NIFI-9483 This closes #5616. Excluded Log4j 2 log4j-core and related libraries

- Added log4j-core to list of banned dependencies - Added log4j-to-slf4j for Elasticsearch 5 processors to support runtime logging Signed-off-by: Joe Witt <joewitt@apache.org>
2021-12-18 18:23:31 -06:00 · 2021-12-18 18:23:31 -06:00 · 9dd6b5f3e5
parent bda48b3f87
commit 9dd6b5f3e5
9 changed files with 91 additions and 4 deletions
--- a/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/pom.xml
+++ b/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/pom.xml
@ -78,6 +78,17 @@
        <dependency>
            <groupId>org.apache.atlas</groupId>
            <artifactId>atlas-notification</artifactId>
+            <exclusions>
+                <!-- Exclude Log4j 2 only referenced in optional FailedMessagesLogger -->
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+            </exclusions>
        </dependency>

        <dependency>
--- a/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
+++ b/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
@ -54,6 +54,29 @@
            <groupId>io.druid</groupId>
            <artifactId>druid-processing</artifactId>
            <version>${druid.version}</version>
+            <exclusions>
+                <!-- Exclude Log4j 2 libraries since Druid common Logger uses SLF4J -->
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-slf4j-impl</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-jul</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-1.2-api</artifactId>
+                </exclusion>
+            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.github.stephenc.findbugs</groupId>
--- a/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
@ -77,13 +77,14 @@ language governing permissions and limitations under the License. -->
            <groupId>org.slf4j</groupId>
            <artifactId>jcl-over-slf4j</artifactId>
        </dependency>
+        <!-- Route Elasticsearch Log4j 2 logging to SLF4J -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-core</artifactId>
+            <artifactId>log4j-to-slf4j</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.nifi</groupId>
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@ -99,6 +99,19 @@
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
+                <!-- Exclude Log4j 2 since Hive 3 uses SLF4J in component classes -->
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-1.2-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-web</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-slf4j-impl</artifactId>
+                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
@ -111,10 +124,23 @@
                    <groupId>log4j</groupId>
                    <artifactId>log4j</artifactId>
                </exclusion>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-log4j12</artifactId>
+                </exclusion>
                <exclusion>
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
+                <!-- Exclude Log4j 2 since Hive 3 uses SLF4J in component classes -->
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-1.2-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-slf4j-impl</artifactId>
+                </exclusion>
            </exclusions>
        </dependency>

--- a/nifi-nar-bundles/nifi-ignite-bundle/nifi-ignite-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-ignite-bundle/nifi-ignite-processors/pom.xml
@ -48,7 +48,7 @@
        </dependency>
        <dependency>
            <groupId>org.apache.ignite</groupId>
-            <artifactId>ignite-log4j2</artifactId>
+            <artifactId>ignite-slf4j</artifactId>
            <version>1.6.0</version>
            <scope>test</scope>
        </dependency>
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
@ -84,6 +84,15 @@
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
+                <!-- Exclude Log4j 2 since Ranger does not include direct references to Log4j Loggers -->
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-core</artifactId>
+                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
--- a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/pom.xml
@ -123,6 +123,14 @@
                    <groupId>com.fasterxml.jackson.core</groupId>
                    <artifactId>jackson-core</artifactId>
                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-slf4j-impl</artifactId>
+                </exclusion>
            </exclusions>
            <scope>test</scope>
        </dependency>
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml
@ -127,6 +127,15 @@
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
+                <!-- Exclude Log4j 2 since Ranger does not include direct references to Log4j Loggers -->
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-core</artifactId>
+                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
--- a/pom.xml
+++ b/pom.xml
@ -795,8 +795,8 @@
                                        <exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
                                        <!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
                                        <exclude>log4j:log4j:*</exclude>
-                                        <!-- Ban log4j-core less than 2.17.0 due to multiple vulnerability -->
-                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
+                                        <!-- Log4j 2 log4j-core excluded in favor of log4j-to-slf4j routing to logback -->
+                                        <exclude>org.apache.logging.log4j:log4j-core:*</exclude>
                                        <!-- Commons Logging excluded in favor of jcl-over-slf4j -->
                                        <exclude>commons-logging:commons-logging:*</exclude>
                                    </excludes>