I have a Gradle project that uses activemq-all as a dependency, and within the project I use Log4j that comes with ActiveMQ jar. The latest ActiveMQ version is still using Log4j 1.2.x, and I want to use the latest version of Log4j.
I included Log4j as a separate dependency, but Gradle won't detect it. Any suggestions?
If the program is a client-side only, you should depend on activemq-client instead of activemq-all.
activemq-client depends on slf4j-api, and you can use the slf4j bridge to log4j or log4j2.
Related
I am using spring boot version 2.1.5.Release, am trying to remove log4j 1.2.17 jar tried exclusion logic.inside spring boot starter dependency it's not worked. Could you please help me to fix the log4j issue. I tried upgrade of Spring boot version still I see dependency in my eclipse under maven dependencies..thanks in advance.
Check that you do not have the logging starter for log4j. If not, then in the dependency hierarchy in eclipse, right-click on log4j and it will let you exclude it from whatever is pulling it in as a transitive dependency.
I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.
I have a rest service running on dropwizard. Dropwizard requires slf4j to be configured with logback. When launching this service directly from my maven project in eclipse, the service starts up with the proper logback binding. When I do a maven package with the maven shade plugin, however, the resulting jar is still pulling log4j onto the classpath, which is resulting in slf4j choosing org.slf4j.impl.Log4jLoggerFactory instead of the logback binding.
I have made sure to exclude every transitive instance of log4j in my pom, as well as slf4j-log4j12 (mvn dependency:tree shows neither of these in my hierarchy), yet somehow it still always shows up in my uber jar after running mvn clean package.
How can I figure out what is causing log4j to always exist on my classpath?
I upgraded my Fabric8 Spring Boot Camel pom.xml to use Camel 2.16.0 but not all components appear to be available in 2.16.0
I had to leave the following components at 2.15.3 as I get "Missing artifact" for the 2.16.0 versions:
camel-metrics
camel-jsonpath
camel-spring-boot
Are these not available in Camel 2.16.0?
I'm using Fabric8 version 2.2.46 and Spring Boot version 1.2.6.RELEASE.
I needed to delete my local Maven repository and rebuild.
Delete the artifacts (or the full local repo) from c:\Users\username.m2\repository by hand.
I'm trying to build a complete Spring Framework distribution for version 3.2.4.RELEASE without using maven (just the spring jars) and managed to manually get all jars except for spring-asm.
Spring-asm stops at version 3.1.4. Why is that?
I have older spring distributions up to 3.1.1 (those for which you had a zip file, not forced to use maven) and all have the same spring-asm jar inside, with the same version.
Why is there no spring-asm-3.2.4.RELEASE jar?
Here is from release notes for 3.2
we've eliminated the dedicated spring-asm jar in M2 in favor of including org.springframework.asm classes directly in spring-core