如何从 build.sbt 中的所有依赖项中排除 log4j 1.2.17 漏洞
我们正在使用基于 Sbt (0.13.11) 的 Play 框架应用程序,构建配置如附件所示。我们希望排除与存在漏洞的 log4j 1.2.17 相关的依赖项。
// Project identity and compiler settings for the root Play application.
name := """xxxx"""

version := "1.0"

scalaVersion := "2.11.7"

scalacOptions := Seq("-feature", "-unchecked", "-deprecation", "-encoding", "utf8")

// Sub-modules: a shared Play DI module and a plain library module.
lazy val playCommonDI = (project in file("./modules/play-common-di")).enablePlugins(PlayJava)
lazy val libsf = (project in file("libsf"))

// Root project: builds and tests the sub-modules together and depends on both.
lazy val root = (project in file("."))
  .enablePlugins(PlayJava, PlayEbean, SbtWeb)
  .aggregate(playCommonDI, libsf)
  .dependsOn(playCommonDI, libsf)

// Additional artifact repositories.
// NOTE(review): the deadbolt repository is fetched over plain HTTP, so artifacts are not
// protected against tampering in transit; prefer https if the host serves it (sbt 1.3+
// rejects http repositories unless explicitly allowed).
resolvers ++= Seq(
  Resolver.url("Objectify Play Repository", url("http://deadbolt.ws/releases/"))(Resolver.ivyStylePatterns),
  "(Plugins) Project Maven Repo" at "file://" + file(".").getCanonicalPath + "/local-repo/maven/"
)
// Versions shared by several dependency entries below.
val junitVersion = "5.4.0"
val apachePOIVersion = "4.1.2"

// Apache POI artifacts, all pinned to the same version so the three stay in lock-step.
val apachePOIDependencies =
  Seq("poi-ooxml", "poi", "poi-ooxml-schemas").map(artifact => "org.apache.poi" % artifact % apachePOIVersion)
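// Apache POI (all three artifacts pinned to apachePOIVersion).
libraryDependencies ++= apachePOIDependencies

// --- log4j 1.2 replacement -------------------------------------------------------------
// log4j 1.2.x is end-of-life and arrives transitively through one or more of the
// dependencies below (elasticsearch 1.x is a likely source — confirm with the sbt
// dependency-tree plugin). log4j 2 does not replace it: it is a different library with
// different package names, so excluding 1.2 on its own leaves its consumers failing at
// runtime with a class-not-found error. reload4j is the binary-compatible, patched fork
// of the log4j 1.2 API and is the drop-in replacement.
// Placeholder: set to a current reload4j release before building.
val reload4jVersion = "<REPLACE-WITH-RELOAD4J-RELEASE>"

// Drop log4j 1.2 from every transitive dependency of this project.
// NOTE(review): playCommonDI and libsf are separate modules — if they are run or published
// on their own, repeat the exclusion and the reload4j dependency in their build definitions.
excludeDependencies += SbtExclusionRule("log4j", "log4j")

// NOTE(review): several pins below are old (e.g. xstream 1.4.4, dom4j 1.6.1,
// elasticsearch 1.5.0); the dependency-tree pass for log4j is a good moment to check
// them against current advisories.
libraryDependencies ++= Seq(
  javaJdbc,
  cache,
  javaWs,
  filters,
  // Tests
  "org.junit.platform" % "junit-platform-launcher" % "1.4.0" % Test,
  "org.junit.jupiter" % "junit-jupiter-engine" % junitVersion % Test,
  "org.junit.jupiter" % "junit-jupiter-params" % junitVersion % Test,
  "org.junit.jupiter" % "junit-jupiter-api" % junitVersion % Test,
  "org.dhatim" % "fastexcel" % "0.12.15",
  "com.akamai" % "edgeauth" % "0.2.0",
  "org.mockito" % "mockito-core" % "2.23.4" % Test,
  "org.mockito" % "mockito-junit-jupiter" % "2.23.4" % Test,
  "net.aichler" % "jupiter-interface" % JupiterKeys.jupiterVersion.value % Test,
  // NOTE(review): jacoco core ships in the main (not Test) configuration — confirm that is intended.
  "org.jacoco" % "org.jacoco.core" % "0.8.3",
  "org.testcontainers" % "testcontainers" % "1.9.1" % Test,
  "org.testcontainers" % "jdbc" % "1.9.1" % Test,
  "org.testcontainers" % "mysql" % "1.9.1" % Test,
  "mysql" % "mysql-connector-java" % "5.1.31",
  "org.apache.commons" % "commons-lang3" % "3.3.2",
  "commons-validator" % "commons-validator" % "1.4.0",
  "com.thoughtworks.xstream" % "xstream" % "1.4.4",
  "be.objectify" %% "deadbolt-java" % "2.5.6",
  "org.ocpsoft.prettytime" % "prettytime" % "3.2.5.Final",
  "dom4j" % "dom4j" % "1.6.1",
  "net.logstash.logback" % "logstash-logback-encoder" % "4.11",
  "org.apache.commons" % "commons-math3" % "3.5",
  "org.redisson" % "redisson" % "2.6.0",
  "org.atmosphere" % "atmosphere-play" % "2.3.0",
  "org.atmosphere" % "wasync" % "2.1.4",
  "com.hazelcast" % "hazelcast" % "3.4.2",
  "com.hazelcast" % "hazelcast-cloud" % "3.4.2",
  "org.elasticsearch" % "elasticsearch" % "1.5.0",
  "org.apache.commons" % "commons-exec" % "1.3",
  "net.htmlparser.jericho" % "jericho-html" % "3.4",
  "org.apache.commons" % "commons-csv" % "1.2",
  "com.itextpdf" % "itextpdf" % "5.5.11",
  "com.itextpdf.tool" % "xmlworker" % "5.5.11",
  "com.hierynomus" % "sshj" % "0.21.1",
  "com.onelogin" % "java-saml" % "2.0.1",
  "com.rusticisoftware" % "tincan" % "1.1.0",
  "com.tokbox" % "opentok-server-sdk" % "4.3.0" excludeAll(
    ExclusionRule(organization = "org.asynchttpclient")
  ),
  "org.bitbucket.b_c" % "jose4j" % "0.6.4",
  "com.pusher" % "pusher-http-java" % "1.0.0",
  "com.typesafe.akka" % "akka-remote_2.11" % "2.4.17",
  "org.bouncycastle" % "bcprov-jdk15on" % "1.56",
  "org.flywaydb" %% "flyway-play" % "3.2.0",
  "org.togglz" % "togglz-core" % "2.6.1.Final",
  "org.togglz" % "togglz-console" % "2.6.1.Final",
  "org.togglz" % "togglz-testing" % "2.6.1.Final" % Test,
  "org.togglz" % "togglz-junit" % "2.6.1.Final" % Test,
  "com.twilio.sdk" % "twilio" % "7.32.0",
  "com.google.inject.extensions" % "guice-multibindings" % "4.0",
  // log4j 1.2 API replacement (see reload4jVersion above).
  "ch.qos.reload4j" % "reload4j" % reload4jVersion
)

// Pin transitive versions that several libraries above pull in at differing levels.
dependencyOverrides ++= Set(
  "net.bytebuddy" % "byte-buddy" % "1.9.3",
  "com.fasterxml.jackson.core" % "jackson-core" % "2.9.9",
  "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9.1",
  "com.fasterxml.jackson.core" % "jackson-annotations" % "2.9.9"
)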
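// Disable parallel test execution across all projects.
parallelExecution in Global := false

routesGenerator := InjectedRoutesGenerator

// API documentation: produce no scaladoc sources and do not package a doc artifact.
sources in (Compile, doc) := Seq.empty
publishArtifact in (Compile, packageDoc) := false

// CSS assets: compile every .less file except partials (leading underscore); minify output.
includeFilter in (Assets, LessKeys.less) := "*.less"
excludeFilter in (Assets, LessKeys.less) := "_*.less"
LessKeys.compress in Assets := true

// JSHint / JS engine
JsEngineKeys.engineType := JsEngineKeys.EngineType.Node

// Asset pipeline for dist: minify, fingerprint, then compress.
pipelineStages := Seq(uglify, digest, gzip)

// Exclude documentation from dist by pointing `doc` at a directory that is never produced.
// `:=` with `.value` replaces the `<<=` operator, which later sbt 0.13.x releases deprecate.
doc in Compile := target.value / "none"

// SBT + Scala + idea support required (2.12?): javacOptions ++= Seq("-source", "1.8", "-target", "1.8", "-Xlint:unchecked")
javacOptions ++= Seq("-Xlint:deprecation", "-Xlint:unchecked")

// Run tests in a forked JVM of their own.
fork in Test := true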
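// Use a build-specific ivy cache directory instead of the shared ~/.ivy2.
// The default configuration is expected to be an InlineIvyConfiguration; a pattern match
// reports any other type with a readable message instead of a bare ClassCastException.
ivyConfiguration ~= {
  case config: InlineIvyConfiguration =>
    val ivyHome = Path.userHome / "ivy2_sbt-plugin-2.5.14"
    val ivyPaths = new IvyPaths(config.paths.baseDirectory, Some(ivyHome))
    new InlineIvyConfiguration(ivyPaths, config.resolvers, config.otherResolvers,
      config.moduleConfigurations, config.localOnly, config.lock,
      config.checksums, config.resolutionCacheDir, config.log)
  case other =>
    sys.error(s"Expected InlineIvyConfiguration but found ${other.getClass.getName}")
}

// JaCoCo coverage report title (test scope).
jacocoReportSettings in Test := JacocoReportSettings().withTitle("xxxx Report")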
正如构建文件中所示,我们尝试指定正确的 log4j 2.17,但默认的 log4j 1.2.17 似乎并没有被新版本的 log4j 取代。
您能帮我们解决这个问题吗?
排除 log4j 1.2 的问题在于,log4j 2 并不能取代它:它们是完全不同的库,包名也不同。log4j 1.2 显然是由您的某个依赖项传递引入的。如果直接排除它,引入它的依赖项很可能会停止工作,因为该依赖项在加载时会尝试加载类路径上已不存在的 log4j 1.2 API,从而因类未找到错误(ClassNotFoundError)而失败。
解决方法是使用 reload4j。它提供了与 log4j 1.2 API 二进制兼容的实现,同时修复了其主要的安全漏洞。
为此,您需要先确定哪些依赖项依赖于 log4j 1.2。可以使用 sbt 依赖树插件来完成,此处有关于如何使用该插件的教程。
然后,按照此处的文档说明,从这些依赖项的传递依赖中排除 log4j。
最后,您可以将 reload4j 作为依赖项添加到您的项目中。