jrs-rest-java-client has log4j 1.2.17 in its pom.xml.
https://github.com/Jaspersoft/jrs-rest-java-client/blob/master/pom.xml
That version when End-of-Life in 2015, and it has CVE's that Apache isn't going to fix.
With all the press about the Log4Shell vulnerability at the end of 2021, our security people are trying to get rid of all the old log4j jars on our systems.
We would be very happy if jrs-rest-java-client upgraded to the latest 2.17.1
I know log4j 1.2.17 isn't vulnerable to that particular CVE, but there are others...and it is more than 6 years since Apache abandoned it.
https://logging.apache.org/log4j/1.2/
https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
Components | JasperReports Server, RestAPI |