LodLive / LodView

IRI dereferencer, RDF to HTML
http://lodview.it
MIT License

log4j 1.2.17 in mvn dependency:tree, upgrade Jena version #52

Open KonradHoeffner opened 2 years ago

KonradHoeffner commented 2 years ago

LodView has a transitive dependency on log4j 1.2.17 included from Apache Jena 2.13.0, see below.

According to https://logging.apache.org/log4j/1.2/:

A security vulnerability, CVE-2019-17571 has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.

However, it is very important not to use a Jena version that depends on Log4j 2 < 2.15.0, as this suffers from an arguably even worse security vulnerability, see https://logging.apache.org/log4j/2.x/index.html. The current latest version depends on log4j2 2.14.1. Thus, this current version should not be used:

<dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>4.3.0</version>
    <type>pom</type>
</dependency>

However according to https://github.com/apache/jena/commits/jena-4.3.1, this seems to be fixed in Jena 4.3.1. Thus I will not create a pull request just yet and recommend waiting until Jena 4.3.1 is officially released and available on Maven central and then using that if it doesn't break anything.

$ mvn dependency:tree
[...]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ lodview ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:2.13.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:1.1.2:compile
[INFO] |  |  +- org.apache.jena:jena-arq:jar:2.13.0:compile
[INFO] |  |  |  +- org.apache.httpcomponents:httpclient:jar:4.2.6:compile
[INFO] |  |  |  |  +- org.apache.httpcomponents:httpcore:jar:4.2.5:compile
[INFO] |  |  |  |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] |  |  |  +- com.github.jsonld-java:jsonld-java:jar:0.5.1:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.3.3:compile
[INFO] |  |  |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.3.3:compile
[INFO] |  |  |  |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile
[INFO] |  |  |  +- org.apache.httpcomponents:httpclient-cache:jar:4.2.6:compile
[INFO] |  |  |  +- org.apache.thrift:libthrift:jar:0.9.2:compile
[INFO] |  |  |  \- org.apache.commons:commons-csv:jar:1.0:compile
[INFO] |  |  \- org.apache.jena:jena-core:jar:2.13.0:compile
[INFO] |  |     +- org.apache.jena:jena-iri:jar:1.1.2:compile
[INFO] |  |     \- xerces:xercesImpl:jar:2.11.0:compile
[INFO] |  |        \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.1:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.0.7:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.0.7:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.1:provided
[INFO] +- javax.servlet.jsp.jstl:jstl-api:jar:1.2:compile
[INFO] +- org.glassfish.web:jstl-impl:jar:1.2:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.3.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter-integration:jar:1.1.4.RELEASE:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.1.4.RELEASE:compile
[INFO]    |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.7:compile
[INFO]    |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
[INFO]    |  \- org.yaml:snakeyaml:jar:1.13:runtime
[INFO]    +- org.springframework.boot:spring-boot-starter-aop:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.aspectj:aspectjrt:jar:1.8.1:compile
[INFO]    |  \- org.aspectj:aspectjweaver:jar:1.8.1:compile
[INFO]    +- org.springframework:spring-messaging:jar:4.0.6.RELEASE:compile
[INFO]    +- org.springframework:spring-tx:jar:4.0.6.RELEASE:compile
[INFO]    +- org.springframework.integration:spring-integration-core:jar:4.0.2.RELEASE:compile
[INFO]    |  \- org.springframework.retry:spring-retry:jar:1.1.0.RELEASE:compile
[INFO]    +- org.springframework.integration:spring-integration-file:jar:4.0.2.RELEASE:compile
[INFO]    |  \- commons-io:commons-io:jar:2.4:compile
[INFO]    +- org.springframework.integration:spring-integration-http:jar:4.0.2.RELEASE:compile
[INFO]    |  \- net.java.dev.rome:rome-fetcher:jar:1.0.0:compile
[INFO]    |     +- jdom:jdom:jar:1.0:compile
[INFO]    |     +- net.java.dev.rome:rome:jar:1.0.0:compile
[INFO]    |     \- commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO]    +- org.springframework.integration:spring-integration-ip:jar:4.0.2.RELEASE:compile
[INFO]    \- org.springframework.integration:spring-integration-stream:jar:4.0.2.RELEASE:compile
[INFO] ------------------------------------------------------------------------
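A small audit script, added here as an example and not part of LodView or Jena, that applies the two rules from this comment to mvn dependency:tree output: flag any log4j:log4j 1.x jar, and any org.apache.logging.log4j artifact below 2.15.0. The sample tree is constructed from the lines above, with one Log4j 2 line added so the second rule is exercised.

```python
import re

# Constructed sample, modelled on the mvn dependency:tree output quoted in the issue
# (the log4j-core/log4j-api lines are added for illustration; they are not in LodView's tree).
SAMPLE_TREE = """\
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:2.13.0:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
"""

LOG4J2_MIN = (2, 15, 0)  # threshold named in the issue: Log4j 2 < 2.15.0 must not be used

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); non-numeric parts such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_coordinate(line):
    """Return (groupId, artifactId, version) for one dependency:tree line, else None."""
    body = line.removeprefix("[INFO]").strip(" |+\\-")   # drop prefix and tree drawing
    parts = body.split(":")
    if len(parts) == 5:      # group:artifact:type:version:scope
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:      # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4]
    return None              # root line, [WARNING] line, separators, "[...]"

def audit_tree(text):
    """Flag every Log4j 1 jar and every Log4j 2 artifact below LOG4J2_MIN."""
    findings = []
    for line in text.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if (group, artifact) == ("log4j", "log4j"):
            findings.append((f"{group}:{artifact}:{version}",
                             "Log4j 1 is unmaintained; CVE-2019-17571 will not be fixed"))
        elif group == "org.apache.logging.log4j" and version_tuple(version) < LOG4J2_MIN:
            findings.append((f"{group}:{artifact}:{version}",
                             "Log4j 2 below 2.15.0; upgrade the dependency that pulls it in"))
    return findings

if __name__ == "__main__":
    for coord, reason in audit_tree(SAMPLE_TREE):
        print(f"{coord}: {reason}")
```

Pipe real output through it with `mvn dependency:tree | python3 audit.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; a transitive hit names the chain to follow upward in the tree.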
KonradHoeffner commented 2 years ago

Jena 4.3.2 is available now:

<dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>4.3.2</version>
    <type>pom</type>
</dependency>

It doesn't list a dependency on log4j anymore:

[...]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ lodview ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:4.3.2:compile
[INFO] |  +- org.apache.jena:jena-shacl:jar:4.3.2:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:4.3.2:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:4.3.2:compile
[INFO] |  |     |  +- org.apache.jena:jena-base:jar:4.3.2:compile
[INFO] |  |     |  |  +- org.apache.jena:jena-shaded-guava:jar:4.3.2:compile
[INFO] |  |     |  |  +- org.apache.commons:commons-csv:jar:1.9.0:compile
[INFO] |  |     |  |  +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] |  |     |  |  \- com.github.andrewoma.dexx:collection:jar:0.7:compile
[INFO] |  |     |  +- org.apache.jena:jena-iri:jar:4.3.2:compile
[INFO] |  |     |  \- commons-cli:commons-cli:jar:1.5.0:compile
[INFO] |  |     +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |     |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  |     +- com.github.jsonld-java:jsonld-java:jar:0.13.3:compile
[INFO] |  |     +- com.apicatalog:titanium-json-ld:jar:1.1.0:compile
[INFO] |  |     +- org.glassfish:jakarta.json:jar:2.0.1:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-core:jar:2.13.0:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO] |  |     |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:compile
[INFO] |  |     +- org.apache.httpcomponents:httpclient-cache:jar:4.5.13:compile
[INFO] |  |     +- com.google.protobuf:protobuf-java:jar:3.17.3:compile
[INFO] |  |     \- org.apache.thrift:libthrift:jar:0.15.0:compile
[INFO] |  |        \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  +- org.apache.jena:jena-shex:jar:4.3.2:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:4.3.2:compile
[INFO] |  +- org.apache.jena:jena-tdb2:jar:4.3.2:compile
[INFO] |  |  \- org.apache.jena:jena-dboe-storage:jar:4.3.2:compile
[INFO] |  |     \- org.apache.jena:jena-dboe-trans-data:jar:4.3.2:compile
[INFO] |  |        +- org.apache.jena:jena-dboe-transaction:jar:4.3.2:compile
[INFO] |  |        |  \- org.apache.jena:jena-dboe-base:jar:4.3.2:compile
[INFO] |  |        \- org.apache.jena:jena-dboe-index:jar:4.3.2:compile
[INFO] |  \- org.apache.jena:jena-rdfconnection:jar:4.3.2:compile
[...]

However, this leads to the following errors on mvn compile; it seems as if the code would need to be adapted for usage with the new Jena version.

$ mvn compile
[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------------< lodview:lodview >---------------------------
[INFO] Building lodview 1.2.1-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ lodview ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 8 resources
[INFO] 
[INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @ lodview ---
[INFO] Compiling 14 source files to /home/konrad/projekte/java/lodview/target/classes
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[12,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[13,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[14,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[15,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[16,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[17,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[18,27] error: package com.hp.hpl.jena.util does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[27,9] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[98,57] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[117,8] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[121,22] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[6,37] error: package org.apache.jena.atlas.web.auth does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[7,37] error: package org.apache.jena.atlas.web.auth does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[14,28] error: package com.hp.hpl.jena.graph does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[15,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[16,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[17,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[18,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[19,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[20,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[21,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[22,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[23,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[16,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[17,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[18,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[19,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[20,32] error: package com.hp.hpl.jena.rdf.model does not exist
[...]