Eclipse Community Forums
Modeling » TMF (Xtext)
Removing insecure log4j dependency [message #1855879] Tue, 08 November 2022 18:37
Simon Cockx
Xtext seems to rely on log4j 1.2, which has known security vulnerabilities. Until now, we were using log4j in our own classes too. I am required to get rid of such dependencies.

At a high level, what I've tried is the following:
- use the org.slf4j.apis.log4j as a drop-in replacement of log4j 1.2
- use logback as a slf4j implementation.

Basically, this meant replacing the `org.apache.log4j` bundle with the following bundles in build.properties:
org.slf4j.api,\
org.slf4j.apis.log4j,\
ch.qos.logback.classic,\
ch.qos.logback.core


Running a `mvn clean install` builds without errors, but running a `mvn dependency:tree` still shows the insecure log4j dependency. I've also tried removing org.apache.log4j from the MANIFEST.MF files, but it automatically gets written back in after running `mvn clean install`.

Q1: is there a proper way of getting rid of this dependency?
Q2: where does the `org.apache.log4j` in the MANIFEST.MF files keep coming from? Which maven-plugin is responsible for this? (I'm guessing it's Tycho, but I don't see any documentation on this...)

FYI: I'm trying these things out on the following project/branch: https://github.com/REGnosys/rosetta-dsl/pull/443
Re: Removing insecure log4j dependency [message #1855881 is a reply to message #1855879] Tue, 08 November 2022 18:38
Christian Dietrich
Why don't you simply use reload4j, which has the fix for the CVE (log4j 1.2.19)?
This should happen automatically with current Xtext versions.


Need professional support for Xtext, Xpand, EMF?
Go to: https://www.itemis.com/en/it-services/methods-and-tools/xtext
Twitter : @chrdietrich
Blog : https://www.dietrich-it.de

[Updated on: Tue, 08 November 2022 18:44]

Re: Removing insecure log4j dependency [message #1855905 is a reply to message #1855881] Wed, 09 November 2022 11:04
Simon Cockx
I tried it out, but `org.apache.log4j` is still showing up in `mvn dependency:tree "-Dincludes=p2.eclipse-plugin:org.apache.log4j"` and in the security check `mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7`.

We are currently using Xtext 2.27.

Maybe I did something wrong? What I did:
- add reload4j to the target platform
- revert my changes to build.properties (i.e., replace the logging frameworks with `org.apache.log4j` again)

I still notice the `org.apache.log4j` popping up in the MANIFEST.MF files, btw, even after I remove them. Not sure how this is happening, or whether this is bad or not.

[Updated on: Wed, 09 November 2022 11:16]

Re: Removing insecure log4j dependency [message #1855918 is a reply to message #1855905] Wed, 09 November 2022 17:47
Christian Dietrich
The reload4j bundle name is org.apache.log4j, but the version should be 1.2.19.

Do you, Maven-wise, make use of the Xtext dev BOM?
Where in your dependency hierarchy is log4j used?

[Updated on: Wed, 09 November 2022 17:48]

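The check the reply above asks for, as an added example (not code from the thread, from Xtext, Tycho or reload4j): parse the MANIFEST.MF of your own bundles to see which of them require `org.apache.log4j` and with what version floor, then parse the manifest of the jar that actually provides that bundle name and decide from its `Bundle-Version` whether it is the old Apache 1.2.x line or reload4j. Both manifests are constructed samples, and the cut-off is an assumption: Apache log4j 1.x ended at 1.2.17, so an `org.apache.log4j` bundle at 1.2.18 or later is taken to be reload4j.

```python
"""Check which org.apache.log4j a Tycho/PDE project actually pulls in.

Added example; not code from the thread, Xtext, Tycho or reload4j.
It parses JAR manifests (joining the 72-byte continuation lines that make
MANIFEST.MF awkward to grep) and answers two questions from the thread:
which of your own bundles require org.apache.log4j, and whether the jar
that provides that bundle name is the vulnerable Apache 1.2.x line or the
reload4j fork. Assumption: Apache log4j 1.x ended at 1.2.17, so a bundle
named org.apache.log4j at version 1.2.18 or later is reload4j.
"""

# Constructed sample: a language bundle's MANIFEST.MF, as PDE/Tycho write it.
DSL_MANIFEST = """\
Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-SymbolicName: com.example.dsl;singleton:=true
Bundle-Version: 1.0.0.qualifier
Require-Bundle: org.eclipse.xtext;bundle-version="2.27.0",
 org.apache.log4j;bundle-version="[1.2.15,2.0.0)",
 org.eclipse.emf.ecore
"""

# Constructed sample: the manifest of the jar resolved for org.apache.log4j.
RELOAD4J_MANIFEST = """\
Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-SymbolicName: org.apache.log4j
Bundle-Version: 1.2.19.v20220208-1728
"""

# Constructed sample: an old Apache log4j 1.2.x bundle from a stale target platform.
OLD_LOG4J_MANIFEST = """\
Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-SymbolicName: org.apache.log4j
Bundle-Version: 1.2.15.v201012070815
"""

RELOAD4J_MIN = (1, 2, 18)  # assumption: first reload4j release line


def parse_manifest(text):
    """Manifest headers as a dict; a line starting with one space continues
    the previous header and its remaining bytes are appended verbatim."""
    headers, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            headers[current] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            headers[current] = value.strip()
    return headers


def split_clauses(value):
    """Split an OSGi header on commas outside quotes, so that a version
    range such as "[1.2.15,2.0.0)" stays inside one clause."""
    clauses, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            clauses.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    clauses.append("".join(buf))
    return [c.strip() for c in clauses if c.strip()]


def require_bundle(manifest_text):
    """{symbolic name: bundle-version attribute or None} from Require-Bundle."""
    required = {}
    header = parse_manifest(manifest_text).get("Require-Bundle", "")
    for clause in split_clauses(header):
        name, *attrs = clause.split(";")
        version = None
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.strip() == "bundle-version":
                version = val.strip().strip('"')
        required[name.strip()] = version
    return required


def parse_osgi_version(text):
    """'1.2.19.v20220208-1728' -> (1, 2, 19, 'v20220208-1728')."""
    parts = text.split(".", 3)
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], parts[3] if len(parts) > 3 else "")


def classify_log4j_provider(manifest_text):
    """'reload4j', 'apache-log4j-1.x' or 'not-log4j' for the given jar manifest."""
    headers = parse_manifest(manifest_text)
    name = headers.get("Bundle-SymbolicName", "").split(";")[0].strip()
    if name != "org.apache.log4j":
        return "not-log4j"
    version = parse_osgi_version(headers["Bundle-Version"])
    return "reload4j" if version[:3] >= RELOAD4J_MIN else "apache-log4j-1.x"


if __name__ == "__main__":
    print("Require-Bundle:", require_bundle(DSL_MANIFEST))
    for m in (RELOAD4J_MANIFEST, OLD_LOG4J_MANIFEST):
        print(parse_manifest(m)["Bundle-Version"], "->", classify_log4j_provider(m))
```

To run it against a real build, feed `parse_manifest` the `META-INF/MANIFEST.MF` of each of your bundles and of the `org.apache.log4j` jar in the resolved target platform; the bundle name alone says nothing, the version is what distinguishes the two.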
Re: Removing insecure log4j dependency [message #1855920 is a reply to message #1855918] Wed, 09 November 2022 19:55
Christian Dietrich
I have the feeling the tool you use simply produces tons of false positives:

[ERROR] org.apache.batik.css-1.15.0.v20221018-0736.jar: CVE-2022-41704(7.5), CVE-2022-42890(7.5)
[ERROR] org.apache.log4j-1.2.19.v20220208-1728.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8)
[ERROR] org.eclipse.core.commands-3.10.200.v20220512-0851.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.contenttype-3.8.200.v20220817-1539.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding-1.11.200.v20221005-0542.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.beans-1.9.0.v20220921-1419.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.observable-1.12.0.v20211231-1006.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.property-1.9.0.v20210619-1129.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.filesystem-1.9.500.v20220817-1539.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.jobs-3.13.200.v20221020-1350.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.runtime-3.26.0.v20220813-0916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.core.commands-1.0.200.v20220629-1225.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.core.services-2.3.400.v20220915-1347.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.emf.xpath-0.3.0.v20210722-1426.jar: CVE-2022-41852(9.8)
[ERROR] org.eclipse.e4.ui.css.core-0.13.300.v20220809-1237.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.css.swt.theme-0.13.200.v20220906-1345.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench-1.13.200.v20220808-2019.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench.renderers.swt-0.15.700.v20220921-1214.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench3-0.16.0.v20210619-0956.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.emf.mwe2.language-2.14.0.v20221101-1054.jar: CVE-2021-41033(8.1), CVE-2019-10249(8.1)
[ERROR] org.eclipse.emf.mwe2.launch-2.14.0.v20221101-1054.jar: CVE-2019-10249(8.1)
[ERROR] org.eclipse.equinox.app-1.6.200.v20220720-2012.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.bidi-1.4.200.v20220710-1223.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.common-3.17.0.v20221006-0914.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.console-1.4.500.v20211021-1418.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.event-1.6.100.v20211021-1418.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.launcher-1.6.400.v20210924-0641.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.launcher.gtk.linux.x86_64-1.2.600.v20220720-1916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.preferences-3.10.100.v20220710-1223.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.registry-3.11.200.v20220817-1601.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.simpleconfigurator-1.4.100.v20220620-1617.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface-3.28.0.v20221020-0646.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface.databinding-1.14.0.v20220921-1419.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.osgi-3.18.200.v20221006-1531.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.text-3.12.300.v20220921-1010.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.update.configurator-3.4.900.v20220718-1722.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.urischeme-1.2.100.v20211001-1648.jar: CVE-2021-41033(8.1), CVE-2020-27225(7.8)
[ERROR] org.eclipse.xtext.logging-1.2.19.v20221109-0720.jar: CVE-2019-10249(8.1)
