| Removing insecure log4j dependency [message #1855879] |
Tue, 08 November 2022 18:37  |
 Simon Cockx
Messages: 62
Registered: October 2021 |
Member |
|
|
Xtext seems to rely on log4j 1.2, which has know security vulnerabilities. Until now, we were using log4j in our own classes too. I am required to get rid of such dependencies.
At a high level, what I've tried is the following:
- use the org.slf4j.apis.log4j as a drop-in replacement of log4j 1.2
- use logback as a slf4j implementation.
Basically, this meant replacing the `org.apache.log4j` bundle with the following bundles in build.properties:
org.slf4j.api,\
org.slf4j.apis.log4j,\
ch.qos.logback.classic,\
ch.qos.logback.core
Running a `mvn clean install` builds without errors, but running a `mvn dependency:tree` still shows the insecure log4j dependency. I've also tried removing org.apache.log4j from the MANIFEST.MF files, but it automatically gets written back in after running `mvn clean install`.
Q1: is there a proper way of getting rid of this dependency?
Q2: where does the `org.apache.log4j` in the MANIFEST.MF files keep coming from? Which maven-plugin is responsible for this? (I'm guessing it's Tycho, but I don't see any documentation on this...)
FYI: I'm trying these things out on the following project/branch: https://github.com/REGnosys/rosetta-dsl/pull/443
|
|
|
|
| Re: Removing insecure log4j dependency [message #1855905 is a reply to message #1855881] |
Wed, 09 November 2022 11:04  |
Simon Cockx
Messages: 62
Registered: October 2021 |
Member |
|
|
I tried it out, but `org.apache.log4j` is still showing up in `mvn dependency:tree "-Dincludes=p2.eclipse-plugin:org.apache.log4j"` and in the security check `mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7`.
We are currently using xtext 2.27.
Maybe I did something wrong? What I did:
- add reload4j to the target platform
- revert my changes to build.properties (i.e., replace the logging frameworks with `org.apache.log4j` again)
I still notice the `org.apache.log4j` popping up in the MANIFEST.MF files, btw, even after I remove them. Not sure how this is happening, or whether this is bad or not.
[Updated on: Wed, 09 November 2022 11:16] Report message to a moderator |
|
|
|
| Re: Removing insecure log4j dependency [message #1855920 is a reply to message #1855918] |
Wed, 09 November 2022 19:55 |
|
i have the feeling the tool you use simply produces tons of false positives
[ERROR] org.apache.batik.css-1.15.0.v20221018-0736.jar: CVE-2022-41704(7.5), CVE-2022-42890(7.5)
[ERROR] org.apache.log4j-1.2.19.v20220208-1728.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8)
[ERROR] org.eclipse.core.commands-3.10.200.v20220512-0851.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.contenttype-3.8.200.v20220817-1539.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding-1.11.200.v20221005-0542.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.beans-1.9.0.v20220921-1419.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.observable-1.12.0.v20211231-1006.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.databinding.property-1.9.0.v20210619-1129.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.filesystem-1.9.500.v20220817-1539.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.jobs-3.13.200.v20221020-1350.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.core.runtime-3.26.0.v20220813-0916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.core.commands-1.0.200.v20220629-1225.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.core.services-2.3.400.v20220915-1347.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.emf.xpath-0.3.0.v20210722-1426.jar: CVE-2022-41852(9.8)
[ERROR] org.eclipse.e4.ui.css.core-0.13.300.v20220809-1237.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.css.swt.theme-0.13.200.v20220906-1345.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench-1.13.200.v20220808-2019.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench.renderers.swt-0.15.700.v20220921-1214.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.e4.ui.workbench3-0.16.0.v20210619-0956.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.emf.mwe2.language-2.14.0.v20221101-1054.jar: CVE-2021-41033(8.1), CVE-2019-10249(8.1)
[ERROR] org.eclipse.emf.mwe2.launch-2.14.0.v20221101-1054.jar: CVE-2019-10249(8.1)
[ERROR] org.eclipse.equinox.app-1.6.200.v20220720-2012.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.bidi-1.4.200.v20220710-1223.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.common-3.17.0.v20221006-0914.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.console-1.4.500.v20211021-1418.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.event-1.6.100.v20211021-1418.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.launcher-1.6.400.v20210924-0641.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.launcher.gtk.linux.x86_64-1.2.600.v20220720-1916.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.preferences-3.10.100.v20220710-1223.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.registry-3.11.200.v20220817-1601.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.equinox.simpleconfigurator-1.4.100.v20220620-1617.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface-3.28.0.v20221020-0646.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.jface.databinding-1.14.0.v20220921-1419.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.osgi-3.18.200.v20221006-1531.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.text-3.12.300.v20220921-1010.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.update.configurator-3.4.900.v20220718-1722.jar: CVE-2021-41033(8.1)
[ERROR] org.eclipse.urischeme-1.2.100.v20211001-1648.jar: CVE-2021-41033(8.1), CVE-2020-27225(7.8)
[ERROR] org.eclipse.xtext.logging-1.2.19.v20221109-0720.jar: CVE-2019-10249(8.1)
Need professional support for Xtext, Xpand, EMF?
Go to: https://www.itemis.com/en/it-services/methods-and-tools/xtext
Twitter : @chrdietrich
Blog : https://www.dietrich-it.de
|
|
|
Powered by
FUDForum. Page generated in 0.02183 seconds
] 
Search
Help
Register
Login
Home
