New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release 4.5.2 to address CVE-2021-44228 #1868
Comments
@KengoTODA : the build fails with this error below: any idea?
|
It seems that the Sonatype Nexus (oss.sonatype.org) took a long time to handle our request. The deployment itself has been succeeded. |
Please approve and merge #1871 first |
It seems that Apache Foundation released 2.16.0, I'll check its release note. https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0 |
I assume we could pick this release too. |
checked, thanks. Is it better to release our 4.5.2 with 2.16.0? It is possible for now. |
Please update. |
@KengoTODA : I think we should release maven and gradle plugins ASAP too, once core is released. WDYT? Would you push that? |
log4j is packaged only into the zip/tarball distribution, so Maven/Gradle plugins are not affected by this vulnerability. You can see that runtime dependency of 4.5.1 release does not have log4j2 at: |
refer to #790 |
I'm not sure if the data on maven repository is correct. But you probably mean, there is nothing in spotbugs maven/gradle modules configuration or dependencies, that allows us to disallow use of unsafe log4j version. There is no way to say slf4j to require some specific version of Log4j? I read this on gradle:
|
I mean, SpotBugs core depends on
There is no way. |
The released version contains both 2.15.0 and 2.16.0 jars for log4j. By classpath order log4jcore-2.15 and log4j-api 2.16 are used. While this fixes the CVE, ist should be fixed to reduce the jar size and use consistent versions. |
@clh15683 : good find! @KengoTODA : this happens if one builds incrementally - gradle build seem not to properly cleanup previous data. Not sure how you build the package, but ideally one should run |
The release build does not use cache, so https://github.com/spotbugs/spotbugs/blob/4.5.2/.github/workflows/release.yml We use dependency cache in I'll check the build process itself. The eclipse plugin probably have two or more dependencies on log4j, then dependency constraints could be help. |
It seems that the @iloveeclipse Do we need to include logging framework's API and bindings? More specifically, they are jar files as follows:
I expect that Eclipse itself will provide API and binding in runtime. If so, we can simply exclude these libraries from the target of the |
BTW a permanent solution is removing this task, and it means that we need to resolve dependencies from Maven Central. It's technically possible but I have one blocker, so I posted to Eclipse Community Forum to ask a question at this October. If there is no answer in that forum, I will find another way to download and extract org.eclipse.pde.build. |
Not sure why there are so many versions? The "copy" tasks only copy declared dependencies. I think slf4j-api-1.8.0-beta4.jar is required, but not sure regarding log4j, I have to debug. In any case, everything that is not required to be in the plugin, must be declared as dependency in manifest. |
I believe the direct reason is that this task need to copy dependencies in spotbugs/spotbugs/build.gradle Line 99 in 49fc6f6
I will update this line, and regenerate manifest files for the Eclipse plugin. |
Log4j 2.16 CVSS 7.5 : Fixed in Log4j 2.17 |
@cypher256 : thanks. I've created #1882 |
SpotBugs 4.5.3 has been released, which depends on log4j 2.17.1. |
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
This change makes it possible to build Eclipse plugins without local Eclipse IDE. It is also possible to use metadata of artifacts (pom.xml) to maintain license, vulnerability, and version of dependencies. close #1868
We should release 4.5.2 version to quickly address CVE-2021-44228.
The PR #1865 is prerequisite.
Note: there is no known exploit using spotbugs possible yet, but since we ship and use log4j in affected version, and there are web services that run spotbugs as a part of the build pipeline, an attacker could manage to craft a pull request that contains the Java code that would somehow manage the bad pattern be part of the message logged by spotbugs.
The text was updated successfully, but these errors were encountered: