Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2020/12/30 15:53:00 UTC

[jira] [Comment Edited] (LOG4J2-2987) Snyk reports vulnerability for log4j-to-slf4j caused by junit transitive dependency

    [ https://issues.apache.org/jira/browse/LOG4J2-2987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17256570#comment-17256570 ] 

Ralph Goers edited comment on LOG4J2-2987 at 12/30/20, 3:52 PM:
----------------------------------------------------------------

[~Hakky54] You are looking at the wrong branch. The master branch has never been released. You should be looking at the release-2.x branch. I would suggest you check your application and see if junit is actually being brought in. Unless you have included it, it should not be there.

[~mattsicker] "Someone" added junit-vintage-engine, etc to log4j-api without adding <scope>test</scope>. The scope is inherited from the parent pom.xml. As shown below, mvn dependency:tree recognizes this as a test dependency and, in fact, log4j-api has no required dependencies.  Apparently the Snyk tool does not handle inheritance properly. So this is a false positive.

 
{code:java}
[INFO] ------------------------------------------------------------------------
[INFO] Building Apache Log4j API 2.14.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ log4j-api ---
[INFO] org.apache.logging.log4j:log4j-api:jar:2.14.1-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-api-java9:zip:2.14.1-SNAPSHOT:provided
[INFO] +- org.apache.felix:org.apache.felix.framework:jar:5.6.12:test
[INFO] +- org.osgi:org.osgi.core:jar:4.3.1:provided
[INFO] +- org.junit.vintage:junit-vintage-engine:jar:5.7.0:test
[INFO] |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO] |  +- org.junit.platform:junit-platform-engine:jar:1.7.0:test
[INFO] |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  \- org.junit.platform:junit-platform-commons:jar:1.7.0:test
[INFO] |  \- junit:junit:jar:4.13.1:test
[INFO] |     \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.junit.jupiter:junit-jupiter-migrationsupport:jar:5.7.0:test
[INFO] |  \- org.junit.jupiter:junit-jupiter-api:jar:5.7.0:test
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.7.0:test
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.7.0:test
[INFO] +- org.assertj:assertj-core:jar:3.18.1:test
[INFO] +- org.eclipse.tycho:org.eclipse.osgi:jar:3.13.0.v20180226-1711:test
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-model:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-settings:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.6.3:test
[INFO] |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:test
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:test
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:test
[INFO] |  +- org.apache.maven:maven-builder-support:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-artifact:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-plugin-api:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-resolver-provider:jar:3.6.3:test
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.25:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.4.1:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.4.1:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.4.1:test
[INFO] |  +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:test
[INFO] |  |  \- commons-io:commons-io:jar:2.8.0:test
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:test
[INFO] |  |  \- javax.enterprise:cdi-api:jar:1.0:test
[INFO] |  |     \- javax.annotation:jsr250-api:jar:1.0:test
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.4:test
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.1:test
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:test
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:test
[INFO] |  |     +- com.google.code.findbugs:jsr305:jar:3.0.2:test
[INFO] |  |     +- org.checkerframework:checker-compat-qual:jar:2.0.0:test
[INFO] |  |     +- com.google.errorprone:error_prone_annotations:jar:2.1.3:test
[INFO] |  |     +- com.google.j2objc:j2objc-annotations:jar:1.1:test
[INFO] |  |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:test
[INFO] |  +- javax.inject:javax.inject:jar:1:test
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.3.0:test
[INFO] |  +- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:test
[INFO] |  \- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:test
[INFO] +- org.apache.commons:commons-lang3:jar:3.11:test
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:test
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:test
[INFO]    \- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:test (optional) 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
{code}
was (Author: ralph.goers@dslextreme.com):
[~Hakky54] You are looking at the wrong branch. The master branch has never been released.  You should be looking at the release-2.x branch.

[~mattsicker] "Someone" added junit-vintage-engine, etc to log4j-api without adding <scope>test</scope>. The scope is inherited from the parent pom.xml. As shown below, mvn dependency:tree recognizes this as a test dependency and, in fact, log4j-api has no required dependencies.  Apparently the Snyk tool does not handle inheritance properly. So this is a false positive.

> Snyk reports vulnerability for log4j-to-slf4j caused by junit transitive dependency
> -----------------------------------------------------------------------------------
>
>                 Key: LOG4J2-2987
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2987
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: SLF4J Bridge
>    Affects Versions: 2.14.0
>            Reporter: Hakan Altindag
>            Priority: Minor
>         Attachments: image-2020-12-30-11-44-03-287.png
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> I am using log4j-to-slf4j bridge for my own library. During the regular vulnerability scan it reported that it has a vulnerability caused by a transitive dependency from log4j-api which has a compile scoped dependency of org.junit.jupiter:junit-jupiter-migrationsupport.
> See here for a screenshot:
> !image-2020-12-30-11-44-03-287.png!
> See here for the report: [https://app.snyk.io/org/hakky54/project/667055da-a0a4-461f-a169-e88bd2f94ce1]
>  
> This issue can be fixed by adding the test scope to the dependency in the following file: https://github.com/apache/logging-log4j2/blob/master/log4j-api/pom.xml
> I am not familiar with the code base, so I was not sure if someone did not put a test scope on purpose... But looking at the other dependencies, the following could also be marked as test scope: junit-vintage-engine, junit-jupiter-migrationsupport, junit-jupiter-params, junit-jupiter-engine, assertj-core



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
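The disagreement in this thread comes down to where a dependency's scope is declared: a child POM that lists junit without a <scope> inherits the scope from the parent's <dependencyManagement>, which is what mvn dependency:tree honours and what a scanner reading only the child POM misses. The following Python script is an added illustration, not code from the Log4j project or from Snyk. The two POM fragments are constructed for this example and modelled on the situation described above; they are not the real log4j-parent or log4j-api POMs. The resolver is a deliberately simplified model of Maven's behaviour (it applies only the nearest parent's <dependencyManagement> and ignores BOM imports, profiles and the parent's own <dependencies>), enough to show the "declared" versus "effective" scope gap that produces the false positive.

```python
# Added example: compare a naive child-POM-only reading of dependency scope
# with the effective scope after applying the parent's <dependencyManagement>.
# Both POM fragments below are constructed for this illustration; they are
# modelled on the LOG4J2-2987 report, not copied from the real Log4j POMs.
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed parent POM: versions and scopes live under dependencyManagement.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-migrationsupport</artifactId>
      <version>5.7.0</version><scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.osgi</groupId><artifactId>org.osgi.core</artifactId>
      <version>4.3.1</version><scope>provided</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed child POM: the managed dependencies carry no <scope> of their own,
# plus one genuine runtime dependency declared in full.
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version>
  </parent>
  <artifactId>child-api</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-migrationsupport</artifactId>
    </dependency>
    <dependency>
      <groupId>org.osgi</groupId><artifactId>org.osgi.core</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>real-runtime-lib</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>
</project>"""


def _text(el, tag):
    """Text of a direct child element in the POM namespace, or None."""
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _ga(dep):
    return (_text(dep, "groupId"), _text(dep, "artifactId"))


def managed_scopes(parent_xml):
    """(groupId, artifactId) -> scope declared under the parent's dependencyManagement."""
    root = ET.fromstring(parent_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    return {_ga(d): (_text(d, "scope") or "compile") for d in root.findall(path, NS)}


def declared_scopes(child_xml):
    """Naive reading: the scope literally written in the child POM (Maven default: compile)."""
    root = ET.fromstring(child_xml)
    return {_ga(d): (_text(d, "scope") or "compile")
            for d in root.findall("m:dependencies/m:dependency", NS)}


def effective_scopes(child_xml, parent_xml):
    """Scope as Maven resolves it: an explicit child scope wins, otherwise the
    parent's managed scope applies, otherwise the default compile scope."""
    managed = managed_scopes(parent_xml)
    root = ET.fromstring(child_xml)
    out = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = _ga(dep)
        out[key] = _text(dep, "scope") or managed.get(key, "compile")
    return out


def runtime_reachable(scopes):
    """Artifacts a downstream consumer actually inherits: compile and runtime scope.
    test and provided dependencies are never transitive to consumers."""
    return sorted(ga for ga, scope in scopes.items() if scope in ("compile", "runtime"))


if __name__ == "__main__":
    naive, real = declared_scopes(CHILD_POM), effective_scopes(CHILD_POM, PARENT_POM)
    for ga in naive:
        print(f"{ga[0]}:{ga[1]:35s} declared={naive[ga]:8s} effective={real[ga]}")
    print("child-POM-only scanner would flag:", runtime_reachable(naive))
    print("actually inherited by consumers:  ", runtime_reachable(real))
```

Run as-is, the naive reading reports all three artifacts as compile-scope and therefore transitive, while the effective resolution leaves only real-runtime-lib reachable from a consumer, which matches what mvn dependency:tree prints for log4j-api above. When triaging a scanner finding like this one, mvn help:effective-pom on the module (or dependency:tree in the consuming project) is the authoritative check, since it shows the merged model rather than the child POM text.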