as it is known, log4j vulnerability has emerged. How can we close this gap in our own projects? Do we have a chance to push a version on gradle?
CodePudding user response:
My own solution to help
constraints{
implementation("org.apache.logging.log4j:log4j-core"){
version{
strictly("[2.15,3[")
prefer("2.15.0")
}
because("CVE-2021-44228 : Log4j is vulnerable to remote code execution")
}
}
CodePudding user response:
This is the solution we used in our spring-boot project where we manage dependencies using the enforcedPlatform
method:
dependencies {
api(enforcedPlatform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")) {
exclude(group: "org.apache.logging.log4j")
}
api(platform("org.apache.logging.log4j:log4j-bom:2.15.0")) {
because "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
}
}
This is designed to be in-place until such time as we're in a position to upgrade to a version of Spring Boot that pulls in the fixed version itself.