deps(fix): update to 2.16.0 log4j version and ban all 2.x versions wh…

…ich are <= 2.15.0 (#3380) Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly: - [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/java-bigtable-hbase/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea - [ ] Ensure the tests and linter pass - [ ] Code coverage does not decrease (if any source code was changed) - [ ] Appropriate docs were updated (if necessary) Fixes #<issue_number_goes_here> ☕️
googleapis · Dec 14, 2021 · 3e3fb6c · 3e3fb6c
1 parent be82a2f
commit 3e3fb6c
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/bigtable-dataflow-parent/bigtable-beam-import/pom.xml b/bigtable-dataflow-parent/bigtable-beam-import/pom.xml
@@ -169,6 +169,12 @@ limitations under the License.
       <artifactId>slf4j-api</artifactId>
       <version>${slf4j.version}</version>
     </dependency>
+
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
+    </dependency>
     <!-- https://mvnrepository.com/artifact/com.google.cloud.bigdataoss/gcs-connector -->
     <dependency>
       <groupId>com.google.cloud.bigdataoss</groupId>
@@ -380,6 +386,10 @@ limitations under the License.
             <usedDependency>org.apache.beam:beam-runners-direct-java
             </usedDependency>
           </usedDependencies>
+          <ignoredUnusedDeclaredDependencies>
+            <!-- log4j-api dependency is added to enforce log4j versions with CVE fixes -->
+            <ignoredUnusedDeclaredDependency>org.apache.logging.log4j:log4j-api</ignoredUnusedDeclaredDependency>
+          </ignoredUnusedDeclaredDependencies>
         </configuration>
       </plugin>
 

diff --git a/bigtable-dataflow-parent/bigtable-hbase-beam/pom.xml b/bigtable-dataflow-parent/bigtable-hbase-beam/pom.xml
@@ -95,6 +95,12 @@ limitations under the License.
       <version>1.21</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
@@ -251,6 +257,10 @@ limitations under the License.
               org.apache.beam:beam-sdks-java-io-hbase
             </usedDependency>
           </usedDependencies>
+          <ignoredUnusedDeclaredDependencies>
+            <!-- log4j-api dependency is added to enforce log4j versions with CVE fixes -->
+            <ignoredUnusedDeclaredDependency>org.apache.logging.log4j:log4j-api</ignoredUnusedDeclaredDependency>
+          </ignoredUnusedDeclaredDependencies>
         </configuration>
       </plugin>
     </plugins>

diff --git a/bigtable-hbase-1.x-parent/bigtable-hbase-1.x-tools/pom.xml b/bigtable-hbase-1.x-parent/bigtable-hbase-1.x-tools/pom.xml
@@ -11,7 +11,6 @@
 
   <properties>
     <mainclass>com.google.cloud.bigtable.hbase.tools.HBaseSchemaTranslator</mainclass>
-    <log4j2.version>2.15.0</log4j2.version>
   </properties>
   <artifactId>bigtable-hbase-1.x-tools</artifactId>
 

diff --git a/pom.xml b/pom.xml
@@ -63,6 +63,7 @@ limitations under the License.
     <slf4j.version>1.7.25</slf4j.version>
     <commons-logging.version>1.2</commons-logging.version>
     <jsr305.version>3.0.2</jsr305.version>
+    <log4j2.version>2.16.0</log4j2.version>
 
     <!-- hbase dependency versions -->
     <hbase.version.1>1.4.12</hbase.version.1>
@@ -266,6 +267,28 @@ limitations under the License.
           <ignoreNonCompile>true</ignoreNonCompile>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-enforcer-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>enforce-banned-deps</id>
+            <goals>
+              <goal>enforce</goal>
+            </goals>
+            <configuration>
+              <rules>
+                <!-- ban all log4j 2.x deps with CVEs -->
+                <bannedDependencies>
+                  <excludes>
+                    <exclude>org.apache.logging.log4j:*:[2.0-alpha1,2.15.0]</exclude>
+                  </excludes>
+                </bannedDependencies>
+              </rules>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 </project>