{
  "repository": "https://github.com/apache/logging-log4j2",
  "commit_source": "release_tag_resolution",
  "commit_sha": "dd0f9d255e24e6bcc13bd2641407a409c0524803",
  "submitted_target": {
    "target_kind": "maven_artifact",
    "commit_sha": "0628e53b25a33e496b509c40a39f2d7c64f2aa6c",
    "version": "2.25.4",
    "ref": "rel/2.25.4",
    "display": "log4j-api 2.25.4 (rel/2.25.4) — vulnerable parent target"
  },
  "variant_target": {
    "target_kind": "maven_artifact",
    "commit_sha": "dd0f9d255e24e6bcc13bd2641407a409c0524803",
    "version": "2.26.1",
    "ref": "rel/2.26.1",
    "display": "log4j-api 2.26.1 (rel/2.26.1) — highest tested fixed version (bypass test target)"
  },
  "tested_targets": [
    {
      "version": "2.25.4",
      "ref": "rel/2.25.4",
      "commit_sha": "0628e53b25a33e496b509c40a39f2d7c64f2aa6c",
      "role": "vulnerable_parent",
      "fix_present": false,
      "result": {"status": "VULNERABLE", "bare": 17, "quoted": 1, "parseFail": 17}
    },
    {
      "version": "2.25.5",
      "ref": "rel/2.25.5",
      "commit_sha": "2e1d9c6284af1da1dec189f4b5b98ac0f32a7645",
      "role": "fixed_2.25.x",
      "fix_present": true,
      "result": {"status": "FIXED", "bare": 0, "quoted": 18, "parseFail": 0}
    },
    {
      "version": "2.26.0",
      "ref": "rel/2.26.0",
      "commit_sha": "c1ad2a66cc90e643ec319b9e131764c9710bebc5",
      "role": "vulnerable_2.26.x",
      "fix_present": false,
      "result": {"status": "VULNERABLE", "bare": 17, "quoted": 1, "parseFail": 17}
    },
    {
      "version": "2.26.1",
      "ref": "rel/2.26.1",
      "commit_sha": "dd0f9d255e24e6bcc13bd2641407a409c0524803",
      "role": "fixed_2.26.x_highest_tested",
      "fix_present": true,
      "result": {"status": "FIXED", "bare": 0, "quoted": 18, "parseFail": 0}
    },
    {
      "version": "2.x-SNAPSHOT",
      "ref": "2.x",
      "commit_sha": "b6ba7d0af60783e98fbe52aee4f9ea3e70deed25",
      "role": "latest_2.x_head_source_inspection",
      "fix_present": true,
      "result": "fix_present_via_source_inspection_only"
    }
  ],
  "notes": "Official Apache log4j-api jars from Maven Central (built from the listed release tags) were tested at runtime for versions 2.25.4/2.25.5/2.26.0/2.26.1. The fix (formatDouble/formatFloat isFinite gating) was verified present via javap for the fixed jars and absent for the vulnerable jars. The latest 2.x HEAD (b6ba7d0a) was inspected read-only in the repo mirror and confirmed to contain the fix. No bypass was confirmed; source_identity is recorded for completeness and to document the exact tested fixed refs."
}
