How to get rid of log4j 1.2.17 jar in springboot - spring-boot

I am using spring boot version 2.1.5.Release, am trying to remove log4j 1.2.17 jar tried exclusion logic.inside spring boot starter dependency it's not worked. Could you please help me to fix the log4j issue. I tried upgrade of Spring boot version still I see dependency in my eclipse under maven dependencies..thanks in advance.

Check that you do not have the logging starter for log4j. If not, then in the dependency hierarchy in eclipse, right-click on log4j and it will let you exclude it from whatever is pulling it in as a transitive dependency.

Related

Change ActiveMQ Log4j version

I have a Gradle project that uses activemq-all as a dependency, and within the project I use Log4j that comes with ActiveMQ jar. The latest ActiveMQ version is still using Log4j 1.2.x, and I want to use the latest version of Log4j.
I included Log4j as a separate dependency, but Gradle won't detect it. Any suggestions?
If the program is a client-side only, you should depend on activemq-client instead of activemq-all.
activemq-client depends on slf4j-api, and you can use the slf4j bridge to log4j or log4j2.

How to resolve CVEs in spring-batch-core 4.0.1.RELEASE?

I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.

Spring boot maven plugin - transitive dependency not working

As per Spring boot maven plugin docs - http://docs.spring.io/spring-boot/docs/1.5.2.RELEASE/maven-plugin/usage.html,
it will include all "provided" scoped dependencies also.
But for me , it is not happening. When I remover "provided" scope, it works fine and dependencies are included.
Can you let me know how to solve this ?
I have installed maven in a windows box and running it using command prompt (no IDE)

How to include dependent jars of my dependencies in spring boot fat jar

We are using Gradle to build spring boot application.
Our application does not require commons-io. But one of the other dependencies requires commons-io. So we've not added commons-io as dependencies. gradle build worked fine.
But when we run the spring boot using "java -jar my-fat-jar.jar", it throws classNotFound Exception for a commons-io class.
My fat jar does not contain commons-io in its lib folder.
So we just added commons-io as dependencies, now everything works fine.
But we don't want to add each such dependencies. Instead is there any way to include the dependent jars of my dependencies in lib folder of my fat jar?
Please note that we are using spring boot gradle plugin.

Camel 2.16.0 missing components

I upgraded my Fabric8 Spring Boot Camel pom.xml to use Camel 2.16.0 but not all components appear to be available in 2.16.0
I had to leave the following components at 2.15.3 as I get "Missing artifact" for the 2.16.0 versions:
camel-metrics
camel-jsonpath
camel-spring-boot
Are these not available in Camel 2.16.0?
I'm using Fabric8 version 2.2.46 and Spring Boot version 1.2.6.RELEASE.
I needed to delete my local Maven repository and rebuild.
Delete the artifacts (or the full local repo) from c:\Users\username.m2\repository by hand.

Resources