mvn install fails in an environment that blocks log4j:2.15.0 & its dependencies from downloading due to security vulnerabilities #1375

Closed
tiru67 opened this issue Aug 16, 2023 · 5 comments
Labels
bug Something isn't working priority:2 High - core feature or affects 60% of the users

Comments


tiru67 commented Aug 16, 2023

mvn install fails in an environment that blocks log4j:2.15.0 dependencies from downloading due to security vulnerabilities.

Q: What were you trying to accomplish?
A: I am trying to setup my local environment for contribution.

Expected Behavior

mvn install -DskipTests should succeed

Current Behavior

Build Failure
Powertools for AWS Lambda (Java) library Examples - Core FAILURE

Possible Solution

Upgrade

<groupId>com.github.edwgiz</groupId>
<artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
<version>2.15</version>

with

<groupId>io.github.edwgiz</groupId>
<artifactId>log4j-maven-shade-plugin-extensions</artifactId>
<version>2.17.2</version>

in

examples/powertools-examples-batch/pom.xml
examples/powertools-examples-cloudformation/pom.xml
examples/powertools-examples-core/cdk/app/pom.xml
examples/powertools-examples-core/sam/pom.xml
examples/powertools-examples-idempotency/pom.xml
examples/powertools-examples-sqs/pom.xml

Steps to Reproduce (for bugs)

  1. Setup a firewall that blocks maven-shade-plugin.log4j2-cachefile-transformer version 2.15 and its dependencies
  2. mvn install -DskipTests

Environment

  • Powertools for AWS Lambda (Java) version used: 1.17.0-SNAPSHOT
  • Packaging format (Layers, Maven/Gradle): Maven
  • AWS Lambda function runtime:
  • Debugging logs

How to enable debug mode

# paste logs here
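As an added example (not code from the issue or from the Powertools project), a small Python script that locates the old `com.github.edwgiz` transformer dependency in a pom.xml and rewrites it to the replacement coordinates given above; the sample pom is constructed and stands in for the files listed in the issue.

```python
"""Find the maven-shade-plugin transformer dependency that drags in log4j 2.15.0
and rewrite it to the replacement coordinates named in this issue."""
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": MAVEN_NS}
# Coordinates taken from the issue: the old transformer dependency and its replacement.
OLD = ("com.github.edwgiz", "maven-shade-plugin.log4j2-cachefile-transformer")
NEW = ("io.github.edwgiz", "log4j-maven-shade-plugin-extensions", "2.17.2")

def _text(dep, tag):
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else ""

def find_old_transformer(pom_xml):
    """Return (groupId, artifactId, version) for every OLD dependency, wherever
    it sits in the pom (plugin-level dependencies included)."""
    root = ET.fromstring(pom_xml)
    return [(_text(d, "groupId"), _text(d, "artifactId"), _text(d, "version"))
            for d in root.iter(f"{{{MAVEN_NS}}}dependency")
            if (_text(d, "groupId"), _text(d, "artifactId")) == OLD]

def upgrade_transformer(pom_xml):
    """Rewrite every OLD dependency to NEW; return (new_xml, number_rewritten)."""
    ET.register_namespace("", MAVEN_NS)  # keep the default Maven namespace on output
    root = ET.fromstring(pom_xml)
    count = 0
    for dep in root.iter(f"{{{MAVEN_NS}}}dependency"):
        if (_text(dep, "groupId"), _text(dep, "artifactId")) == OLD:
            dep.find("m:groupId", NS).text = NEW[0]
            dep.find("m:artifactId", NS).text = NEW[1]
            ver = dep.find("m:version", NS)
            if ver is None:  # no explicit version: pin one instead of inheriting
                ver = ET.SubElement(dep, f"{{{MAVEN_NS}}}version")
            ver.text = NEW[2]
            count += 1
    return ET.tostring(root, encoding="unicode"), count

# Constructed sample pom (not one of the repo's files): shade plugin wired to the old transformer.
SAMPLE_POM = f"""<project xmlns="{MAVEN_NS}">
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <dependencies><dependency>
      <groupId>com.github.edwgiz</groupId>
      <artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
      <version>2.15</version>
    </dependency></dependencies>
  </plugin></plugins></build>
</project>"""
```

Run it over each pom listed above and review the diff before committing: it only swaps the dependency coordinates and does not touch the transformer's own configuration block.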
@scottgerring

Hey @tiru67, thanks for reporting. I'll check this out shortly.

@scottgerring

Hey @tiru67, this is a good catch, thanks. The log4j dep is pushed by a transient dep from the shade plugin. I have rolled the plugin forward in #1376; waiting for a review from one of the other maintainers. In the meantime, you should be able to pull from this branch and get started!

@scottgerring scottgerring added priority:2 High - core feature or affects 60% of the users and removed triage labels Aug 17, 2023
@scottgerring scottgerring moved this from Working on it to Pending review in Powertools for AWS Lambda (Java) Aug 17, 2023
@tiru67

tiru67 commented Aug 17, 2023

Thanks @scottgerring!

@scottgerring

The dependency is used during the build phase for shading, and from what I can see shouldn't result in a build of the examples including an impacted version of log4j only.

@scottgerring

This is merged to main.

Projects
Status: Shipped