What's New > Version 2021.12.02

Diffblue Unaffected by Log4j Vulnerability

Release date: Dec 17, 2021

Diffblue Unaffected by Log4j Vulnerability

Last week a new zero-day vulnerability in the widely-used Java component Log4j was reported which allows remote code execution. Diffblue Cover does not use the Log4j component and so is not affected by this vulnerability.

Diffblue Cover runs your Java code to write tests, but it does so within a security sandbox that blocks network traffic. For more information on this, please see our recent blog post.

Diffblue’s recommendations for Logback

A new Java logging library vulnerability was reported and fixed this week, in a component called Logback. This vulnerability is similar to the one in Log4j described above, but less severe because it is much harder to exploit.

Although Diffblue Cover is unaffected, we have upgraded to Logback 1.2.8 anyway. We recommend you also upgrade to Logback 1.2.8, and install the updated versions of both Cover and Cover Reports, shipped on Friday 17 December 2021. For more details, please see our blog post.

Last release for 2021

This is our last release for 2021, and we would like to wish you all a very happy and healthy New Year 2022. We will have our next release in January 2022.

New Developer Edition trial available

We are delighted to now offer a 14-day trial version of our Developer Edition, which includes the Diffblue Cover CLI, as part of our new licensing option. We’re really excited that you can now “try before you buy”! To download your trial of Diffblue Cover Developer Edition, please click here. Full information on all our options is also available here.

How do I automatically maintain all of these tests?

Use Diffblue Cover on any CI platform to automatically update your unit tests and catch regressions for every commit - watch this video to learn more.

Full Release Notes


  • Cover is now able to use specific factory methods via the custom inputs feature. Documentation for this feature can be found here. [Ref: TG-15437]

  • CLI: Cover’s release zip files now include both dcover (for macOS and Linux) and dcover.bat (for Windows) launch scripts. Platform specific zip files are no longer distributed. [Ref: TG-16034]

  • Cover now writes incomplete tests, which previously would have been discarded because of R026 (Spring context failure), if Allow writing tests that fail due to exceptions is enabled in the plugin. [Ref: TG-15792]

  • Cover now only shows the ‘Write Tests’ context menu option in the project explorer pane, when the selection contains methods to test. [Ref: TG-15393]

  • Cover’s Logback dependency has been updated to 1.2.8. [Ref: TG-16165]

  • Reports: Updated Logback dependency to 1.2.8 and Log4j transitive dependency to 2.16.0. [Ref: TG-16181]

Resolved Issues

  • CLI: Resolved an issue which caused Cover’s --patch-only mode to not detect changes in enums. [Ref: TG-16030]

  • Resolved an issue which, in some circumstances, would cause R024 (Out of resources) to be reported as the reason for not creating a test rather than R005 (Unable to load class). [Ref: TG-15840]

  • Reports: Resolved an issue which could cause errors seen during an upload to persist across subsequent upload attempts. [Ref: TG-16014]

Known Issues

  • The command dcover clean --failing does not work on Gradle projects. [Ref: TG-11707]

  • IntelliJ Plugin: Diffblue Cover was unable to create an index error may appear if switching projects happens before Cover has finished indexing. [Ref: TG-13772]