Is a vulnerable picard still used? log4j vulnerability. #734
Comments
Great timing @colindaven as I am prepping a release! Thanks for reporting.
Looks like a version based on 2.16 might be a better option, with the lookups completely removed. Broad picard is on 2.15. https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4 Might pay to wait a bit?
Best to merge to 2.15.x-based releases as soon as possible and update to 2.16 when it is ready. Things take a while to make their way through bioconda/biocontainers etc.
Other tools in this pipeline possibly affected by this:
If you spot any more tools on
While greatly preferable to have an official statement from the BBMap and Qualimap developer teams, my analysis shows that BBMap
Picard was bumped to the latest currently available again (
Dear devs,
Using this software on an older, conda-based installation of nf-core rna-seq, a vulnerable picard.jar was found.
https://github.com/mergebase/log4j-detector
Do you know when it will be possible to replace the used picard.jar with a patched version?
There is already a patched release on
https://github.com/broadinstitute/picard/releases/tag/2.26.7
Thanks
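
The kind of check described in this issue, as an added example that is not part of the thread and is not log4j-detector's code: it reports which log4j-core version a jar such as picard.jar embeds, including jars nested inside it. The function names are hypothetical, the 2.16 threshold is an assumption taken from the comment above, and a shaded jar that strips `META-INF/maven` metadata yields `version: None`, which is flagged for review.

```python
import io
import re
import zipfile

# Standard locations inside a log4j-core jar (also kept by most shaded/fat jars).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")
MIN_VERSION = (2, 16, 0)  # assumption: the 2.16 target named in the thread

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label="<jar>", depth=0, max_depth=4):
    """Yield one finding per archive (outer or nested) that embeds log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive: nothing to report
    with zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
        if version is not None or JNDI in names:
            yield {
                "path": label,
                "version": version,
                "jndi_lookup_class": JNDI in names,
                "needs_update": version is None or version < MIN_VERSION,
            }
        if depth < max_depth:  # bounded recursion into bundled jars
            for name in sorted(names):
                if name.lower().endswith(NESTED):
                    yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)

def scan_file(path):
    """Scan a jar on disk, e.g. the picard.jar inside a conda environment."""
    with open(path, "rb") as fh:
        return list(scan_archive(fh.read(), path))

def make_jar(entries):
    """Constructed test input: build an in-memory jar from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```
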