This AndroidProjectCreator update bumps the Log4J dependency, which is pulled in through the org.eclipse.jgit dependency, to version 2.16.0. The update is required because CVE-2021-45046 affects version 2.15.0; the previous update, to 2.15.0, addressed CVE-2021-44228.
AndroidProjectCreator does not use Log4J itself: it simply writes log messages to standard output via System.out. The Git dependency mentioned above gives users the option to log through Log4J if they wish. The excerpt below, which can be found here on GitHub, shows how the Git-related logging in AndroidProjectCreator is implemented.
    Git.cloneRepository()
        .setProgressMonitor(new TextProgressMonitor(new PrintWriter(System.out))) // JGit's own monitor, writing to stdout; no Log4J involved
        .setURI(url)                                // remote repository to clone
        .setDirectory(directory)                    // local checkout location
        .setBranchesToClone(singleton(branch))      // only fetch the requested branch
        .setBranch(branch)                          // and check it out
        .call();
The second line sets the progress monitor, built from standard Java classes and the default system output. With this update, even if the Git dependency unexpectedly logs something through Log4J, there should be no security risk.
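A check a user can run against a downloaded release JAR to confirm that the bundled log4j-core is at 2.16.0 or later, as an added example that is not part of AndroidProjectCreator or this post. It assumes the dependency is shaded into the JAR with Maven's standard pom.properties path (or as a nested log4j-core-<version>.jar); the sample JARs are constructed in memory.

```python
import io
import re
import zipfile

# Version this update moves the bundled Log4J dependency to (from the post).
REQUIRED_LOG4J = "2.16.0"

# Maven writes a pom.properties for every shaded dependency under this path.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version: str) -> tuple:
    """Turn '2.16.0' into (2, 16, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def bundled_log4j_version(jar_bytes: bytes):
    """Return the log4j-core version found inside a (fat) JAR, or None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        # Fallback: a nested log4j-core-<version>.jar entry instead of shaded classes.
        for name in names:
            match = re.search(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", name)
            if match:
                return match.group(1)
    return None


def jar_is_patched(jar_bytes: bytes, required: str = REQUIRED_LOG4J) -> bool:
    """True if the JAR bundles no log4j-core at all, or one at/after the required version."""
    found = bundled_log4j_version(jar_bytes)
    if found is None:
        return True
    return parse_version(found) >= parse_version(required)


def build_sample_jar(log4j_version: str) -> bytes:
    """Constructed stand-in for a release JAR that shades log4j-core at the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                f"artifactId=log4j-core\nversion={log4j_version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for version in ("2.15.0", "2.16.0"):
        status = "patched" if jar_is_patched(build_sample_jar(version)) else "affected by CVE-2021-45046"
        print(f"log4j-core {version}: {status}")
```

To check a real download, replace build_sample_jar(...) with the bytes read from the release JAR file.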
The program’s source code can be found here, along with the latest release. Updating is as simple as replacing the JAR with the latest release, or building the latest source and using the self-built JAR as the replacement.
Feedback and suggestions can be shared via any of the contact methods that are listed below, or by creating an issue on GitHub. When picking the latter, please do use the given issue template.