Update version to use log4j2 version 2.17 up?


Carfield Yim

Jan 30, 2023, 3:51:30 AM
to Clojure Maven Plugin
Hi all

clojure-maven-plugin is still using log4j version 1, which suffers from a few vulnerabilities, https://logging.apache.org/log4j/1.2/. Not sure if someone can help migrate that to log4j2 version 2.17 or up?

Thanks a lot!

Mark Derricutt

Jan 30, 2023, 3:55:13 AM
to Clojure Maven Plugin
Cheers for the prod - I'll look at updating it this week ( just looking at the deps now but probably won't get to a release til tomorrow ).

Mark

Mark Derricutt

Jan 30, 2023, 3:59:37 AM
to Clojure Maven Plugin
Interesting - mvn's dependency-tree plugin doesn't actually show any log4j usage - where did you see this?

[INFO] Scanning for projects...
[INFO]
[INFO] -------------< com.theoryinpractise:clojure-maven-plugin >--------------
[INFO] Building clojure-maven-plugin Maven Mojo 1.8.5-SNAPSHOT
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ clojure-maven-plugin ---
[INFO] com.theoryinpractise:clojure-maven-plugin:maven-plugin:1.8.5-SNAPSHOT
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.6.0:compile
[INFO] |  \- org.apache.maven:maven-artifact:jar:3.0:compile
[INFO] |     \- (org.codehaus.plexus:plexus-utils:jar:2.0.4:compile - omitted for conflict with 3.2.0)
[INFO] +- org.codehaus.plexus:plexus-utils:jar:3.2.0:compile
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.6.1:compile
[INFO] |  +- org.apache.maven:maven-model:jar:3.6.1:compile
[INFO] |  |  \- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  +- (org.apache.maven:maven-artifact:jar:3.6.1:compile - omitted for conflict with 3.0)
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.3:compile
[INFO] |  |  +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] |  |  |  +- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] |  |  |  \- (javax.inject:javax.inject:jar:1:compile - omitted for duplicate)
[INFO] |  |  +- (org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile - omitted for conflict with 1.7.1)
[INFO] |  |  +- (org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile - omitted for conflict with 2.6.0)
[INFO] |  |  \- (org.codehaus.plexus:plexus-utils:jar:3.0.17:compile - omitted for conflict with 3.2.0)
[INFO] |  +- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  \- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] +- com.google.guava:guava:jar:27.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.5.2:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.2.0:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] +- junit:junit:jar:4.12:test (scope not updated to compile)
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.easytesting:fest-assert-core:jar:2.0M10:test
[INFO] |  \- org.easytesting:fest-util:jar:1.2.5:test
[INFO] +- org.mockito:mockito-all:jar:2.0.2-beta:test
[INFO] +- org.apache.commons:commons-exec:jar:1.3:compile
[INFO] +- commons-io:commons-io:jar:2.6:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
[INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile - omitted for conflict with 3.6.1)
[INFO] |  \- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |     +- (org.apache.maven:maven-model:jar:3.0-alpha-2:compile - omitted for conflict with 3.6.1)
[INFO] |     +- (org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile - omitted for duplicate)
[INFO] |     +- (org.codehaus.plexus:plexus-component-annotations:jar:1.0-beta-3.0.5:compile - omitted for conflict with 1.5.5)
[INFO] |     \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-4:compile
[INFO] |        \- (org.codehaus.plexus:plexus-utils:jar:1.4.2:compile - omitted for conflict with 3.2.0)
[INFO] +- org.apache.maven:maven-core:jar:3.6.1:compile
[INFO] |  +- (org.apache.maven:maven-model:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven:maven-settings:jar:3.6.1:compile
[INFO] |  |  \- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.6.1:compile
[INFO] |  |  +- (org.apache.maven:maven-builder-support:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
[INFO] |  |  +- (org.codehaus.plexus:plexus-component-annotations:jar:1.7.1:compile - omitted for conflict with 1.5.5)
[INFO] |  |  +- (org.apache.maven:maven-settings:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] |  |     +- (org.codehaus.plexus:plexus-utils:jar:1.5.5:compile - omitted for conflict with 3.2.0)
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] |  +- org.apache.maven:maven-builder-support:jar:3.6.1:compile
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.6.1:compile
[INFO] |  |  \- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  +- (org.apache.maven:maven-artifact:jar:3.6.1:compile - omitted for conflict with 3.0)
[INFO] |  +- (org.apache.maven:maven-plugin-api:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.6.1:compile
[INFO] |  |  +- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  |  +- (org.codehaus.plexus:plexus-interpolation:jar:1.25:compile - omitted for duplicate)
[INFO] |  |  +- (org.codehaus.plexus:plexus-component-annotations:jar:1.7.1:compile - omitted for conflict with 1.5.5)
[INFO] |  |  +- (org.apache.maven:maven-model:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven:maven-artifact:jar:3.6.1:compile - omitted for conflict with 3.0)
[INFO] |  |  \- (org.apache.maven:maven-builder-support:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven:maven-resolver-provider:jar:3.6.1:compile
[INFO] |  |  +- (org.apache.maven:maven-model:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven:maven-model-builder:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven:maven-repository-metadata:jar:3.6.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-api:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-spi:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-util:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-impl:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  |  +- (javax.inject:javax.inject:jar:1:compile - omitted for duplicate)
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.3.3:compile
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-api:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-spi:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  +- (org.apache.maven.resolver:maven-resolver-util:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  |  \- (org.slf4j:slf4j-api:jar:1.7.25:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.3.3:compile
[INFO] |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.3.3:compile
[INFO] |  |  \- (org.apache.maven.resolver:maven-resolver-api:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.3.3:compile
[INFO] |  |  \- (org.apache.maven.resolver:maven-resolver-api:jar:1.3.3:compile - omitted for duplicate)
[INFO] |  +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:compile
[INFO] |  |  \- (commons-io:commons-io:jar:2.5:compile - omitted for conflict with 2.6)
[INFO] |  +- (org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.3:compile - omitted for duplicate)
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.3:compile
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.1:compile
[INFO] |  |  +- (javax.inject:javax.inject:jar:1:compile - omitted for duplicate)
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  \- (com.google.guava:guava:jar:25.1-android:compile - omitted for conflict with 27.1-jre)
[INFO] |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  +- (org.codehaus.plexus:plexus-utils:jar:3.2.0:compile - omitted for duplicate)
[INFO] |  +- (org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile - omitted for duplicate)
[INFO] |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.7.1:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] \- org.codehaus.plexus:plexus-compiler-api:jar:2.8.5:compile
[INFO]    \- (org.codehaus.plexus:plexus-utils:jar:3.0.22:compile - omitted for conflict with 3.2.0)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.699 s
[INFO] Finished at: 2023-01-30T21:58:37+13:00
[INFO] ------------------------------------------------------------------------

Mark Derricutt

Jan 30, 2023, 4:12:37 AM
to Clojure Maven Plugin
I see it's likely to be a transitive in tools.logging in one of the integration tests.

I'm updating the deps for the plugin as well as the tests ( and changing clojars from http to https - I guess this hasn't been built in a LONG time ).

Carfield Yim

Feb 14, 2023, 2:03:04 AM
to Clojure Maven Plugin
Thanks a lot Mark, just wondering if there is any update on this?

Carfield Yim

Feb 14, 2023, 2:03:04 AM
to Clojure Maven Plugin
Hi Mark, just wondering if there is any update here?

On Monday, January 30, 2023 at 8:12:37 PM UTC+11 Mark Derricutt wrote:

Mark Derricutt

Feb 14, 2023, 2:06:34 AM
to Clojure Maven Plugin

On 9 Feb 2023, at 11:27, Carfield Yim wrote:

Thanks a lot Mark, just wondering if there is any update on this?

Haven't a chance yet - we've unfortunately been hit with a rather large national cyclone (Gabrielle) which hasn't really done much for my focus.

That being said, where did you see the log4j references originally? I can't spot them in any dependency trees.

Mark


"The ease with which a change can be implemented has no relevance at all to whether it is the right change for the (Java) Platform for all time." — Mark Reinhold.

Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt

Mark Derricutt

Feb 14, 2023, 4:35:40 AM
to Clojure Maven Plugin

On 9 Feb 2023, at 11:27, Carfield Yim wrote:

Thanks a lot Mark, just wondering if there is any update on this?

For what it's worth - I just released 1.9.1 with updated dependencies.

I've temporarily disabled the Autodoc IT ( after upgrading it to 1.1.2 ) as it's internally giving an odd bug with expecting Strings and getting Characters passed around internally.

I've been thinking of killing off some of these other goals such as autodoc etc. and leaving just the compile/test tho.

Mark Derricutt

Feb 14, 2023, 5:03:16 AM
to Clojure Maven Plugin

On 14 Feb 2023, at 22:35, Mark Derricutt wrote:

For what it's worth - I just released 1.9.1 with updated dependencies.

Interesting - the Sonatype SBOM report does actually show l...@1.2.12 still being there, even tho the dependency:tree plugin didn't.

So I'm adding both the cyclonedx-maven-plugin and oss-index plugins to the build to try and track this down.

Carfield Yim

Feb 14, 2023, 3:03:50 PM
to clojure-ma...@googlegroups.com
Thanks a lot Mark!

Mark Derricutt

Feb 14, 2023, 3:08:08 PM
to clojure-ma...@googlegroups.com

On 15 Feb 2023, at 1:19, Carfield Yim wrote:

Thanks a lot Mark!

And resolved - just released 1.9.2.

The project had a dependency on an OLD, unused earlier version of the maven-toolchains artefact which did include log4j 1.2, however - long ago in the Maven 3.x development process support for toolchains was moved into the core project.

The dependency:tree plugin was showing that the artefact was overridden by core, so never actually checked it for violations - as it's not actually a run-time issue.

Resolved now however - leaving only Guava as listing a violation, but I've listed that as an excluded violation as there's as yet no updated release.

Mark
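The thread's lesson is that `mvn dependency:tree`, even in `-Dverbose` mode, prints a conflict-omitted node but not that node's own children, so a transitive such as log4j 1.2.12 brought in under the old maven-toolchain artefact never appears in the tree, while an SBOM produced from the resolved artefacts does list it. The script below is an added example, not code from this thread or from clojure-maven-plugin: it parses a verbose tree excerpt and a CycloneDX JSON SBOM, reports every component the SBOM knows about that the tree does not, lists omitted nodes whose subtrees the tree never showed, and flags any log4j 1.x hit from either source. The tree excerpt is a constructed cut-down of the one quoted above, and the SBOM is a constructed minimal document in the shape the cyclonedx-maven-plugin writes; the component list is illustrative, not the project's real BOM.

```python
import json
import re

# Constructed excerpt of `mvn dependency:tree -Dverbose` output, modelled on the
# tree quoted earlier in this thread. Note that maven-core 3.0-alpha-2 is printed
# as omitted, and nothing underneath it (where log4j 1.2 lived) is printed at all.
SAMPLE_TREE = """\
[INFO] com.theoryinpractise:clojure-maven-plugin:maven-plugin:1.8.5-SNAPSHOT
[INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
[INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile - omitted for conflict with 3.6.1)
[INFO] |  \\- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] +- com.google.guava:guava:jar:27.1-jre:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

# Constructed minimal CycloneDX 1.4 JSON SBOM (illustrative components only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.maven", "name": "maven-toolchain",
         "version": "3.0-alpha-2", "purl": "pkg:maven/org.apache.maven/maven-toolchain@3.0-alpha-2?type=jar"},
        {"type": "library", "group": "org.apache.maven", "name": "maven-compat",
         "version": "3.0-alpha-2", "purl": "pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?type=jar"},
        {"type": "library", "group": "log4j", "name": "log4j",
         "version": "1.2.12", "purl": "pkg:maven/log4j/log4j@1.2.12?type=jar"},
        {"type": "library", "group": "com.google.guava", "name": "guava",
         "version": "27.1-jre", "purl": "pkg:maven/com.google.guava/guava@27.1-jre?type=jar"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "1.7.25", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.25?type=jar"},
    ],
})

# One tree line: "[INFO]" + tree-drawing prefix + coordinate, where a verbose
# omitted node is wrapped in parentheses with an "omitted for ..." reason.
NODE_RE = re.compile(
    r"^\[INFO\]\s*[|+\\ -]*"                        # log prefix and tree drawing
    r"\(?(?P<coord>[^\s()]+)"                       # group:artifact:type[:classifier]:version[:scope]
    r"(?:\s+-\s+omitted for (?P<reason>[^)]*))?\)?\s*$"
)
SCOPES = {"compile", "provided", "runtime", "test", "system"}


def parse_tree(text):
    """Return ({(group, artifact): version} for printed nodes,
    [((group, artifact), version, reason)] for omitted nodes)."""
    seen, omitted = {}, []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:          # not a Maven coordinate (e.g. "BUILD SUCCESS")
            continue
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        key = (parts[0], parts[1])
        if m.group("reason"):
            omitted.append((key, version, m.group("reason")))
        else:
            seen[key] = version
    return seen, omitted


def parse_sbom(text):
    """Return {(group, artifact): version} for every component in a CycloneDX JSON BOM."""
    bom = json.loads(text)
    return {(c.get("group", ""), c["name"]): c["version"] for c in bom.get("components", [])}


def is_log4j1(key, version):
    """The policy in this thread: any log4j 1.x artefact is a finding."""
    return key == ("log4j", "log4j") and version.startswith("1.")


def audit(tree_text, sbom_text):
    """Cross-check the tree against the SBOM; the SBOM is the source of truth
    for what was actually resolved, the tree only explains where it came from."""
    tree, omitted = parse_tree(tree_text)
    sbom = parse_sbom(sbom_text)
    sbom_only = sorted(k for k in sbom if k not in tree)
    hits = {(k, v) for src in (tree, sbom) for k, v in src.items() if is_log4j1(k, v)}
    hits |= {(k, v) for k, v, _ in omitted if is_log4j1(k, v)}
    return {"sbom_only": sbom_only, "omitted": omitted, "log4j1": sorted(hits)}


if __name__ == "__main__":
    report = audit(SAMPLE_TREE, SAMPLE_SBOM)
    for key in report["sbom_only"]:
        print("in SBOM but not in dependency:tree:", ":".join(key))
    for key, version, reason in report["omitted"]:
        print("omitted node, subtree not shown:", ":".join(key), version, "(", reason, ")")
    for key, version in report["log4j1"]:
        print("log4j 1.x finding:", ":".join(key), version)
```

Run against real data with `mvn dependency:tree -Dverbose > tree.txt` and the `bom.json` the cyclonedx-maven-plugin writes, feeding both files to `audit`; any artefact in the `sbom_only` list is one the tree would never have explained, which is exactly the case the maven-toolchain dependency produced here.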
