Eclipse Community Forums » Modeling » TMF (Xtext)
Removing insecure log4j dependency [message #1855879] Tue, 08 November 2022 18:37
Simon Cockx (Member)
Xtext seems to rely on log4j 1.2, which has known security vulnerabilities. Until now, we were using log4j in our own classes too. I am required to get rid of such dependencies.

At a high level, what I've tried is the following:
- use the org.slf4j.apis.log4j as a drop-in replacement of log4j 1.2
- use logback as a slf4j implementation.

Basically, this meant replacing the `org.apache.log4j` bundle with the following bundles in build.properties:
org.slf4j.api,\
org.slf4j.apis.log4j,\
ch.qos.logback.classic,\
ch.qos.logback.core


Running a `mvn clean install` builds without errors, but running a `mvn dependency:tree` still shows the insecure log4j dependency. I've also tried removing org.apache.log4j from the MANIFEST.MF files, but it automatically gets written back in after running `mvn clean install`.

Q1: is there a proper way of getting rid of this dependency?
Q2: where does the `org.apache.log4j` in the MANIFEST.MF files keep coming from? Which maven-plugin is responsible for this? (I'm guessing it's Tycho, but I don't see any documentation on this...)

FYI: I'm trying these things out on the following project/branch: https://github.com/REGnosys/rosetta-dsl/pull/443
Re: Removing insecure log4j dependency [message #1855881 is a reply to message #1855879] Tue, 08 November 2022 18:38
Christian Dietrich (Senior Member)
Why don't you simply use reload4j, which has the fix for the CVE (log4j 1.2.19)?
This should happen automatically with current Xtext versions.


Twitter : @chrdietrich
Blog : https://www.dietrich-it.de

[Updated on: Tue, 08 November 2022 18:44]


Re: Removing insecure log4j dependency [message #1855905 is a reply to message #1855881] Wed, 09 November 2022 11:04
Simon Cockx (Member)
I tried it out, but `org.apache.log4j` is still showing up in `mvn dependency:tree "-Dincludes=p2.eclipse-plugin:org.apache.log4j"` and in the security check `mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7`.

We are currently using xtext 2.27.

Maybe I did something wrong? What I did:
- add reload4j to the target platform
- revert my changes to build.properties (i.e., replace the logging frameworks with `org.apache.log4j` again)

I still notice the `org.apache.log4j` popping up in the MANIFEST.MF files, btw, even after I remove them. Not sure how this is happening, or whether this is bad or not.

[Updated on: Wed, 09 November 2022 11:16]


Re: Removing insecure log4j dependency [message #1855918 is a reply to message #1855905] Wed, 09 November 2022 17:47
Christian Dietrich (Senior Member)
The reload4j bundle name is org.apache.log4j, but the version should be 1.2.19.

Do you, Maven-wise, make use of the Xtext dev BOM?
Where in your dependency hierarchy is log4j used?



[Updated on: Wed, 09 November 2022 17:48]


Re: Removing insecure log4j dependency [message #1855920 is a reply to message #1855918] Wed, 09 November 2022 19:55
Christian Dietrich (Senior Member)
I have the feeling the tool you use simply produces tons of false positives:

[ERROR] org.apache.batik.css-1.15.0.v20221018-0736.jar: CVE-2022-41704(7.5), CVE-2022-42890(7.5)
[ERROR] org.apache.log4j-1.2.19.v20220208-1728.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8)
[ERROR] org.eclipse.core.commands-3.10.200.v20220512-0851.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.contenttype-3.8.200.v20220817-1539.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding-1.11.200.v20221005-0542.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.beans-1.9.0.v20220921-1419.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.observable-1.12.0.v20211231-1006.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.property-1.9.0.v20210619-1129.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.filesystem-1.9.500.v20220817-1539.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.jobs-3.13.200.v20221020-1350.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.runtime-3.26.0.v20220813-0916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.core.commands-1.0.200.v20220629-1225.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.core.services-2.3.400.v20220915-1347.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.emf.xpath-0.3.0.v20210722-1426.jar: CVE-2022-41852(9.8)
[ERROR] org.eclipse.e4.ui.css.core-0.13.300.v20220809-1237.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.css.swt.theme-0.13.200.v20220906-1345.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench-1.13.200.v20220808-2019.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench.renderers.swt-0.15.700.v20220921-1214.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench3-0.16.0.v20210619-0956.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.emf.mwe2.language-2.14.0.v20221101-1054.jar: CVE-2021-41033(8.1), CVE-2019-10249(8.1)
[ERROR] org.eclipse.emf.mwe2.launch-2.14.0.v20221101-1054.jar: CVE-2019-10249(8.1)
[ERROR] org.eclipse.equinox.app-1.6.200.v20220720-2012.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.bidi-1.4.200.v20220710-1223.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.common-3.17.0.v20221006-0914.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.console-1.4.500.v20211021-1418.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.event-1.6.100.v20211021-1418.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.launcher-1.6.400.v20210924-0641.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.launcher.gtk.linux.x86_64-1.2.600.v20220720-1916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.preferences-3.10.100.v20220710-1223.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.registry-3.11.200.v20220817-1601.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.simpleconfigurator-1.4.100.v20220620-1617.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface-3.28.0.v20221020-0646.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface.databinding-1.14.0.v20220921-1419.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.osgi-3.18.200.v20221006-1531.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.text-3.12.300.v20220921-1010.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.update.configurator-3.4.900.v20220718-1722.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.urischeme-1.2.100.v20211001-1648.jar: CVE-2021-41033(8.1), CVE-2020-27225(7.8)
[ERROR] org.eclipse.xtext.logging-1.2.19.v20221109-0720.jar: CVE-2019-10249(8.1)


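Added example (not code from the thread, from Xtext, or from OWASP dependency-check): a small Python triage script for scanner output in the shape Christian pasted above. It parses the `[ERROR] <jar>: CVE-...(score), ...` lines, flags any CVE that is attached to many distinct bundles (a pattern that is worth checking for a CPE vendor/product collision before trusting it), and classifies the `org.apache.log4j` bundle by version, on the thread's statement that the reload4j drop-in keeps that bundle name at version 1.2.19. The sample lines are constructed from the post, the "3 or more bundles" threshold and the version heuristic are assumptions, and a version check alone does not prove what a jar contains; open the jar and read its MANIFEST.MF to confirm.

```python
"""Triage OWASP dependency-check output for an Eclipse/Tycho target platform.

Added example, not the thread's, Xtext's or dependency-check's own code.
It looks for two things a reviewer would otherwise check by hand:
  1. one CVE attached to many unrelated bundles (review as a likely CPE
     vendor/product collision, i.e. a possible false positive), and
  2. the org.apache.log4j bundle, whose version says whether the jar sits in
     the original log4j 1.2.x range or at/above the reload4j version 1.2.19
     named in the thread (assumption: a heuristic, not proof of content).
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the lines in the post above.
SAMPLE_OUTPUT = """\
[ERROR] org.apache.batik.css-1.15.0.v20221018-0736.jar: CVE-2022-41704(7.5), CVE-2022-42890(7.5)
[ERROR] org.apache.log4j-1.2.19.v20220208-1728.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8)
[ERROR] org.eclipse.core.commands-3.10.200.v20220512-0851.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.runtime-3.26.0.v20220813-0916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.osgi-3.18.200.v20221006-1531.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface-3.28.0.v20221020-0646.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.emf.mwe2.launch-2.14.0.v20221101-1054.jar: CVE-2019-10249(8.1)
[ERROR] org.eclipse.xtext.logging-1.2.19.v20221109-0720.jar: CVE-2019-10249(8.1)
[INFO] unrelated line that must be ignored
"""

LINE_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s*(?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d+)\((\d+(?:\.\d+)?)\)")
# Eclipse bundle jars: <symbolicName>-<major>.<minor>.<micro>[.<qualifier>].jar
JAR_RE = re.compile(
    r"^(?P<bundle>.+?)-(?P<version>\d+\.\d+\.\d+)(?:\.(?P<qualifier>[^/]+))?\.jar$"
)


def parse_report(text):
    """Return {jar: {cve: cvss_score}} for every [ERROR] finding line."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # build noise, [INFO]/[WARNING] lines, etc.
        findings[m.group("jar")] = {
            cve: float(score) for cve, score in CVE_RE.findall(m.group("cves"))
        }
    return findings


def split_jar_name(jar):
    """Split 'org.apache.log4j-1.2.19.v2022....jar' into (bundle, version)."""
    m = JAR_RE.match(jar)
    if not m:
        return jar, None
    return m.group("bundle"), m.group("version")


def suspicious_cves(findings, min_bundles=3):
    """CVEs hitting >= min_bundles distinct bundles -> review as CPE collisions.

    Threshold is an assumption; tune it to the size of the target platform.
    """
    by_cve = defaultdict(set)
    for jar, cves in findings.items():
        bundle, _ = split_jar_name(jar)
        for cve in cves:
            by_cve[cve].add(bundle)
    return {cve: sorted(b) for cve, b in by_cve.items() if len(b) >= min_bundles}


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def log4j_status(findings, reload4j_min="1.2.19"):
    """Classify org.apache.log4j jars by version relative to reload4j's 1.2.19.

    Assumption from the thread: reload4j keeps the bundle name org.apache.log4j
    at version 1.2.19, so a scanner matching on the log4j 1.2.x version range
    can still flag it. 'reload4j-range' means 'verify the jar manifest', not
    'safe'.
    """
    status = {}
    for jar in findings:
        bundle, version = split_jar_name(jar)
        if bundle == "org.apache.log4j" and version:
            at_or_above = version_tuple(version) >= version_tuple(reload4j_min)
            status[jar] = "reload4j-range" if at_or_above else "log4j-1.2-original"
    return status


if __name__ == "__main__":
    found = parse_report(SAMPLE_OUTPUT)
    for cve, bundles in suspicious_cves(found).items():
        print(f"{cve}: matched {len(bundles)} bundles, review CPE mapping: {bundles}")
    for jar, state in log4j_status(found).items():
        print(f"{jar}: {state}")
```

Run it against the real output with `mvn org.owasp:dependency-check-maven:check ... | python triage.py` style piping (replace `SAMPLE_OUTPUT` with `sys.stdin.read()`); anything it flags still needs a human decision, and anything it does not flag is a genuine finding to fix or upgrade.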