@tsmock tsmock commented Dec 16, 2021

Also, move classes using log4j to slf4j.

This should have no effect on runtime logging.

See also

Also, move classes using log4j to slf4j.

Signed-off-by: Taylor Smock <[email protected]>
tsmock commented Dec 16, 2021

Note: We can use dependency substitution to use the osgeo -norce version instead of excluding osgeo.

@Bentleysb Bentleysb left a comment

This looks great. Thanks for working to update this. Have you done any test runs with these changes, local or remote?

atiannicelli commented Dec 20, 2021

log4j 2.16.0 creates another vulnerability (CVE-2021-45105). So we need to upgrade to 2.17.0.

Edit - now we need it updated to 2.17.1
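The two points raised above, pinning every log4j artifact to 2.17.1 and using Gradle dependency substitution for the osgeo -norce variant instead of an exclude, as an added example that is not part of this PR or the project's build file. The osgeo coordinates are placeholders, and the names compareVersions and verifyLog4jVersion are my own; the fragment assumes the java plugin and Gradle 6 or later.

```groovy
// Added example build.gradle fragment (Groovy DSL), not the project's own build file.
// Assumes the 'java' plugin is applied and Gradle 6+ (for the substitute/using syntax).
configurations.all {
    resolutionStrategy {
        // Pin every log4j 2 artifact, direct or transitive, to the fixed release.
        eachDependency { DependencyResolveDetails details ->
            if (details.requested.group == 'org.apache.logging.log4j'
                    && details.requested.version != '2.17.1') {
                details.useVersion '2.17.1'
                details.because 'CVE-2021-44228 / CVE-2021-45105: log4j < 2.17.1'
            }
        }
        // Swap the osgeo artifact for its -norce build instead of excluding it outright.
        // The coordinates below are placeholders, not the real osgeo artifacts.
        dependencySubstitution {
            substitute module('org.example.osgeo:osgeo-lib') using module('org.example.osgeo:osgeo-lib-norce:1.0.0')
        }
    }
}

// Compare dotted version strings numerically (so 2.16.0 < 2.17.1, and 2.9.1 < 2.17.1).
int compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    for (int i = 0; i < Math.max(pa.size(), pb.size()); i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Guard: fail the build if anything on the runtime classpath still resolves
// a log4j artifact older than 2.17.1 (e.g. via a transitive dependency).
tasks.register('verifyLog4jVersion') {
    doLast {
        def bad = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.logging.log4j' && compareVersions(it.version, '2.17.1') < 0 }
        if (!bad.empty) {
            throw new GradleException("Vulnerable log4j artifacts on runtimeClasspath: ${bad}")
        }
    }
}
tasks.named('check') { dependsOn 'verifyLog4jVersion' }
```

Run `./gradlew verifyLog4jVersion` (or `check`) after the upgrade; `./gradlew dependencies --configuration runtimeClasspath` shows which transitive paths the pin rewrote.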

Also update Jacoco, Junit, and SQLite, all of which should have no
source compatibility issues.

Signed-off-by: Taylor Smock <[email protected]>
@tsmock tsmock changed the title Update log4j to 2.16 Update log4j to 2.17.1 Jan 4, 2022
@sonarqubecloud
sonarqubecloud bot commented Jan 4, 2022

Kudos, SonarCloud Quality Gate passed!

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 0 Code Smells

66.7% Coverage
0.0% Duplication

tsmock commented Jan 4, 2022

This looks great. Thanks for working to update this. Have you done any test runs with these changes, local or remote?

I have done a local run with some additional dependency updates (./gradlew clean build run).

@atiannicelli

I took tsmock's branch and executed on AWS EMR and it looked like it was working correctly.

@Bentleysb Bentleysb requested a review from rheatreena January 4, 2022 19:35
@Bentleysb Bentleysb merged commit 471ba73 into osmlab:dev Jan 4, 2022
@tsmock tsmock deleted the cve-2021-44228 branch January 4, 2022 19:43
@tsmock tsmock restored the cve-2021-44228 branch January 4, 2022 19:43
@tsmock tsmock deleted the cve-2021-44228 branch January 5, 2022 20:38
@tsmock tsmock restored the cve-2021-44228 branch January 12, 2022 21:09