如何从build.sbt中的所有依赖项中排除log4j 1.2.17漏洞
我们正在使用基于Sbt(0.13.11)的Play框架应用程序,如附件中提到的配置,我们希望排除与易受攻击的log4j 1.2.17相关的依赖关系。
name := """xxxx"""
version := "1.0"
lazy val playCommonDI = (project in file("./modules/play-common-di")).enablePlugins(PlayJava)
lazy val libsf = (project in file("libsf"))
lazy val root = (project in file("."))
.enablePlugins(PlayJava, PlayEbean, SbtWeb)
.aggregate(playCommonDI, libsf)
.dependsOn(playCommonDI, libsf)
scalaVersion := "2.11.7"
scalacOptions := Seq("-feature", "-unchecked", "-deprecation", "-encoding", "utf8")
resolvers += Resolver.url("Objectify Play Repository", url("http://deadbolt.ws/releases/"))(Resolver.ivyStylePatterns)
resolvers += "(Plugins) Project Maven Repo" at "file://" + file(".").getCanonicalPath + "/local-repo/maven/"
val junitVersion = "5.4.0"
val apachePOIVersion = "4.1.2"
val apachePOIDependencies = Seq(
"org.apache.poi" % "poi-ooxml" % apachePOIVersion,
"org.apache.poi" % "poi" % apachePOIVersion,
"org.apache.poi" % "poi-ooxml-schemas" % apachePOIVersion
)
libraryDependencies ++= apachePOIDependencies
libraryDependencies ++= Seq(
javaJdbc,
cache,
javaWs,
filters,
// Tests
"org.junit.platform" % "junit-platform-launcher" % "1.4.0" % Test,
"org.junit.jupiter" % "junit-jupiter-engine" % junitVersion % Test,
"org.junit.jupiter" % "junit-jupiter-params" % junitVersion % Test,
"org.junit.jupiter" % "junit-jupiter-api" % junitVersion % Test,
"org.dhatim" % "fastexcel" % "0.12.15",
"com.akamai" % "edgeauth" % "0.2.0",
"org.mockito" % "mockito-core" % "2.23.4" % Test,
"org.mockito" % "mockito-junit-jupiter" % "2.23.4" % Test,
"net.aichler" % "jupiter-interface" % JupiterKeys.jupiterVersion.value % Test,
"org.jacoco" % "org.jacoco.core" % "0.8.3",
"org.testcontainers" % "testcontainers" % "1.9.1" % Test,
"org.testcontainers" % "jdbc" % "1.9.1" % Test,
"org.testcontainers" % "mysql" % "1.9.1" % Test,
"mysql" % "mysql-connector-java" % "5.1.31",
"org.apache.commons" % "commons-lang3" % "3.3.2",
"commons-validator" % "commons-validator" % "1.4.0",
"com.thoughtworks.xstream" % "xstream" % "1.4.4",
"be.objectify" %% "deadbolt-java" % "2.5.6",
"org.ocpsoft.prettytime"%"prettytime"%"3.2.5.Final",
"dom4j" % "dom4j" % "1.6.1",
"net.logstash.logback" % "logstash-logback-encoder" % "4.11",
"org.apache.commons" % "commons-math3" % "3.5",
"org.redisson" % "redisson" % "2.6.0",
"org.atmosphere" % "atmosphere-play" % "2.3.0",
"org.atmosphere" % "wasync" % "2.1.4",
"com.hazelcast" % "hazelcast" % "3.4.2",
"com.hazelcast" % "hazelcast-cloud" % "3.4.2",
"org.elasticsearch" % "elasticsearch" % "1.5.0",
"org.apache.commons" % "commons-exec" % "1.3",
"net.htmlparser.jericho" % "jericho-html" % "3.4",
"org.apache.commons" % "commons-csv" % "1.2",
"com.itextpdf" % "itextpdf" % "5.5.11",
"com.itextpdf.tool" % "xmlworker" % "5.5.11",
"com.hierynomus" % "sshj" % "0.21.1",
"com.onelogin" % "java-saml" % "2.0.1",
"com.rusticisoftware" % "tincan" % "1.1.0",
"com.tokbox" % "opentok-server-sdk" % "4.3.0" excludeAll(
ExclusionRule(organization = "org.asynchttpclient")
),
"org.bitbucket.b_c" % "jose4j" % "0.6.4",
"com.pusher" % "pusher-http-java" % "1.0.0",
"com.typesafe.akka" % "akka-remote_2.11" % "2.4.17",
"org.bouncycastle" % "bcprov-jdk15on" % "1.56",
"org.flywaydb" %% "flyway-play" % "3.2.0",
"org.togglz" % "togglz-core" % "2.6.1.Final",
"org.togglz" % "togglz-console" % "2.6.1.Final",
"org.togglz" % "togglz-testing" % "2.6.1.Final" % Test,
"org.togglz" % "togglz-junit" % "2.6.1.Final" % Test,
"com.twilio.sdk" % "twilio" % "7.32.0",
"com.google.inject.extensions" % "guice-multibindings" % "4.0"
)
dependencyOverrides += "net.bytebuddy" % "byte-buddy" % "1.9.3"
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-core" % "2.9.9"
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9.1"
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-annotations" % "2.9.9"
parallelExecution in Global := false
routesGenerator := InjectedRoutesGenerator
//API Documentation
sources in (Compile, doc) := Seq.empty
publishArtifact in (Compile, packageDoc) := false
//CSS assets
includeFilter in (Assets, LessKeys.less) := "*.less"
excludeFilter in (Assets, LessKeys.less) := "_*.less"
LessKeys.compress in Assets := true
//JSHint
JsEngineKeys.engineType := JsEngineKeys.EngineType.Node
//Digest
pipelineStages := Seq(uglify, digest, gzip)
//Exclude documentation in dist
doc in Compile <<= target.map(_ / "none")
//SBT + Scala + idea support required (2.12?): Keys.javacOptions ++= Seq("-source", "1.8", "-target", "1.8", "-Xlint:unchecked")
Keys.javacOptions += "-Xlint:deprecation"
Keys.javacOptions += "-Xlint:unchecked"
// Enable testes to run in it's own VM
Keys.fork in Test := true
ivyConfiguration ~= { originalIvyConfiguration =>
val config = originalIvyConfiguration.asInstanceOf[InlineIvyConfiguration]
val ivyHome = file(Path.userHome.absolutePath+"/ivy2_sbt-plugin-2.5.14")
val ivyPaths = new IvyPaths(config.paths.baseDirectory, Some(ivyHome))
new InlineIvyConfiguration(ivyPaths, config.resolvers, config.otherResolvers,
config.moduleConfigurations, config.localOnly, config.lock,
config.checksums, config.resolutionCacheDir, config.log)
}
jacocoReportSettings in Test := JacocoReportSettings().withTitle("xxxx Report")字符串
正如在构建文件中提到的,我们试图提到正确的log4j 2.17,似乎默认的log4j 1.2.17没有被新版本的log4j取代。
你能帮帮我们吗?
1条答案
按热度按时间nnvyjq4y1#
排除log4j 1.2的问题是log4j 2并没有取代它。这就是为什么在log4j 2上添加依赖项不起作用。它们是完全不同的库。它们有不同的工件ID(log4j 1.2可以在
log4j:log4j中找到,而log4j 2使用org.apache.logging.log4j:log4j-api),它们使用不同的Java包名称(log4j 1.2使用org.apache.log4j,而log4j 2使用org.apache.logging.log4j)。它们只是碰巧在名称中都有log4j一词,但从构建工具/依赖管理器的Angular 来看,它们没有任何共同之处,所以当你告诉你的构建使用log4j 2时,构建工具并不知道该包与log4j 1有任何关系,并将两者都保留在依赖项中。很明显,它是由你的某个依赖项引入的。如果你排除它,很可能,引入它的依赖项将停止工作,因为当它加载时,它将尝试加载log4j 1.2 API,而这将不在类路径上,因此它将失败,并出现class not found错误。
解决方法是使用reload4j。这提供了log4j 1.2 API的二进制兼容实现,但修复了主要的安全漏洞。
要做到这一点,你需要确定你的哪些依赖于log4j 1.2。你可以使用sbt依赖树插件来做到这一点,关于如何使用这个插件的教程可以在here找到。
然后,从这些依赖项中排除log4j传递依赖项,如此处所述。
最后,您可以将reload 4j作为依赖项添加到项目中。
比这一切更好的是更新你的项目,停止使用非常旧的库版本。最后一个支持sbt 0.13.11的Play版本是Play 2.5,2016年发布。Play 2.6于2017年取代它。Play 2.5支持于2018年完成。您使用的Play版本已不支持超过5年。看看所有这些从那时起在Play中修复的安全漏洞,您可能容易受到攻击,自2018年Play 2.5.x以来报告的许多漏洞都容易受到攻击,只是因为Play 2.5不支持,我们没有列出这些漏洞:
https://www.playframework.com/security/vulnerability的
更不用说你使用的依赖中的所有漏洞了。