HIVE-28164: Remove log4j:log4j transitive dependency #5172
Conversation
@zabetak, if you have bandwidth can you please review and provide your inputs on this?
If we want to eliminate log4j completely from the project then we should also tune the respective enforcer rules to prevent this from reappearing.
<dependency>
<groupId>org.codehaus.plexus</groupId>
<artifactId>plexus-container-default</artifactId>
<version>1.5.6</version>
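Review bot: the `<version>1.5.6</version>` line hardcodes the plexus-container-default version; declare it once as a property in the parent pom and reference it here (e.g. `<version>${plexus-container-default.version}</version>`) so that later bumps are made in one place. Since the goal of this PR is to drop log4j:log4j from the tree, please also confirm with `mvn dependency:tree` that this newly added artifact does not pull it back in transitively, and add an `<exclusions>` block here if it does.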
Use properties instead of hardcoded versions.
Apologies for the late response. I have updated the PR with the suggested changes. I have created a new enforcer execution step to search for transitive dependencies of log4j. The scope of this PR is to only exclude log4j.
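As an added illustration of the two mechanisms discussed in this thread (an enforcer execution that fails the build when log4j:log4j reappears transitively, and an exclusion on slf4j-log4j12), here is an example pom.xml fragment; it is not the PR's own change, and the execution id, property name and plugin placement are assumptions:

```xml
<!-- Example only (not the PR's pom). Property name is assumed. -->
<properties>
  <accumulo.version>1.10.4</accumulo.version>
</properties>

<dependencies>
  <!-- Keep the slf4j binding but drop the old log4j 1.x jar it pulls in. -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-log4j12</artifactId>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <!-- Execution id is assumed; it runs with the default enforce phase. -->
        <execution>
          <id>ban-log4j1</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- searchTransitive makes the rule inspect the whole
                     resolved tree, not only direct dependencies. -->
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <exclude>log4j:log4j</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, any module or upgraded dependency that reintroduces log4j:log4j fails `mvn verify` with a bannedDependencies message naming the offending path, which is the regression guard @zabetak asked for.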
130bc05 to d70659b
@zabetak, can you please help with review?
standalone-metastore/metastore-tools/metastore-benchmarks/pom.xml (outdated, resolved)
d70659b to da71f9f
@zabetak, can you please re-review it if you have the bandwidth?
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I forgot about this issue. I will take a look now.
@Aggarwal-Raghav I left some small comments and then we can merge this. Let me know if you have time to address them otherwise I can commit the final touches.
Thanks @zabetak, for the review. Your insights are always appreciated. I will address the review comments :-)
f27701c to 20fb164
20fb164 to 7555901
* Bump accumulo version to 1.10.4
* Exclude log4j:log4j from slf4j-log4j12 in standalone-metastore
7555901 to 81e8f92
@zabetak, have updated the PR, can you please review?
LGTM, will merge soon!
What changes were proposed in this pull request?
There are dependencies like accumulo and slf4j bringing vulnerable log4j jars into the dependency tree. There are also a few dependencies which don't appear in the dependency tree but are bringing in old and vulnerable log4j. This can be observed in the local m2 repo cache.
Why are the changes needed?
For CVEs and security reasons.
Does this PR introduce any user-facing change?
NO
Is the change a dependency upgrade?
Yes, here is new dependency tree on 771b003 (master):
dependency_tree.txt
How was this patch tested?
Will see the UT from CI