Fix log4j dependencies considering the CVE-2021-44228 vulnerability in Qanary components

[anbo-de]

Context

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228 is a critical vulnerability. We need to update the Qanary components.

I suggest use the following process:

1. git clone git@github.com:WDAqua/Qanary.git
2. Build and install: mvn clean install -Ddockerfile.skip=true
3. git clone git@github.com:WDAqua/Qanary-question-answering-components.git
4. update pom.xml according to the changes done for the DBpedia NED Spotlight component
   • update the version of the component (increase patch level +1)
   • update the Qanary dependency: <qanary.version>[2.1.1,3.0.0)</qanary.version>
   • add new safe dependency to log4j:

     <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-to-slf4j</artifactId>
         <version>[2.15.0,3.)</version>
                 <exclusions>
                     <exclusion>
                         <groupId>org.apache.logging.log4j</groupId>
                         <artifactId>log4j-api</artifactId>
                     </exclusion>
                 </exclusions>
     </dependency>       

   • check which dependencies refer to a vulnerable log4j version
   • use mvn dependency:tree to see all dependencies (search for log4j)
   • for the identified dependencies, add exclude rules to the pom.xml (like here)

         <exclusions>
             <exclusion>
                 <groupId>org.slf4j</groupId>
                 <artifactId>slf4j-log4j12</artifactId>
             </exclusion>
             <exclusion>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-to-slf4j</artifactId>
             </exclusion>
             <exclusion>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-api</artifactId>
             </exclusion>
             <exclusion>
                 <groupId>log4j</groupId>
                 <artifactId>log4j</artifactId>
             </exclusion>
             <exclusion>
                 <groupId>org.slf4j</groupId>
                 <artifactId>slf4j-log4j12</artifactId>
             </exclusion>
         </exclusions>           

   • run mvn dependency:tree | grep 'log4j'
   • it should show only log4j with version 2.15.0 or higher
5. Please commit with a commit message referring to the Qanary component and the CVE, e.g.:
   • $QanaryComponentName$: fix of critical log4j bug (CVE-2021-44228) #120

Definition of Done (DoD)

• [x] qanary_component-ASR-kaldi: log4j dependencies were updated
• [x] qanary_component-CLS-CLSNLIOD: log4j dependencies were updated
• [x] qanary_component-LD-Shuyo: log4j dependencies were updated
• [x] qanary_component-NED-AGDISTIS: log4j dependencies were updated
• [x] qanary_component-NED-Ambiverse: log4j dependencies were updated
• [x] qanary_component-NED-Aylien: log4j dependencies were updated
• [x] qanary_component-NED-Babelfy: log4j dependencies were updated
• [x] qanary_component-NED-Dandelion: log4j dependencies were updated
• [x] qanary_component-NED-DBpedia-Spotlight: log4j dependencies were updated
• [x] qanary_component-NED-MeaningCloud: log4j dependencies were updated
• [x] qanary_component-NED-Ontotext: log4j dependencies were updated
• [x] qanary_component-ned-opentapioca: log4j dependencies were updated
• [x] qanary_component-NED-tagme: log4j dependencies were updated
• [x] qanary_component-NER-ambiverse: log4j dependencies were updated
• [x] qanary_component-NER-Aylien: log4j dependencies were updated
• [x] qanary_component-NER-Babelfy: log4j dependencies were updated
• [x] qanary_component-NER-ComicCharacterNameSimpleNamedEntityRecog: log4j dependencies were updated
• [x] qanary_component-NERD-Alchemy: log4j dependencies were updated
• [x] qanary_component-NER-Dandelion: log4j dependencies were updated
• [x] qanary_component-NER-DBpedia-Spotlight: log4j dependencies were updated
• [x] qanary_component-NERD-Lucene-Linker: log4j dependencies were updated
• [x] qanary_component-NER-EntityClassifier: log4j dependencies were updated
• [x] qanary_component-NER-EntityClassifier2: log4j dependencies were updated
• [x] qanary_component-NER-FOX: log4j dependencies were updated
• [x] qanary_component-NER-MeaningCloud: log4j dependencies were updated
• [x] qanary_component-NER-Ontotext: log4j dependencies were updated
• [x] qanary_component-NER-stanford: log4j dependencies were updated
• [x] qanary_component-NER-tagme: log4j dependencies were updated
• [x] qanary_component-NER-TextRazor: log4j dependencies were updated
• [x] qanary_component-Python-MT-Helsinki-NLP: log4j dependencies were updated
• [x] qanary_component-Python-QA-Interface: log4j dependencies were updated
• [x] qanary_component-Python-QC-EAT-classifier: log4j dependencies were updated
• [x] qanary_component-qb-birthdata-wikidata: log4j dependencies were updated
• [x] qanary_component-QB-ComicCharacterAlterEgoSimpleDBpediaQueryBuilder: log4j dependencies were updated
• [x] qanary_component-QBE-QAnswer: log4j dependencies were updated
• [x] qanary_component-QB-SimpleRealNameOfSuperHero: log4j dependencies were updated
• [x] qanary_component-QB-Sina: log4j dependencies were updated
• [x] qanary_component-QC-EAT-classifier: log4j dependencies were updated
• [x] qanary_component-QE-SparqlExecuter: log4j dependencies were updated
• [x] qanary_component-qe-wikidata: log4j dependencies were updated
• [x] qanary_component-REL-RelationLinker1: log4j dependencies were updated
• [x] qanary_component-REL-RelationLinker2: log4j dependencies were updated
• [x] qanary_component-REL-RELNLIOD: log4j dependencies were updated
• [x] qanary_component-REL-ReMatch: log4j dependencies were updated
• [x] qanary_component-smaph-erd: log4j dependencies were updated
• [x] qanary_component-TGMM: log4j dependencies were updated
• [x] qanary_docker-compose-writer: log4j dependencies were updated
• [x] qanary_monolitic-wrapper: log4j dependencies were updated
• [x] qa.qanary_component-AnnotationofSpotClass-tgm: log4j dependencies were updated
• [x] qa.qanary_component-AnnotationofSpotProperty-tgm: log4j dependencies were updated
• [x] qa.qanary_component-DiambiguationClass-OKBQA: log4j dependencies were updated
• [x] qa.qanary_component-DiambiguationProperty-OKBQA: log4j dependencies were updated
• [x] qa.qanary_component-QueryBuilder: log4j dependencies were updated

[Wutras]

Unpushed commits from local repository that will be pushed once I have the correct access rights: 436afd3 (HEAD -> master) monolithic-wrapper: fix of critical log4j bug (CVE-2021-44228) #120 b19778b smaph-erd: fix of critical log4j bug (CVE-2021-44228) #120 99911a7 REL-ReMatch: fix of critical log4j bug (CVE-2021-44228) #120 c407cd8 REL-RELNLIOD: fix of critical log4j bug (CVE-2021-44228) #120 3e43d58 REL-RelationLinker2: fix of critical log4j bug (CVE-2021-44228) #120 7c8f92f REL-RelationLinker1: fix of critical log4j bug (CVE-2021-44228) #120 1eb5442 qe-wikidata: fix of critical log4j bug (CVE-2021-44228) #120 534518a QE-SparqlExecuter: fix of critical log4j bug (CVE-2021-44228) #120 d110b73 QBE-QAnswer: fix of critical log4j bug (CVE-2021-44228) #120 aa8fcb9 qanary_component-QB-Sina: fix of critical log4j bug (CVE-2021-44228) #120 173fc8c qanary_component-QB-SimpleRealNameOfSuperHero: fix of critical log4j bug (CVE-2021-44228) #120 8f88a2e qanary_component-QB-ComicCharacterAlterEgoSimpleDBpediaQueryBuilder: fix of critical log4j bug (CVE-2021-44228) #120 d3bf7fd qanary_component-qb-birthdata-wikidata: fix of critical log4j bug (CVE-2021-44228) #120

[anbo-de]

Done in really short time. Thank you all for your contributions.