Issue
I am trying to fix log4j vulnerabilities and I have updated the existing log4j to the latest log4j-core version.
I tried adding exclusion in the googlecode.owasp dependency but the old version of log4j-1.2.12 is added in the war file. As of now, there is no change in the maven plugin.
Please let me know how to exclude log4j-1.2.12.
maven dependency:tree
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ Invoice ---
[INFO] Bookings:Invoice:war:0.0.1-SNAPSHOT
[INFO] +- Bookings:Miscellaneous:jar:0.0.1-SNAPSHOT:compile
[INFO] | +- org.owasp.esapi:esapi:jar:2.1.0:compile
[INFO] | | +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] | | | \- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] | | +- xom:xom:jar:1.2.5:compile
[INFO] | | | \- xalan:xalan:jar:2.7.0:compile
[INFO] | | \- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] | + xalan:serializer:jar:2.7.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.4.4:compile
[INFO] | | +- xerces:xercesImpl:jar:2.8.1:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] | | | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | | +- net.sourceforge.nekohtml;nekohtml:jar:1.9.12:compile
[INFO] | | \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] | +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
[INFO] | +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r156:compile
[INFO] | | +- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [11.0,))
[INFO] | | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (version selected from constraint [1.3.9,))
[INFO] | \- log4j:log4j:jar:1.2.12:compile
Solution
It looks like Bookings:Miscellaneous:jar depends on log4j.
Change the bookings:miscellaneous dependency to something like this:
<dependency>
<groupId>Bookings</groupId>
<artifactId>Miscellaneous</artifactId>
<version>0.0.1-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
Then add a dependency to logback. Something like this:
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>{someversion-your-choise}</version>
</dependency>
Finally, add the adaptor from log4j to slf4j:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>{someversion-your-choise}</version>
</dependency>
Answered By - DwB
Answer Checked By - Willingham (JavaFixing Volunteer)