Posted to dev@zeppelin.apache.org by GitBox <gi...@apache.org> on 2022/01/13 17:22:51 UTC

[GitHub] [zeppelin] woowahan-jaehoon opened a new pull request #4286: [ZEPPELIN-5613] zeppelin-interpreter-parent: Add dependencyManagement for log4j2 in pom.xml

woowahan-jaehoon opened a new pull request #4286:
URL: https://github.com/apache/zeppelin/pull/4286


   ### What is this PR for?
   I found that geode-interpreter is using log4j2, so I added dependencyManagement for log4j2.
   
   I think that this PR prevents a potential Log4Shell through future interpreters.
   
   
   ### What type of PR is it?
   [Bug Fix]
   
   ### Todos
   * Nothing
   
   ### What is the Jira issue?
   * https://issues.apache.org/jira/browse/ZEPPELIN-5613
   
   ### How should this be tested?
   ```
   mvn dependency:tree
   ```
   
   ### Screenshots (if appropriate)
   
   ### Questions:
   * Does the licenses files need update?
   ** No
   * Is there breaking changes for older versions?
   ** No
   * Does this needs documentation?
   ** No
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@zeppelin.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
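The PR's test step is `mvn dependency:tree`, but reading a large tree by eye is how a stale transitive log4j2 artifact slips through. The script below is an added example, not code from the PR or the Zeppelin project: it parses dependency:tree output and flags every `org.apache.logging.log4j` artifact whose resolved version differs from the one the parent POM pins. The sample tree, the `zeppelin-geode` coordinates and the `check_log4j_tree` function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the PR: check that every log4j2 artifact in
# `mvn dependency:tree` output resolves to the version pinned in
# dependencyManagement. Real use: mvn dependency:tree | check_log4j_tree 2.17.1

# Constructed sample of dependency:tree output for an interpreter module:
# log4j-api still resolves to 2.11.1, so the pin is not fully effective.
SAMPLE_TREE='[INFO] org.apache.zeppelin:zeppelin-geode:jar:0.9.0-SNAPSHOT
[INFO] +- org.apache.geode:geode-core:jar:1.9.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.11.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.17.1:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.30:compile'

# check_log4j_tree EXPECTED_VERSION   (reads dependency:tree output on stdin)
# Prints one STALE line per log4j2 artifact whose resolved version differs
# from EXPECTED_VERSION; exit status is 0 only when all of them match.
check_log4j_tree() {
  awk -v want="$1" '
    /org\.apache\.logging\.log4j:/ {
      # Coordinates are group:artifact:type[:classifier]:version:scope,
      # so the version is always the second-to-last colon-separated field.
      coord = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^org\.apache\.logging\.log4j:/) coord = $i
      n = split(coord, f, ":")
      ver = f[n - 1]
      if (ver != want) { printf "STALE %s (want %s)\n", coord, want; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Stand-alone demo on the constructed sample; real use pipes mvn output in.
printf '%s\n' "$SAMPLE_TREE" | check_log4j_tree 2.17.1 \
  || echo "log4j2 versions are not uniformly pinned"
```

Run it with `-Dverbose` output as well if you want to see which artifacts Maven reports as "version managed from"; the check itself only looks at the resolved coordinates.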



[GitHub] [zeppelin] zjffdu commented on a change in pull request #4286: [ZEPPELIN-5613] zeppelin-interpreter-parent: Add dependencyManagement for log4j2 in pom.xml

Posted by GitBox <gi...@apache.org>.
zjffdu commented on a change in pull request #4286:
URL: https://github.com/apache/zeppelin/pull/4286#discussion_r793225527



##########
File path: zeppelin-interpreter-parent/pom.xml
##########
@@ -33,6 +33,35 @@
   <version>0.9.0-SNAPSHOT</version>
   <name>Zeppelin: Interpreter Parent</name>
 
+  <properties>
+    <log4j2.version>2.17.1</log4j2.version>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-1.2-api</artifactId>
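
Review bot: the visible lines of the hunk stop at `<artifactId>log4j-1.2-api</artifactId>`, before any `<version>` element, so it is worth confirming that this managed entry carries `<version>${log4j2.version}</version>` and that `log4j-api` and `log4j-core` are managed at the same `${log4j2.version}` in the lines not shown; otherwise the new `log4j2.version` property pins nothing and an interpreter can still resolve a mixed set of log4j2 versions. `log4j-1.2-api` is the log4j 1.x-to-log4j2 bridge, so managing it here only helps when the rest of the log4j2 artifacts are pinned alongside it.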

Review comment:
       This is for log4j 1?




[GitHub] [zeppelin] Reamer commented on a change in pull request #4286: [ZEPPELIN-5613] zeppelin-interpreter-parent: Add dependencyManagement for log4j2 in pom.xml

Posted by GitBox <gi...@apache.org>.
Reamer commented on a change in pull request #4286:
URL: https://github.com/apache/zeppelin/pull/4286#discussion_r793355157



##########
File path: zeppelin-interpreter-parent/pom.xml
##########
@@ -33,6 +33,35 @@
   <version>0.9.0-SNAPSHOT</version>
   <name>Zeppelin: Interpreter Parent</name>
 
+  <properties>
+    <log4j2.version>2.17.1</log4j2.version>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-1.2-api</artifactId>

Review comment:
       I think the library does almost the same as `slf4j-log4j12`: it redirects all output made against the old log4j 1.2 API to log4j2. https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html
   
   I think we should drop this managed dependency in favor of `slf4j-log4j12` and exclude `log4j-1.2-api` in other dependencies.







[GitHub] [zeppelin] woowahan-jaehoon commented on a change in pull request #4286: [ZEPPELIN-5613] zeppelin-interpreter-parent: Add dependencyManagement for log4j2 in pom.xml

Posted by GitBox <gi...@apache.org>.
woowahan-jaehoon commented on a change in pull request #4286:
URL: https://github.com/apache/zeppelin/pull/4286#discussion_r816525438



##########
File path: zeppelin-interpreter-parent/pom.xml
##########
@@ -33,6 +33,35 @@
   <version>0.9.0-SNAPSHOT</version>
   <name>Zeppelin: Interpreter Parent</name>
 
+  <properties>
+    <log4j2.version>2.17.1</log4j2.version>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-1.2-api</artifactId>

Review comment:
       Zeppelin can drop log4j 1.x, but I think that the dependencies cannot drop log4j 1.x.
   
   I found log4j2 dependencies in other dependencies for interpreters, not Zeppelin's own code.







[GitHub] [zeppelin] Reamer commented on a change in pull request #4286: [ZEPPELIN-5613] zeppelin-interpreter-parent: Add dependencyManagement for log4j2 in pom.xml

Posted by GitBox <gi...@apache.org>.
Reamer commented on a change in pull request #4286:
URL: https://github.com/apache/zeppelin/pull/4286#discussion_r816580090



##########
File path: zeppelin-interpreter-parent/pom.xml
##########
@@ -33,6 +33,35 @@
   <version>0.9.0-SNAPSHOT</version>
   <name>Zeppelin: Interpreter Parent</name>
 
+  <properties>
+    <log4j2.version>2.17.1</log4j2.version>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-1.2-api</artifactId>

Review comment:
       I also searched for log4j1 library usages in Zeppelin and only found the following class which still uses log4j1 methods. Additionally, here even the implementation is used and not only the API.
   https://github.com/apache/zeppelin/blob/master/zeppelin-zengine/src/main/java/org/apache/zeppelin/helium/HeliumBundleFactory.java



