Reputation: 37
I am trying to fix log4j vulnerabilities and have updated the existing log4j to the latest log4j-core version.
I tried adding an exclusion in the googlecode.owasp dependency, but the old version, log4j-1.2.12, is still added to the war file. As of now, there is no change in the maven plugin.
Please let me know how to exclude log4j-1.2.12.
maven dependency:tree
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ Invoice ---
[INFO] Bookings:Invoice:war:0.0.1-SNAPSHOT
[INFO] +- Bookings:Miscellaneous:jar:0.0.1-SNAPSHOT:compile
[INFO] | +- org.owasp.esapi:esapi:jar:2.1.0:compile
[INFO] | | +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] | | | \- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] | | +- xom:xom:jar:1.2.5:compile
[INFO] | | | \- xalan:xalan:jar:2.7.0:compile
[INFO] | | \- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] | +- xalan:serializer:jar:2.7.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.4.4:compile
[INFO] | | +- xerces:xercesImpl:jar:2.8.1:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] | | | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile
[INFO] | | \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] | +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
[INFO] | +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r156:compile
[INFO] | | +- (version selected from constraint [11.0,))
[INFO] | | | +-
[INFO] | | | +-
[INFO] | | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | | +-
[INFO] | | | \-
[INFO] | | \- (version selected from constraint [1.3.9,))
[INFO] | \- log4j:log4j:jar:1.2.12:compile
Upvotes: 0
Views: 1125
Reputation: 38328
It looks like Bookings:Miscellaneous:jar depends on log4j.
Change the bookings:miscellaneous dependency to something like this:
Then add a dependency to logback. Something like this:
Finally, add the adaptor from log4j to slf4j:
Upvotes: 1
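As an added example, not the answer's own snippets (which are missing from this page), here is an Invoice pom.xml fragment that applies the three steps above and adds a maven-enforcer-plugin rule as a guard so log4j 1.x cannot be pulled back in by another path. The tree shows log4j:log4j:1.2.12 sitting directly under Bookings:Miscellaneous, which is why an exclusion on owasp-java-html-sanitizer had no effect; the version values are placeholders.

```xml
<!-- Constructed example for the Invoice module; versions are placeholders. -->
<dependencies>
  <!-- log4j:log4j is a direct child of Miscellaneous, so exclude it here. -->
  <dependency>
    <groupId>Bookings</groupId>
    <artifactId>Miscellaneous</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Logback becomes the SLF4J backend. -->
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>LOGBACK_VERSION</version>
  </dependency>
  <!-- Bridge: org.apache.log4j classes used by transitive libraries now
       resolve here and are routed to SLF4J, so the excluded jar is not
       missed at runtime. -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>log4j-over-slf4j</artifactId>
    <version>SLF4J_VERSION</version>
  </dependency>
</dependencies>
<build>
  <plugins>
    <!-- Added guard: fail the build if any path reintroduces log4j 1.x. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>ENFORCER_VERSION</version>
      <executions>
        <execution>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes><exclude>log4j:log4j</exclude></excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Confirm the result with `mvn dependency:tree -Dincludes=log4j:log4j`, which should list no matching artifact under Invoice. Since Bookings:Miscellaneous is an in-house module, removing the log4j dependency from its own pom is the cleaner long-term fix than excluding it in every consumer.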