Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(dependencies): remove unnecessary dependency on log4j-core #1087

Merged
merged 3 commits into from
Aug 10, 2023
Merged

chore(dependencies): remove unnecessary dependency on log4j-core #1087

merged 3 commits into from
Aug 10, 2023

Commits on Aug 10, 2023

  1. chore(dependencies): remove unnecessary dependency on log4j-core 

    and make dependencies on log4j-api explicit.

spinnaker#1069 introduced the dependency on org.apache.logging.log4j.log4j-core in kork-artifacts, but it's not necessary.  At least, after removing it, and verifying the dependency is gone from

$ ./gradle kork-artifacts:dependencies

the code still builds fine.  As well

$ git grep "import org.apache.logging.log4j"
kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/user/UserSecretTypeProvider.java:import org.apache.logging.log4j.LogManager;
kork-security/src/main/java/com/netflix/spinnaker/security/AuthenticatedRequestDecorator.java:import org.apache.logging.log4j.ThreadContext;

turns up classes present in log4j-api, but nothing in log4j-core.

As well uses of the @log4j2 annotation depend on log4j-api (see https://projectlombok.org/api/lombok/extern/log4j/Log4j2)

$ git grep @log4j2
kork-artifacts/src/main/java/com/netflix/spinnaker/kork/artifacts/artifactstore/ArtifactStoreConfiguration.java:@log4j2
kork-artifacts/src/main/java/com/netflix/spinnaker/kork/artifacts/artifactstore/s3/S3ArtifactStore.java:@log4j2
kork-core/src/main/java/com/netflix/spinnaker/kork/jackson/JsonTypeNameParser.java:@log4j2
kork-credentials/src/main/java/com/netflix/spinnaker/credentials/jackson/SensitiveSerializer.java:@log4j2
kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/EncryptedSecret.java:@log4j2

This all makes the comment in spinnaker-dependencies.gradle true again:

Per analysis, log4j-core is not included in dependencies
    @dbyron-sf
    dbyron-sf committed Aug 10, 2023
    Configuration menu
    Copy the full SHA
    7e9d9b4 View commit details
    Browse the repository at this point in the history

  2. chore(dependencies): use version 2.17.1 of log4j-bom 

    to address CVE-2021-45105 and CVE-2021-44832.
    @dbyron-sf
    dbyron-sf committed Aug 10, 2023
    Configuration menu
    Copy the full SHA
    cb79623 View commit details
    Browse the repository at this point in the history

  3. chore(dependencies): use version 2.20.0 of log4j-bom 

    to stay up to date
    @dbyron-sf
    dbyron-sf committed Aug 10, 2023
    Configuration menu
    Copy the full SHA
    2140eeb View commit details
    Browse the repository at this point in the history