From e3e277a2649e21aefce00b2e9fce0b9266681d10 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Mon, 13 Dec 2021 14:18:31 -0500
Subject: [PATCH] Completely remove log4j (#1466)

* Completely remove log4j
Prevent Gradle plugin from using log4j.
---
 build.gradle | 3 +++
 gradle/dependency-locks/buildscript-classpath.lockfile | 2 --
 java_common.gradle | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index a9becda6c..421eb2bdc 100644
--- a/build.gradle
+++ b/build.gradle
@@ -20,6 +20,9 @@ buildscript {
 // Lock buildscript dependencies.
 configurations.classpath {
 resolutionStrategy.activateDependencyLocking()
+
+ // See java_common.gradle for explanation.
+ exclude group: 'org.apache.logging.log4j'
 }
 }
diff --git a/gradle/dependency-locks/buildscript-classpath.lockfile b/gradle/dependency-locks/buildscript-classpath.lockfile
index f4301149d..273001cd9 100644
--- a/gradle/dependency-locks/buildscript-classpath.lockfile
+++ b/gradle/dependency-locks/buildscript-classpath.lockfile
@@ -40,8 +40,6 @@ org.apache.ant:ant-launcher:1.9.7
 org.apache.ant:ant:1.9.7
 org.apache.commons:commons-compress:1.20
 org.apache.commons:commons-lang3:3.8.1
-org.apache.logging.log4j:log4j-api:2.11.0
-org.apache.logging.log4j:log4j-core:2.11.0
 org.apache.maven:maven-artifact:3.6.2
 org.apache.maven:maven-builder-support:3.6.2
 org.apache.maven:maven-model-builder:3.6.2
diff --git a/java_common.gradle b/java_common.gradle
index ed7e4aa1e..5a3de130b 100644
--- a/java_common.gradle
+++ b/java_common.gradle
@@ -64,6 +64,8 @@ configurations {
 it.exclude group: 'org.mockito', module: 'mockito-core'
 }
 all.each {
+ // log4j has high-profile security vulnerabilities. It's a transitive dependency used by some
+ // Apache Beam packages. Excluding it does not impact our troubleshooting needs.
 it.exclude group: 'org.apache.logging.log4j'
 }
 }
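Review bot: The comment added above `exclude group: 'org.apache.logging.log4j'` in build.gradle sends the reader to java_common.gradle, but the rationale there is about Apache Beam transitive dependencies, while the commit message says this exclusion is about a Gradle plugin on the buildscript classpath. I would state the reason in place, for example `// A buildscript plugin pulled in log4j-core 2.11.0 transitively; it is excluded from the build classpath as well.`, adjusted to name the actual plugin. The group-wide exclude also drops log4j-api, so if that plugin calls log4j on some code path the build would presumably fail with a missing class only when that path runs; it is worth confirming that the plugin's tasks still run after this change. The `buildscript` block starts and ends outside the hunk.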
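Review bot: The comment added inside `all.each` in java_common.gradle gives no advisory reference or affected version range, so a later maintainer cannot tell when the exclusion may be lifted or whether a patched log4j release would be acceptable. I would add one more line, for example `// Advisory: <advisory link>; revisit once Beam no longer depends on an affected log4j version.`. Separately, if `all.each` only visits the configurations that exist when this block is evaluated, a configuration created later would not receive the exclusion, which matters for a commit titled "Completely remove log4j"; the enclosing `configurations` block starts outside the hunk, so this needs checking against the full file.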