log4j exclusion from the pom.xml file

Time:05-10

I am trying to fix log4j vulnerabilities and I have updated the existing log4j to the latest log4j-core version.

I tried adding an exclusion in the googlecode.owasp dependency, but the old version, log4j-1.2.12, is still added to the war file. As of now, there is no change in the maven plugin.

Please let me know how to exclude log4j-1.2.12.

maven dependency:tree

    [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ Invoice ---
    [INFO] Bookings:Invoice:war:0.0.1-SNAPSHOT
    [INFO] +- Bookings:Miscellaneous:jar:0.0.1-SNAPSHOT:compile
    [INFO] |  +- org.owasp.esapi:esapi:jar:2.1.0:compile
    [INFO] |  |  +- commons-configuration:commons-configuration:jar:1.5:compile
    [INFO] |  |  |  \- commons-digester:commons-digester:jar:1.8:compile
    [INFO] |  |  +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
    [INFO] |  |  +- xom:xom:jar:1.2.5:compile
    [INFO] |  |  |  \- xalan:xalan:jar:2.7.0:compile
    [INFO] |  |  \- org.beanshell:bsh-core:jar:2.0b4:compile
    [INFO] |  +- xalan:serializer:jar:2.7.1:compile
    [INFO] |  |  \- xml-apis:xml-apis:jar:1.3.04:compile
    [INFO] |  +- org.owasp.antisamy:antisamy:jar:1.4.4:compile
    [INFO] |  |  +- xerces:xercesImpl:jar:2.8.1:compile
    [INFO] |  |  +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
    [INFO] |  |  |  +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
    [INFO] |  |  |  +- org.apache.xmlgraphics:batik-util:jar:1.7:compile
    [INFO] |  |  |  \- xml-apis:xml-apis-ext:jar:1.3.04:compile
    [INFO] |  |  +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile
    [INFO] |  |  \- commons-httpclient:commons-httpclient:jar:3.1:compile
    [INFO] |  +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
    [INFO] |  +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r156:compile
    [INFO] |  |  +- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [11.0,))
    [INFO] |  |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
    [INFO] |  |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
    [INFO] |  |  |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
    [INFO] |  |  |  +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
    [INFO] |  |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
    [INFO] |  |  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (version selected from constraint [1.3.9,))
    [INFO] |  \- log4j:log4j:jar:1.2.12:compile

CodePudding user response:

It looks like Bookings:Miscellaneous:jar depends on log4j.

Change the bookings:miscellaneous dependency to something like this:

    <dependency>
        <groupId>Bookings</groupId>
        <artifactId>Miscellaneous</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <exclusions>
            <exclusion>
                <groupId>log4j</groupId>
                <artifactId>log4j</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Then add a dependency to logback. Something like this:

    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>{someversion-your-choice}</version>
    </dependency>

Finally, add the adaptor from log4j to slf4j:

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-to-slf4j</artifactId>
        <version>{someversion-your-choice}</version>
    </dependency>
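The answer above found the offending direct dependency by reading the tree by eye. As an added example (not code from the question or the answer), here is a small Python parser for `mvn dependency:tree` output that walks the tree, reports every path leading to a given artifact, names the direct dependency that must carry the `<exclusion>`, and renders that dependency block in the shape shown in the answer. The tree text is a constructed sample in the shape of the one in the question, and the function names are my own.

```python
import re
from typing import List, Optional

# One `mvn dependency:tree` line: "[INFO] ", indent blocks of three characters
# ("|  " or "   "), an optional connector ("+- " or "\- "), then coordinates.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<conn>[+\\]-\s+)?(?P<gav>[^\s:]+:\S+)"
)

# Constructed sample in the shape of the tree in the question; only the branch
# that matters is kept and the other subtrees are shortened.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ Invoice ---
[INFO] Bookings:Invoice:war:0.0.1-SNAPSHOT
[INFO] \\- Bookings:Miscellaneous:jar:0.0.1-SNAPSHOT:compile
[INFO]    +- org.owasp.esapi:esapi:jar:2.1.0:compile
[INFO]    |  \\- commons-configuration:commons-configuration:jar:1.5:compile
[INFO]    +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r156:compile
[INFO]    |  \\- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [11.0,))
[INFO]    \\- log4j:log4j:jar:1.2.12:compile
"""

def find_paths(tree_text: str, group_id: str, artifact_id: str) -> List[List[str]]:
    """Every root-to-leaf path whose leaf is group_id:artifact_id."""
    stack: List[str] = []   # coordinates of the current line's ancestors
    paths: List[List[str]] = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:           # plugin banner, BUILD SUCCESS, blank lines
            continue
        depth = len(m.group("indent")) // 3 + (1 if m.group("conn") else 0)
        del stack[depth:]   # climb back up to this line's parent
        stack.append(m.group("gav"))
        if m.group("gav").split(":")[:2] == [group_id, artifact_id]:
            paths.append(list(stack))
    return paths

def exclusion_target(path: List[str]) -> Optional[str]:
    """Direct dependency (depth 1) that must carry the <exclusion>; None if the match is the project or a direct dependency."""
    return path[1] if len(path) > 2 else None

def exclusion_snippet(path: List[str]) -> str:
    """Render that direct dependency with an <exclusion> for the leaf."""
    direct, leaf = path[1].split(":"), path[-1].split(":")
    version = direct[-2] if len(direct) >= 5 else direct[-1]   # drop the scope
    return (f"<dependency>\n  <groupId>{direct[0]}</groupId>\n"
            f"  <artifactId>{direct[1]}</artifactId>\n  <version>{version}</version>\n"
            f"  <exclusions>\n    <exclusion>\n      <groupId>{leaf[0]}</groupId>\n"
            f"      <artifactId>{leaf[1]}</artifactId>\n    </exclusion>\n"
            f"  </exclusions>\n</dependency>")
```

Run `find_paths` over your own `mvn dependency:tree` output and re-run it after adding the exclusion: an empty result for `log4j:log4j` confirms nothing else still pulls the old jar into the war.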