Conversation

@PoeppingT
Contributor

This commit bumps us up so all transitive dependencies use log4j2 2.17.0 to address the DoS vulnerability in 2.16.0.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@PoeppingT PoeppingT requested a review from brtrvn December 21, 2021 16:41
@PoeppingT PoeppingT self-assigned this Dec 21, 2021
Contributor

@brtrvn brtrvn left a comment

I don't see log4j-slf4j-impl in the changes? We may be able to remove that dependency and trust aws-lambda-java-log4j2 to pull it in.

@PoeppingT
Contributor Author

This new commit standardizes log4j-slf4j-impl, log4j-core, and log4j-api across the whole project and allows log4j-slf4j-impl to bring in its own expected version of the slf4j-api. The current issue with log4j-core and log4j-api is that we have two dependent packages across the project that rely on log4j-core and log4j-api: log4j-slf4j-impl and aws-lambda-java-log4j2. The effect of this PR is to:

  1. standardize the versions of log4j-slf4j-impl and aws-lambda-java-log4j2 across the project.
  2. standardize the versions of log4j-core and log4j-api across the project (independent of the two above).
     This means that any upgrades to either log4j-slf4j-impl or aws-lambda-java-log4j2 should be taken in tandem, assuming that not only are the dependent required log4j-core and log4j-api versions the same between those two versions but that those packages are upgraded as well.

The essence of this is represented in my added comment to the parent maven pom:

<!-- aws-lambda-java-log4j2 and log4j versions should be upgraded in tandem -->

In the future, if necessary, we can experiment with different versions of slf4j-api. At the moment it's assumed to be unlikely that feature upgrades to that library will be of particular use.
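One way to check the outcome described in this comment, namely that every transitive log4j artifact resolves to 2.17.0, is to scan `mvn dependency:tree -Dverbose` output. The checker below is an added example, not code from the PR or the awslabs project; the sample tree, the artifact versions in it, and the `legacy-lib` module are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `mvn dependency:tree -Dverbose` output.
# Not taken from the PR; versions are chosen so that one hypothetical library
# still references a log4j-core that Maven omitted in favour of 2.17.0.
SAMPLE_TREE = """\
[INFO] com.example:lambda-service:jar:1.0.0
[INFO] +- com.amazonaws:aws-lambda-java-log4j2:jar:1.5.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] \\- com.example:legacy-lib:jar:0.9.0:compile
[INFO]    \\- (org.apache.logging.log4j:log4j-core:jar:2.16.0:compile - omitted for conflict with 2.17.0)
"""

# groupId:artifactId:jar:version:scope, as printed by the maven-dependency-plugin
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")
LOG4J_GROUP = "org.apache.logging.log4j"


def log4j_versions(tree_text):
    """Map each log4j artifactId to {version: 'resolved' | 'omitted'}."""
    found = defaultdict(dict)
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group(1) != LOG4J_GROUP:
            continue
        artifact, version = m.group(2), m.group(3)
        status = "omitted" if "omitted" in line else "resolved"
        # A version that is resolved anywhere counts as resolved.
        if status == "resolved" or version not in found[artifact]:
            found[artifact][version] = status
    return dict(found)


def stale_log4j(tree_text, required="2.17.0"):
    """Return sorted (artifactId, version, status) triples not at the required version."""
    return sorted(
        (artifact, version, status)
        for artifact, versions in log4j_versions(tree_text).items()
        for version, status in versions.items()
        if version != required
    )


if __name__ == "__main__":
    for artifact, version, status in stale_log4j(SAMPLE_TREE):
        print(f"{artifact} {version} ({status})")
```

An "omitted" hit means the build already resolves to 2.17.0 but some module still declares the older version, which is exactly the case the tandem-upgrade comment in the parent pom is meant to prevent from drifting.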

@brtrvn
Contributor

brtrvn commented Jan 4, 2022

Do we need to explicitly include log4j-core? Shouldn't log4j-slf4j-impl pull in log4j-core as a transient dependency as needed?
Also, note that until recently, aws-lambda-java-log4j2 has not been updated as frequently as SLF4J or Log4J.

@brtrvn brtrvn merged commit fe3bf7c into awslabs:main Jan 5, 2022
@PoeppingT PoeppingT deleted the upgrade-log4j2 branch July 26, 2022 17:33