Closed danotorrey closed 2 years ago
@danotorrey See: https://github.com/Graylog2/graylog2-server/pull/11814 There is a new Log4j 2 version we might want to upgrade to.
Thanks @bernd. Done.
Note: I presume that the aws-lambda and aws-lambda-log4 dependencies will also be updated to the same 2.16.0 log4j version shortly. We'll want to include those too before merging this. I created an issue to get feedback from their team if this will be done.
Update:
PR changed back to a draft while we wait for the 2.16.0 aws-lambda dependency updated. Testing on this PR can proceed.
The aws-lambda team started working on updating the log4j dependencies to 2.16.0 in https://github.com/aws/aws-lambda-java-libs/pull/290, so I assume that will be released soon. I'll update this PR once again when that is released.
The aws-lambda-java-log4j2 dependency has been updated to 1.4.0, which uses log4j 2.16.0.
This PR is ready for review once again.
Updates just made to this PR:
2.1.17 to resolve CVE-2021-44832 (https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832)
2.17.1.
Tested successfully for me too. Thanks a lot for setting up the test environment @kingzacko1!
@bernd @malcyon Do either of you have time to take one final look at the dependency updates before merging this? Asking in case you have more familiarity with what versions are ok for the core product.
Overview
Update all out-of-date dependencies for graylog-s3-lambda.
Motivation
Log4j-related dependencies were recently updated in #26 and #27. And, since many other dependencies are quite out-of-date, I thought now would be a good opportunity to update them.
Details
Note that the import for S3EventNotification.S3Event in S3EventProcessor had to be updated, because the latest version of aws-lambda-java-events removed AWS SDK dependencies from itself. So, the S3Event class must be imported from the new location com.amazonaws.services.lambda.runtime.events.models.s3 from the aws-lambda-java-events dependency.
See https://github.com/aws/aws-lambda-java-libs/pull/127 for details.
Testing
I performed a test to ensure that the AWS Lambda function still appears to work with the new dependency versions. Please also test it yourself as part of the PR review process to help ensure it is working correctly. Use mvn clean package to build a testable jar. See the README and RELEASE docs for more details.
Test Plan
LOG.info statements) are successfully delivered to CloudWatch.
Change Logs:
aws-lambda-java-core, aws-lambda-java-events) https://github.com/aws/aws-lambda-java-libs/blob/master/aws-lambda-java-core/RELEASE.CHANGELOG.md
aws-java-sdk-s3 https://github.com/aws/aws-sdk-java-v2/blob/master/CHANGELOG.md
jackson-core https://github.com/FasterXML/jackson-core/blob/2.14/release-notes/VERSION-2.x
guice https://github.com/google/guice/releases
commons-lang3 https://commons.apache.org/proper/commons-lang/changes-report.html
netty-handler https://netty.io/news/
guava https://github.com/google/guava/releases
junit 4 https://github.com/junit-team/junit4/releases
Notes for Reviewers