Update dependencies (including log4j to 2.17.1)

[danotorrey]

Overview

Update all out-of-date dependencies for graylog-s3-lambda.

Motivation

Log4j-related dependencies were recently updated in #26 and #27. And, since many other dependencies are quite out-of-date, I thought now would be a good opportunity to update them.

Details

Note that the import for S3EventNotification.S3Event in S3EventProcessor had to be updated, because the latest version of aws-lambda-java-events removed AWS SDK dependencies from itself. So, the S3Event class must be imported from the new location com.amazonaws.services.lambda.runtime.events.models.s3 from the aws-lambda-java-events dependency.

See https://github.com/aws/aws-lambda-java-libs/pull/127 for details.

Testing

I performed a test to ensure that the AWS Lambda function still appears to work with the new dependeny versions. Please also test it yourself as part of the PR review process to help ensure it is working correctly. Use mvn clean package to build a testable jar. See the README and RELEASE docs for more details.

Test Plan

• Create a test S3 bucket.
• Create/configure the Lambda function and link up the bucket.
• Compile and upload the jar file to the lambda function.
• Establish a running Graylog instance to which logs can be sent to (with a listening TCP GELF input)
• Use the TestDataGenerator to publish logs files to the S3 bucket.
• Verify that logs are successfully received within Graylog.
• Verify that the application logs (from code LOG.info statements) are successfully delivered to CloudWatch.

Change Logs:

• AWS Logger Core (aws-lambda-java-core, aws-lambda-java-events)https://github.com/aws/aws-lambda-java-libs/blob/master/aws-lambda-java-core/RELEASE.CHANGELOG.md
• aws-java-sdk-s3 https://github.com/aws/aws-sdk-java-v2/blob/master/CHANGELOG.md
• jackson-core https://github.com/FasterXML/jackson-core/blob/2.14/release-notes/VERSION-2.x
• guice https://github.com/google/guice/releases
• commons-lang3 https://commons.apache.org/proper/commons-lang/changes-report.html
• netty-handler https://netty.io/news/
• guava https://github.com/google/guava/releases
• junit 4 https://github.com/junit-team/junit4/releases

Notes for Reviewers

• [ ] The commit history must be preserved - please use the rebase-merge or standard merge option instead of squash-merge
• [ ] Sync up with the author before merging

[bernd]

@danotorrey See: https://github.com/Graylog2/graylog2-server/pull/11814 There is a new Log4j 2 version we might want to upgrade to.

[danotorrey]

Thanks @bernd. Done.

Note: I presume that the aws-lambda and aws-lambda-log4 dependencies will also be updated to the same 2.16.0 log4j version shortly. We'll want to include those too before merging this. I created an issue to get feedback from their team if this will be done.

Update: PR changed back to a draft while we wait for the 2.16.0 aws-lamba dependency updated. Testing on this PR can proceed.

[danotorrey]

The aws-lambda team started working on updating the log4j dependencies to 2.16.0 in https://github.com/aws/aws-lambda-java-libs/pull/290, so I assume that will be released soon. I'll update this PR once again when that is released.

[danotorrey]

The aws-lambda-java-log4j2 dependency has been updated to 1.4.0, which uses log4j 2.16.0.

This PR is ready for review once again.

[danotorrey]

Updates just made to this PR:

• log4j version updated to 2.1.17 to resolve CVE-2021-44832 (https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832)
• The AWS lambda log4j library aws-lambda-java-log4j2 was updated to the latest version including log4j 2.17.1.
• The latest master changes have been merged in including various updates to the POM file.

[danotorrey]

Tested successfully for me too. Thanks a lot for setting up the test environment @kingzacko1!

[danotorrey]

@bernd @malcyon Do either of you have time to take one final look at the dependency updates before merging this? Asking in case you have more familiarity with what versions are ok for the core product.