Home > OS >  How to fix Log4J Vulnerability in Gradle Project
How to fix Log4J Vulnerability in Gradle Project

Time:12-22

I can see org.apache.logging.log4j:log4j-core:2.14.0 Library in Gradle dependency tree for my project.

We have not added log4j version from outside. This version is coming as part of transitive dependencies from other jars or spring-boot-starter.

How to override the log4j version in Gradle?

CodePudding user response:

First, find out which log4j-related libraries you are really using, e.g. by

 .\gradlew dependencies --configuration=testRuntimeClasspath | find "log4j"

The override them with a current version like so (docs), placed after the dependencies block:

configurations.all {
    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.16.0'
        force 'org.apache.logging.log4j:log4j-core:2.16.0'
        force 'org.apache.logging.log4j:log4j-slf4j-impl:2.16.0'
        force 'org.apache.logging.log4j:log4j-jul:2.16.0'
    }
}

You might need to add more/fewer libraries to that block depending on the results of the check in the beginning.

Since you are using Spring Boot, you can also use a Spring-Boot-specific feature to set the Log4J version:

ext['log4j2.version'] = '2.16.0'

CodePudding user response:

I'm on MacOS and using subprojects:

First I run: ./gradlew projects which will list my subprojects:

The output:

:projects

------------------------------------------------------------
Root project
------------------------------------------------------------

Root project 'test-backend'
 --- Project ':test-suite'
 --- Project ':test-suite-services'
\--- Project ':test-utils'

Using the output we can one by one check for dependencies:

./gradlew test-suite:dependencies | grep "log4j"
./gradlew test-suite-services:dependencies | grep "log4j"
./gradlew test-utils:dependencies | grep "log4j"
  • Related