in any way and it's up to you to include and configure it in your own deployment.
More generally, the BFO PDF Library, Graph Library and Report Generator will never have a dependency on any third party software. In general, code written for these APIs 20 years ago will continue to work today. We can't do that building on code we didn't write.
We include the open-source JPEG2000 package as bfopdf-jj2000.jar
with
our PDF Library. It's optional, but recommended.
It's built from a version we've
branched and maintain.
We are satisfied it does not create a security risk, or do anything other than
JPEG2000 image compression.
In all other cases where we work with third party libraries, such as Log4J or Apache Lucene, these will always be optional and up to you to install if you need them.
We do not use JNDI, and we never, ever load classes from URLs.