maven: migrate short-term to reload4j v1.2.18 (#5878)

* maven: migrate short-term to reload4j v1.2.18 This migrate to log4j 1.x fork, reload4j 1.2.18.0 which is drop-in replacement and addresses some immediate CVE and issues. * log4j migration to reload4j in pom xmls Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com> * Exclude log4j from transitive dependencies (#73) Co-authored-by: Marcus Sorensen <shadowsor@gmail.com> Co-authored-by: Marcus Sorensen <mls@apple.com>
2025-10-26 08:42:29 +01:00 · 2022-02-08 15:00:38 +05:30 · 2022-02-08 15:00:38 +05:30 · da56a2a806
commit da56a2a806
parent af58284560
12 changed files with 44 additions and 24 deletions
--- a/framework/managed-context/pom.xml
+++ b/framework/managed-context/pom.xml
@ -29,9 +29,9 @@
    </parent>
    <dependencies>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>${cs.log4j.version}</version>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
+            <version>${cs.reload4j.version}</version>
        </dependency>
    </dependencies>
 </project>
--- a/plugins/alert-handlers/snmp-alerts/pom.xml
+++ b/plugins/alert-handlers/snmp-alerts/pom.xml
@ -33,8 +33,8 @@
            <artifactId>org.apache.servicemix.bundles.snmp4j</artifactId>
        </dependency>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
    </dependencies>
 </project>
--- a/plugins/alert-handlers/syslog-alerts/pom.xml
+++ b/plugins/alert-handlers/syslog-alerts/pom.xml
@ -29,8 +29,8 @@
    </parent>
    <dependencies>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
    </dependencies>
 </project>
--- a/plugins/hypervisors/ovm3/pom.xml
+++ b/plugins/hypervisors/ovm3/pom.xml
@ -44,8 +44,8 @@
            <version>${cs.commons-lang3.version}</version>
        </dependency>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
    </dependencies>
    <build>
--- a/plugins/integrations/kubernetes-service/pom.xml
+++ b/plugins/integrations/kubernetes-service/pom.xml
@ -86,9 +86,9 @@
            <version>${cs.guava.version}</version>
        </dependency>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>${cs.log4j.version}</version>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
+            <version>${cs.reload4j.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
--- a/plugins/network-elements/juniper-contrail/pom.xml
+++ b/plugins/network-elements/juniper-contrail/pom.xml
@ -112,6 +112,12 @@
            <groupId>net.juniper.contrail</groupId>
            <artifactId>juniper-contrail-api</artifactId>
            <version>1.0-SNAPSHOT</version>
+            <exclusions>
+                <exclusion>
+                    <artifactId>log4j</artifactId>
+                    <groupId>log4j</groupId>
+                </exclusion>
+            </exclusions>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
--- a/plugins/user-authenticators/ldap/pom.xml
+++ b/plugins/user-authenticators/ldap/pom.xml
@ -175,6 +175,10 @@
            <version>${ads.version}</version>
            <scope>test</scope>
            <exclusions>
+                <exclusion>
+                    <artifactId>log4j</artifactId>
+                    <groupId>log4j</groupId>
+                </exclusion>
                <!--
                 shared-ldap-schema module needs to be excluded to avoid multiple schema resources on the classpath
                -->
--- a/pom.xml
+++ b/pom.xml
@ -76,7 +76,7 @@
        <cs.clover-maven-plugin.version>4.4.1</cs.clover-maven-plugin.version>

        <!-- Logging versions -->
-        <cs.log4j.version>1.2.17</cs.log4j.version>
+        <cs.reload4j.version>1.2.18.4</cs.reload4j.version>
        <cs.log4j.extras.version>1.2.17</cs.log4j.extras.version>
        <cs.logging.version>1.1.1</cs.logging.version>

@ -439,9 +439,9 @@
                </exclusions>
            </dependency>
            <dependency>
-                <groupId>log4j</groupId>
-                <artifactId>log4j</artifactId>
-                <version>${cs.log4j.version}</version>
+                <groupId>ch.qos.reload4j</groupId>
+                <artifactId>reload4j</artifactId>
+                <version>${cs.reload4j.version}</version>
            </dependency>
            <dependency>
                <groupId>mysql</groupId>
@ -618,6 +618,12 @@
                <groupId>org.owasp.esapi</groupId>
                <artifactId>esapi</artifactId>
                <version>2.1.0.1</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>log4j</groupId>
+                        <artifactId>log4j</artifactId>
+                    </exclusion>
+                </exclusions>
            </dependency>
            <!-- Test dependency in mysql for db tests -->
            <dependency>
--- a/services/console-proxy/server/pom.xml
+++ b/services/console-proxy/server/pom.xml
@ -29,8 +29,8 @@
    </parent>
    <dependencies>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
        <dependency>
            <groupId>com.google.code.gson</groupId>
--- a/services/secondary-storage/server/pom.xml
+++ b/services/secondary-storage/server/pom.xml
@ -29,8 +29,8 @@
    </parent>
    <dependencies>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
        <dependency>
            <groupId>com.google.code.gson</groupId>
--- a/test/pom.xml
+++ b/test/pom.xml
@ -33,8 +33,8 @@
            <version>${project.version}</version>
        </dependency>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
        <dependency>
            <groupId>org.jenkins-ci</groupId>
--- a/utils/pom.xml
+++ b/utils/pom.xml
@ -47,8 +47,8 @@
            <artifactId>aspectjweaver</artifactId>
        </dependency>
        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
        </dependency>
        <dependency>
            <groupId>cglib</groupId>
@ -143,6 +143,10 @@
            <groupId>org.owasp.esapi</groupId>
            <artifactId>esapi</artifactId>
            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
                <exclusion>
                    <groupId>xml-apis</groupId>
                    <artifactId>xml-apis</artifactId>