pom.xml 文件中的 log4j 排除
log4j exclusion from the pom.xml file
我正在尝试修复 log4j 漏洞,并且我已将现有的 log4j 更新为最新的 log4j-core 版本。
我尝试在 googlecode.owasp 依赖项中添加排除项,但在 war 文件中添加了旧版本的 log4j-1.2.12。截至目前,maven插件没有任何变化。
请告诉我如何排除log4j-1.2.12。
maven dependency:tree
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ Invoice ---
[INFO] Bookings:Invoice:war:0.0.1-SNAPSHOT
[INFO] +- Bookings:Miscellaneous:jar:0.0.1-SNAPSHOT:compile
[INFO] | +- org.owasp.esapi:esapi:jar:2.1.0:compile
[INFO] | | +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] | | | \- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] | | +- xom:xom:jar:1.2.5:compile
[INFO] | | | \- xalan:xalan:jar:2.7.0:compile
[INFO] | | \- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] | + xalan:serializer:jar:2.7.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.4.4:compile
[INFO] | | +- xerces:xercesImpl:jar:2.8.1:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] | | | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | | +- net.sourceforge.nekohtml;nekohtml:jar:1.9.12:compile
[INFO] | | \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] | +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
[INFO] | +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r156:compile
[INFO] | | +- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [11.0,))
[INFO] | | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (version selected from constraint [1.3.9,))
[INFO] | \- log4j:log4j:jar:1.2.12:compile
看起来Bookings:Miscellaneous:jar依赖于log4j。
将 bookings:miscellaneous 依赖项更改为如下内容:
<dependency>
<groupId>Bookings</groupId>
<artifactId>Miscellaneous</artifactId>
<version>0.0.1-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
然后给logback添加一个依赖。
像这样:
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>{someversion-your-choise}</version>
</dependency>
最后,
将适配器从 log4j 添加到 slf4j:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>{someversion-your-choise}</version>
</dependency>
我正在尝试修复 log4j 漏洞,并且我已将现有的 log4j 更新为最新的 log4j-core 版本。
我尝试在 googlecode.owasp 依赖项中添加排除项,但在 war 文件中添加了旧版本的 log4j-1.2.12。截至目前,maven插件没有任何变化。
请告诉我如何排除log4j-1.2.12。
maven dependency:tree
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ Invoice ---
[INFO] Bookings:Invoice:war:0.0.1-SNAPSHOT
[INFO] +- Bookings:Miscellaneous:jar:0.0.1-SNAPSHOT:compile
[INFO] | +- org.owasp.esapi:esapi:jar:2.1.0:compile
[INFO] | | +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] | | | \- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] | | +- xom:xom:jar:1.2.5:compile
[INFO] | | | \- xalan:xalan:jar:2.7.0:compile
[INFO] | | \- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] | + xalan:serializer:jar:2.7.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.4.4:compile
[INFO] | | +- xerces:xercesImpl:jar:2.8.1:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] | | | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | | +- net.sourceforge.nekohtml;nekohtml:jar:1.9.12:compile
[INFO] | | \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] | +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
[INFO] | +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r156:compile
[INFO] | | +- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [11.0,))
[INFO] | | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (version selected from constraint [1.3.9,))
[INFO] | \- log4j:log4j:jar:1.2.12:compile
看起来Bookings:Miscellaneous:jar依赖于log4j。
将 bookings:miscellaneous 依赖项更改为如下内容:
<dependency>
<groupId>Bookings</groupId>
<artifactId>Miscellaneous</artifactId>
<version>0.0.1-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
然后给logback添加一个依赖。 像这样:
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>{someversion-your-choise}</version>
</dependency>
最后, 将适配器从 log4j 添加到 slf4j:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>{someversion-your-choise}</version>
</dependency>