Closed yaauie closed 2 years ago
Observe that log4j-core only appears in test:
------------------------------------------------------------
Root project
------------------------------------------------------------
apiElements - API elements for main. (n)
No dependencies
archives - Configuration for archive artifacts.
No dependencies
compile - Dependencies for source set 'main' (deprecated, use 'implementation ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
compileClasspath - Compile classpath for source set 'main'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
compileOnly - Compile only dependencies for source set 'main'.
No dependencies
default - Configuration for default artifacts.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
implementation - Implementation only dependencies for source set 'main'. (n)
No dependencies
runtime - Runtime dependencies for source set 'main' (deprecated, use 'runtimeOnly ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
runtimeElements - Elements of runtime for main. (n)
No dependencies
runtimeOnly - Runtime only dependencies for source set 'main'. (n)
No dependencies
shadow
No dependencies
testCompile - Dependencies for source set 'test' (deprecated, use 'testImplementation ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
testCompileClasspath - Compile classpath for source set 'test'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
+--- org.apache.logging.log4j:log4j-api:2.16.0
\--- org.apache.logging.log4j:log4j-core:2.16.0
\--- org.apache.logging.log4j:log4j-api:2.16.0
testCompileOnly - Compile only dependencies for source set 'test'.
No dependencies
testImplementation - Implementation only dependencies for source set 'test'. (n)
\--- org.apache.logging.log4j:log4j-core:2.16.0 (n)
testRuntime - Runtime dependencies for source set 'test' (deprecated, use 'testRuntimeOnly ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
+--- org.apache.logging.log4j:log4j-api:2.16.0
\--- org.apache.logging.log4j:log4j-core:2.16.0
\--- org.apache.logging.log4j:log4j-api:2.16.0
testRuntimeOnly - Runtime only dependencies for source set 'test'. (n)
No dependencies
(*) - dependencies omitted (listed previously)
(n) - Not resolved (configuration is not meant to be resolved)
And that the generated jar dependency does not contain log4j-core:
╭─{ yaauie@limbo:~/src/elastic/logstash-plugins/logstash-input-tcp (✔ 5.x-log4j) }
╰─● unzip -l vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.2.4/logstash-input-tcp-5.2.4.jar | grep log4j-
0 12-15-2021 10:13 META-INF/maven/org.apache.logging.log4j/log4j-api/
14045 12-12-2021 23:40 META-INF/maven/org.apache.logging.log4j/log4j-api/pom.xml
100 12-12-2021 23:40 META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties
[success]
Build failure is due to an open dependency on logstash-devutils; I'm working to mitigate by pinning to the minor release of that dependency that was current when this branch was last used.
By making our runtime rely only on log4j-api, we ensure that our distributed artifacts don't include log4j-core, and eliminate a potential duplicate from appearing on the classpath.
Due to the way Logstash works, its own log4j-core is already loaded before plugins are loaded, so the presence of log4j-core in this plugin isn't a problem in and of itself, but can cause scanners to emit false-positives.
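The `unzip -l ... | grep log4j-` check above, written out as a small scanner for the artifact-hygiene point this PR makes (added here as an illustration, not code from the PR or the logstash-input-tcp project): it reads Maven `pom.properties` entries to report the artifactId and version, falls back to `org/apache/logging/log4j/core/` class entries when metadata was stripped, and descends into nested jars. The two jars it scans are constructed in memory; `build_jar`, `CLEAN_JAR` and `NESTED_JAR` are assumptions for the demo.

```python
import io
import zipfile

LOG4J_GROUP = "org.apache.logging.log4j"


def parse_pom_properties(data: bytes) -> dict:
    """Parse Maven's pom.properties (key=value lines, '#' comments)."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def scan_jar(data: bytes, prefix: str = "") -> dict:
    """Return {artifactId: [(path, version), ...]} for log4j artifacts found,
    descending into nested .jar entries (shaded / uber jars)."""
    found: dict = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(f"META-INF/maven/{LOG4J_GROUP}/") and name.endswith("pom.properties"):
                props = parse_pom_properties(zf.read(name))
                artifact = props.get("artifactId", name.split("/")[3])
                found.setdefault(artifact, []).append((prefix + name, props.get("version", "?")))
            elif name.startswith("org/apache/logging/log4j/core/") and name.endswith(".class"):
                # Classes survive even when a repackager dropped the Maven metadata.
                found.setdefault("log4j-core", []).append((prefix + name, "?"))
            elif name.endswith(".jar"):
                for artifact, hits in scan_jar(zf.read(name), prefix + name + "!/").items():
                    found.setdefault(artifact, []).extend(hits)
    return found


def bundles_log4j_core(data: bytes) -> bool:
    """True when the artifact ships log4j-core itself, not just log4j-api."""
    return "log4j-core" in scan_jar(data)


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory jar (zip) for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


API_PROPS = b"#Generated\nversion=2.16.0\ngroupId=org.apache.logging.log4j\nartifactId=log4j-api\n"
CORE_PROPS = API_PROPS.replace(b"log4j-api", b"log4j-core")
# Constructed: mirrors the plugin jar above, where only log4j-api metadata is bundled.
CLEAN_JAR = build_jar({f"META-INF/maven/{LOG4J_GROUP}/log4j-api/pom.properties": API_PROPS})
# Constructed: a shaded build that also pulls in log4j-core, nested one level down.
NESTED_JAR = build_jar({"lib/log4j-core-2.16.0.jar": build_jar({
    f"META-INF/maven/{LOG4J_GROUP}/log4j-core/pom.properties": CORE_PROPS,
    "org/apache/logging/log4j/core/Core.class": b"\xca\xfe\xba\xbe"})})
```

Running `scan_jar` over the plugin's `vendor/jar-dependencies` output and failing the build when `bundles_log4j_core` is true turns the manual check into a CI gate.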