Posted to commits@nifi.apache.org by jo...@apache.org on 2021/12/13 18:05:25 UTC
[nifi] 04/04: NIFI-9474 Block log4j-core older than 2.15.0
This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch support/nifi-1.15
in repository https://gitbox.apache.org/repos/asf/nifi.git
commit da03510c6de21b225fa9f4e303ede71917e7a1c4
Author: Bryan Bende <bb...@gmail.com>
AuthorDate: Mon Dec 13 09:41:34 2021 -0500
NIFI-9474 Block log4j-core older than 2.15.0
- Add log4j-bom to root Maven configuration
- Remove previous overrides in favor of log4j-bom in root Maven configuration
This closes #5598
Signed-off-by: David Handermann <ex...@apache.org>
---
nifi-nar-bundles/nifi-atlas-bundle/pom.xml | 8 --------
nifi-nar-bundles/nifi-druid-bundle/pom.xml | 8 --------
.../nifi-elasticsearch-5-processors/pom.xml | 3 ---
nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml | 8 --------
nifi-nar-bundles/nifi-hive-bundle/pom.xml | 8 --------
nifi-nar-bundles/nifi-ranger-bundle/pom.xml | 8 --------
.../nifi-registry-core/nifi-registry-framework/pom.xml | 11 -----------
.../nifi-registry-core/nifi-registry-web-api/pom.xml | 11 -----------
.../nifi-registry-extensions/nifi-registry-ranger/pom.xml | 8 --------
pom.xml | 10 ++++++++++
10 files changed, 10 insertions(+), 73 deletions(-)
diff --git a/nifi-nar-bundles/nifi-atlas-bundle/pom.xml b/nifi-nar-bundles/nifi-atlas-bundle/pom.xml
index f750710..cd2e649 100644
--- a/nifi-nar-bundles/nifi-atlas-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-atlas-bundle/pom.xml
@@ -96,14 +96,6 @@
<artifactId>netty-transport-native-epoll</artifactId>
<version>${netty.4.version}</version>
</dependency>
- <!-- Override log4j -->
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>2.15.0</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
</dependencies>
</dependencyManagement>
diff --git a/nifi-nar-bundles/nifi-druid-bundle/pom.xml b/nifi-nar-bundles/nifi-druid-bundle/pom.xml
index 2997b2b..0a203a0 100644
--- a/nifi-nar-bundles/nifi-druid-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-druid-bundle/pom.xml
@@ -76,14 +76,6 @@
<artifactId>snakeyaml</artifactId>
<version>1.29</version>
</dependency>
- <!-- Override log4j 2.5 from druid -->
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>2.15.0</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
<!-- Override zookeeper -->
<dependency>
<groupId>org.apache.zookeeper</groupId>
diff --git a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
index 7fe8270..00800fc 100644
--- a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
@@ -24,7 +24,6 @@ language governing permissions and limitations under the License. -->
<slf4jversion>2.7</slf4jversion>
<es.version>5.0.1</es.version>
<lucene.version>6.2.1</lucene.version>
- <log4j.version>2.15.0</log4j.version>
</properties>
<dependencies>
@@ -81,12 +80,10 @@ language governing permissions and limitations under the License. -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
- <version>${log4j.version}</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
- <version>${log4j.version}</version>
</dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
diff --git a/nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml b/nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml
index 447ce3c..46ad243 100644
--- a/nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml
@@ -64,14 +64,6 @@ language governing permissions and limitations under the License. -->
<artifactId>commons-compress</artifactId>
<version>1.21</version>
</dependency>
- <!-- Override log4j 2.11.1 -->
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>2.15.0</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
</dependencies>
</dependencyManagement>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/pom.xml
index 80db010..7034a4f 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/pom.xml
@@ -96,14 +96,6 @@
<artifactId>derby</artifactId>
<version>10.14.2.0</version>
</dependency>
- <!-- Override log4j 2.10.0 -->
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>2.15.0</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
<!-- Override zookeeper -->
<dependency>
<groupId>org.apache.zookeeper</groupId>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
index 66543cf..c56aeed 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
@@ -71,14 +71,6 @@
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
</dependency>
- <!-- Override log4j 2.11.1 -->
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>2.15.0</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
</dependencies>
</dependencyManagement>
</project>
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml b/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
index 0f122c9..08bb64e 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
@@ -207,17 +207,6 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${spring.boot.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-to-slf4j</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-to-slf4j</artifactId>
- <version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml b/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml
index 91e6330..4f1175c 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml
@@ -320,17 +320,6 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${spring.boot.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-to-slf4j</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-to-slf4j</artifactId>
- <version>2.15.0</version>
</dependency>
<dependency>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
index db7fbe3..a091ffb 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
@@ -77,14 +77,6 @@
<artifactId>jetty-webapp</artifactId>
<version>${jetty.version}</version>
</dependency>
- <!-- Override log4j 2.11.1 -->
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>2.15.0</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
<!-- Override zookeeper -->
<dependency>
<groupId>org.apache.zookeeper</groupId>
diff --git a/pom.xml b/pom.xml
index 727fcdb..a470828 100644
--- a/pom.xml
+++ b/pom.xml
@@ -483,6 +483,14 @@
<artifactId>aspectjweaver</artifactId>
<version>${aspectj.version}</version>
</dependency>
+ <!-- Ensure log4j-core 2.15.0 is used by any transitive dependencies to remediate Log4Shell vulnerability -->
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-bom</artifactId>
+ <version>2.15.0</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
</dependencies>
</dependencyManagement>
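Review bot: The comment on the added log4j-bom import promises more than a `dependencyManagement` import delivers. An import only sets the default version for modules that inherit this POM and declare none of their own, so a child with an explicit `<version>` or its own managed entry still wins. The actual guarantee comes from the ban added in the second hunk of this file, and the comment should say so, for example `<!-- Manage log4j 2 artifacts at 2.15.0 for modules inheriting this POM; the banned-dependency rule below rejects older log4j-core (Log4Shell) -->`. The enclosing `dependencyManagement` block starts outside the hunk, and among imported BOMs the first declaration wins, so it is worth confirming that no earlier import in that block already manages `org.apache.logging.log4j` artifacts.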
@@ -774,6 +782,8 @@
<exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
<!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
<exclude>log4j:log4j:*</exclude>
+ <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
+ <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
</excludes>
<includes>
<!-- Versions of JSR305 after 3.0.1 are allowed https://github.com/findbugsproject/findbugs/issues/128 -->
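Review bot: The floor `2.15.0` in the new `<exclude>` is a second hard-coded copy of the version in the log4j-bom import from the previous hunk, so a later bump has to touch both or the ban and the managed version drift apart. A shared property would keep them in step, e.g. `<version>${log4j2.version}</version>` and `<exclude>org.apache.logging.log4j:log4j-core:(,${log4j2.version})</exclude>` (the property name is a suggestion, not taken from this file). A rule of this kind also inspects resolved Maven artifacts only, so log4j-core classes repackaged inside a shaded or vendored jar would presumably pass it. Scanning the built archives for `JndiLookup.class` is a useful complement.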