Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(dependencies): remove unnecessary dependency on log4j-core (#1087)
* chore(dependencies): remove unnecessary dependency on log4j-core and make dependencies on log4j-api explicit.

  #1069 introduced the dependency on org.apache.logging.log4j.log4j-core in kork-artifacts, but it's not necessary. At least, after removing it, and verifying the dependency is gone from

      $ ./gradle kork-artifacts:dependencies

  the code still builds fine. As well

      $ git grep "import org.apache.logging.log4j"
      kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/user/UserSecretTypeProvider.java:import org.apache.logging.log4j.LogManager;
      kork-security/src/main/java/com/netflix/spinnaker/security/AuthenticatedRequestDecorator.java:import org.apache.logging.log4j.ThreadContext;

  turns up classes present in log4j-api, but nothing in log4j-core. As well uses of the @log4j2 annotation depend on log4j-api (see https://projectlombok.org/api/lombok/extern/log4j/Log4j2)

      $ git grep @log4j2
      kork-artifacts/src/main/java/com/netflix/spinnaker/kork/artifacts/artifactstore/ArtifactStoreConfiguration.java:@log4j2
      kork-artifacts/src/main/java/com/netflix/spinnaker/kork/artifacts/artifactstore/s3/S3ArtifactStore.java:@log4j2
      kork-core/src/main/java/com/netflix/spinnaker/kork/jackson/JsonTypeNameParser.java:@log4j2
      kork-credentials/src/main/java/com/netflix/spinnaker/credentials/jackson/SensitiveSerializer.java:@log4j2
      kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/EncryptedSecret.java:@log4j2

  This all makes the comment in spinnaker-dependencies.gradle true again:

      Per analysis, log4j-core is not included in dependencies

* chore(dependencies): use version 2.17.1 of log4j-bom to address CVE-2021-45105 and CVE-2021-44832.

* chore(dependencies): use version 2.20.0 of log4j-bom to stay up to date
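The import check described in the commit message can be scripted so it fails a build when a module starts importing log4j-core classes. The following is an added example, not part of the commit or the kork repository; the function names and the sample source tree are constructed for illustration, and it relies on log4j-core classes living under the `org.apache.logging.log4j.core` package.

```shell
#!/bin/sh
# Added example: split log4j imports in a Java source tree into those that
# need log4j-core (package org.apache.logging.log4j.core.*) and the rest
# (LogManager, ThreadContext, ... which log4j-api provides).

IMPORT_RE='^[[:space:]]*import[[:space:]]+(static[[:space:]]+)?org\.apache\.logging\.log4j\.'

# Print file:line:import for every import that requires log4j-core.
log4j_core_imports() {
    grep -rnE --include='*.java' "${IMPORT_RE}core\\." "$1" 2>/dev/null
}

# Print file:line:import for every log4j import outside the core package.
log4j_non_core_imports() {
    grep -rnE --include='*.java' "$IMPORT_RE" "$1" 2>/dev/null |
        grep -vE 'org\.apache\.logging\.log4j\.core\.'
}

# Succeeds (status 0) when no source file under $1 imports from log4j-core.
needs_no_core() {
    [ -z "$(log4j_core_imports "$1")" ]
}

# Constructed sample tree (hypothetical modules "clean" and "dirty").
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clean" "$root/dirty"
    printf '%s\n' 'import org.apache.logging.log4j.LogManager;' \
        'import org.apache.logging.log4j.ThreadContext;' 'class A {}' \
        > "$root/clean/A.java"
    printf '%s\n' 'import org.apache.logging.log4j.Logger;' \
        'import org.apache.logging.log4j.core.LoggerContext;' 'class B {}' \
        > "$root/dirty/B.java"
    printf '%s\n' "$root"
}

demo_root=$(make_sample_tree)
for module in clean dirty; do
    if needs_no_core "$demo_root/$module"; then
        echo "$module: no log4j-core imports"
    else
        echo "$module: imports log4j-core:"
        log4j_core_imports "$demo_root/$module"
    fi
done
rm -rf "$demo_root"
```

A source scan only covers explicit imports; the Gradle dependencies report mentioned in the commit message remains the check for what actually lands on the classpath, including transitive dependencies.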
Showing 6 changed files with 6 additions and 3 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.