HIVE-28164: Remove log4j:log4j transitive dependency #5172
Conversation
asf-ci-hive
added
tests pending
tests unstable
tests passed
and removed
tests pending
tests unstable
labels
|
@zabetak, if you have bandwidth can you please review and provide your inputs on this? |
There was a problem hiding this comment.
If we want to eliminate log4j completely from the project then we should also tune the respective enforcer rules to prevent this from reappearing.
| <dependency> | ||
| <groupId>org.codehaus.plexus</groupId> | ||
| <artifactId>plexus-container-default</artifactId> | ||
| <version>1.5.6</version> |
There was a problem hiding this comment.
Use properties instead of hardcoded versions.
|
Apologies for the late response, Have updated the PR with suggested changes. I have created a new enforcer execution step to search for transitive dependencies of log4j. The scope of this PR is to only exclude log4j. |
Aggarwal-Raghav
force-pushed
the
log4j-removal
branch
from
130bc05
to
d70659b
Compare
asf-ci-hive
added
tests failed
tests pending
and removed
tests pending
tests failed
labels
|
|
@zabetak , can you please help with review? |
standalone-metastore/metastore-tools/metastore-benchmarks/pom.xml
Outdated
Show resolved
Hide resolved
Aggarwal-Raghav
force-pushed
the
log4j-removal
branch
from
d70659b
to
da71f9f
Compare
asf-ci-hive
added
tests pending
tests passed
and removed
tests passed
tests pending
labels
|
@zabetak , can you please re-review it, if you have the bandwidth |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
I forgot about this issue. I will take a a look now. |
There was a problem hiding this comment.
@Aggarwal-Raghav I left some small comments and then we can merge this. Let me know if you have time to address them otherwise I can commit the final touches.
|
Thanks @zabetak , for the review. your insights are always appreciated. I will address the review comments :-) |
Aggarwal-Raghav
force-pushed
the
log4j-removal
branch
from
f27701c
to
20fb164
Compare
Aggarwal-Raghav
changed the title
asf-ci-hive
added
tests pending
tests unstable
and removed
tests passed
tests pending
labels
Aggarwal-Raghav
force-pushed
the
log4j-removal
branch
from
20fb164
to
7555901
Compare
asf-ci-hive
added
tests pending
tests unstable
and removed
tests unstable
tests pending
labels
* Bump accumulo version to 1.10.4 * Exclude log4j:log4j from slf4j-log4j12 in standalone-metastore
Aggarwal-Raghav
force-pushed
the
log4j-removal
branch
from
7555901
to
81e8f92
Compare
|
|
@zabetak, have updated the PR, can you please review? |
What changes were proposed in this pull request?
There are dependency like accumulo and slf4j bringing log4j vulnerable jars in dependency tree. There are few dependencies also which don't appear in dependecy tree but are bringing old and vulnerable log4j. This can be observed in local m2 repo cache.
Why are the changes needed?
For CVE's and security reasons.
Does this PR introduce any user-facing change?
NO
Is the change a dependency upgrade?
Yes, here is new dependency tree on 771b003 (master):
dependency_tree.txt
How was this patch tested?
Will see the UT from CI