I was trying to remove the log4j dependency from my project, which is a huge repository. After having a close look at the gradle files I found that one of the modules refers to the log4j dependency, which I excluded in gradle as shown in the code below (`exclude group: 'log4j', module: 'log4j'`):

```groovy
client {
    exclude group: 'org.slf4j', module: 'slf4j-log4j12'
    exclude group: 'log4j', module: 'log4j'
    exclude group: 'org.mortbay.jetty'
}
```
After this, I ran a search for the log4j jar, and it was not found in the entire repository. This is the search result in the repository:

```
gunwant@devbox:bdp$ find ./ -regex ".*log4j.*.jar"
./resources/spark/client-lib/apache-log4j-extras-1.2.17.jar
./resources/cassandra/lib/log4j-over-slf4j-1.7.25.jar
./resources/graph-server/lib/apache-log4j-extras-1.2.17.jar
./resources/log4j-appender/lib/cassandra-log4j-appender-3.1.0.jar
./dse-db/lib/log4j-over-slf4j-1.7.25.jar
```
But the FOSSA security report on Jenkins shows a log4j vulnerability.
This is where I got stuck. I looked again in the repository by running `gradle allDeps`, which listed all the dependencies, and I found a recursive dependency in the hadoop module:
```
| | +--- org.apache.hadoop:hadoop-auth:2.7.1.4
| | |    +--- org.slf4j:slf4j-api:1.7.10 -> 1.7.25
| | |    +--- commons-codec:commons-codec:1.4 -> 1.15
| | |    +--- log4j:log4j:1.2.17
| | |    +--- org.apache.httpcomponents:httpclient:4.4.1 -> 4.5.9 (*)
| | |    +--- org.apache.directory.server:apacheds-kerberos-codec:2.0.0-M15 -> 2.0.0-M24
| | |    |    +--- org.apache.directory.server:apacheds-i18n:2.0.0-M24
| | |    |    |    \--- org.slf4j:slf4j-api:1.7.25
| | |    |    +--- org.apache.directory.api:api-asn1-api:1.0.0 -> 1.0.3 (*)
| | |    |    +--- org.apache.directory.api:api-asn1-ber:1.0.0 -> 1.0.3 (*)
| | |    |    +--- org.apache.directory.api:api-i18n:1.0.0 -> 1.0.3
| | |    |    +--- org.apache.directory.api:api-ldap-model:1.0.0 -> 1.0.3 (*)
| | |    |    +--- org.apache.directory.api:api-util:1.0.0 -> 1.0.3 (*)
| | |    |    +--- net.sf.ehcache:ehcache:2.10.4
| | |    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.7.25
| | |    |    \--- org.slf4j:slf4j-api:1.7.25
| | |    +--- org.apache.zookeeper:zookeeper:3.4.6
```
and in zookeeper as well:
```
| | |    +--- org.apache.zookeeper:zookeeper:3.4.6
| | |    |    +--- org.slf4j:slf4j-api:1.6.1 -> 1.7.25
| | |    |    +--- log4j:log4j:1.2.16 -> 1.2.17
| | |    |    +--- jline:jline:0.9.94 -> 2.14.6
| | |    |    \--- io.netty:netty:3.7.0.Final
```
My first question is: how come FOSSA is reporting log4j as a vulnerability even though the log4j jar file is not physically present in the repo? I know that FOSSA scans for recursive dependencies.

My second question is: how can we exclude log4j from the org.apache.hadoop and org.apache.zookeeper recursive dependencies?

I am sure someone must have solved this issue earlier.
Answer
I would use the below, but also make sure you add the correct slf4j library to replace the interface, i.e. log4j-over-slf4j.

```groovy
project.configurations {
    // Drop log4j 1.x and the legacy logging facades from every configuration,
    // including transitive ones such as hadoop-auth -> log4j and zookeeper -> log4j.
    all*.exclude group: 'commons-logging', module: 'commons-logging'
    all*.exclude group: 'log4j', module: 'log4j'
    all*.exclude group: 'org.slf4j', module: 'slf4j-log4j12'
}
project.dependencies {
    // Bridges so that code written against log4j 1.x / commons-logging still logs
    // through slf4j. The version is the one resolved in the tree above; omit it if
    // a platform/BOM already supplies slf4j versions.
    implementation 'org.slf4j:slf4j-api:1.7.25'
    implementation 'org.slf4j:jcl-over-slf4j:1.7.25'
    implementation 'org.slf4j:log4j-over-slf4j:1.7.25'
}
```
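To make the first question checkable, here is a small script (added here; it is not part of the question or the answer) that parses the tree format printed by `gradle dependencies` / `allDeps` and lists every dependency chain ending at `log4j:log4j`. Those chains are what a scanner such as FOSSA sees in the resolved graph even when no log4j jar is checked into the repository. The sample tree is constructed to mirror the hadoop-auth and zookeeper fragments above; feed it the real output after adding the exclude to confirm the chains are gone.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape printed by `gradle dependencies`
# (mirrors the hadoop-auth / zookeeper subtree from the question).
SAMPLE_TREE = """\
+--- org.apache.hadoop:hadoop-auth:2.7.1.4
|    +--- org.slf4j:slf4j-api:1.7.10 -> 1.7.25
|    +--- log4j:log4j:1.2.17
|    \\--- org.apache.zookeeper:zookeeper:3.4.6
|         +--- log4j:log4j:1.2.16 -> 1.2.17
|         \\--- io.netty:netty:3.7.0.Final
\\--- org.slf4j:log4j-over-slf4j:1.7.25
"""

# One tree node: indentation, "+---" or "\---", coordinates, optional "-> resolved".
NODE_RE = re.compile(r'^(?P<indent>[|\s]*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?')

def parse_paths(tree: str) -> List[Tuple[str, ...]]:
    """Return the root-to-node chain for every node in the tree.

    Each nesting level in Gradle's output is 5 characters wide
    ('|    ' or '     '), so depth = len(indent) // 5.
    """
    stack: List[str] = []
    paths: List[Tuple[str, ...]] = []
    for line in tree.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group('indent')) // 5
        parts = m.group('coord').split(':')
        # "1.2.16 -> 1.2.17" means 1.2.17 is what actually ends up on the classpath.
        version = m.group('resolved') or (parts[2] if len(parts) > 2 else '')
        node = f'{parts[0]}:{parts[1]}:{version}'
        del stack[depth:]          # pop back to this node's parent
        stack.append(node)
        paths.append(tuple(stack))
    return paths

def paths_to(tree: str, module: str) -> List[Tuple[str, ...]]:
    """All chains whose last element is the given group:artifact."""
    return [p for p in parse_paths(tree) if p[-1].rsplit(':', 1)[0] == module]

def culprits(tree: str, module: str) -> List[str]:
    """Direct dependencies that pull the module in (where an exclude belongs)."""
    return sorted({p[0] for p in paths_to(tree, module)})

if __name__ == '__main__':
    for chain in paths_to(SAMPLE_TREE, 'log4j:log4j'):
        print(' -> '.join(chain))
```

Pipe the real output in with `gradle dependencies --configuration runtimeClasspath` and an empty result for `log4j:log4j` is the condition you want before trusting the scanner to go green.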