I have three projects: ingress-common, ingress-core and ingress, which is the main project.
This is after upgrading the version from 6.8.3 to 8.2.1.
Below is the build.gradle of ingress-core:
// Build script for ingress-core: a plain Java project that depends on commons-lang3,
// the servlet API, Gson, Jersey and the sibling project ingress-common.
apply plugin: "java"
dependencies {
implementation 'org.apache.commons:commons-lang3:3.6'
implementation 'javax.servlet:javax.servlet-api:3.1.0'
implementation 'com.google.code.gson:gson:2.8.9'
// NOTE(review): jersey-hk2 is requested at 2.26 while jersey-container-servlet-core below is 2.35;
// Jersey modules are normally kept on one version - confirm this mix is intended.
implementation 'org.glassfish.jersey.inject:jersey-hk2:2.26'
implementation("org.glassfish.jersey.containers:jersey-container-servlet-core:2.35") {
// NOTE(review): `module:` takes a bare module name, but this value is a full
// group:name:version coordinate, so the exclude most likely matches nothing.
// The usual form is `exclude group: 'org.glassfish.hk2.external', module: 'jakarta.inject'`;
// compare the resolved dependency graph before and after changing it.
exclude module: "org.glassfish.hk2.external:jakarta.inject:2.6.1"
}
// Dependent projects
// NOTE(review): this script declares no log4j artifact itself, and ingress-common declares log4j
// under `implementation`, which keeps it off the compile classpath of consuming projects.
// If ingress-core's own sources import log4j classes, declare log4j-api here or expose it from
// ingress-common through the java-library plugin's `api` configuration - TODO confirm against
// the actual build error, which is not shown.
implementation project(':ingress-common')
testImplementation 'org.slf4j:slf4j-api:1.7.21'
testImplementation 'org.mockito:mockito-core:3.8.0'
// Mitigation for CVE-2021-44228 (marked temporary by the author): every requested artifact
// in group org.apache.logging.log4j is resolved at 2.17.1.
// https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
// The rule only rewrites the version of log4j modules that something already requests
// (directly or transitively) in this project's configurations; it does not add log4j to a classpath.
// NOTE(review): the same rule is copied into ingress-common's script; a project without its own
// copy is not covered, so consider defining it once for all projects in the root build.
// `gradle :ingress-core:dependencyInsight --dependency log4j-core --configuration runtimeClasspath`
// shows which version is actually resolved.
// NOTE(review): configurations.all is a project-level call; it is conventionally written at the
// top level of the script rather than inside dependencies { }.
configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details ->
if (details.requested.group == 'org.apache.logging.log4j') {
details.useVersion '2.17.1'
}
}
}
}
And below is the build.gradle of ingress-common:
// Project name: ingress-common
// Build script for the shared library project that ingress-core consumes via project(':ingress-common').
apply plugin: 'java'
dependencies {
implementation 'com.google.guava:guava:30.0-jre'
implementation 'commons-io:commons-io:2.7'
implementation('org.apache.commons:commons-lang3:3.6') {
// NOTE(review): presumably commons-lang3 has no dependency on commons-io, in which case
// this exclude has no effect - verify with the dependencies report.
exclude module: 'commons-io'
}
implementation 'com.cloudant:cloudant-client:2.19.1'
implementation 'com.google.code.gson:gson:2.8.9'
implementation 'com.fasterxml.jackson.core:jackson-databind:2.12.6.1'
implementation("javax.ws.rs:javax.ws.rs-api:2.1") {
// NOTE(review): likely a no-op as well unless javax.ws.rs-api pulls in jackson-databind - verify.
exclude module: 'jackson-databind'
}
implementation 'org.apache.httpcomponents:httpclient:4.5.13'
// log4j is declared directly at 2.17.1, the same version the resolution rule below enforces.
// NOTE(review): with the plain `java` plugin and `implementation`, these artifacts reach consuming
// projects at runtime only. If ingress-core compiles against log4j types, either declare log4j-api
// there or switch this project to the java-library plugin and declare log4j-api as `api` -
// TODO confirm against the actual build error.
implementation 'org.apache.logging.log4j:log4j-api:2.17.1'
implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
implementation 'com.rapid7:r7insight_java:3.0.15'
// The commons-compress that poi-ooxml would bring in is excluded and replaced by the
// explicitly declared 1.21 below.
implementation("org.apache.poi:poi-ooxml:4.1.1") {
exclude module: 'commons-compress'
}
implementation 'org.apache.commons:commons-compress:1.21' // Added to fix AppScan vulnerability
implementation 'com.sendgrid:sendgrid-java:4.4.8'
// NOTE(review): XStream turns XML into Java objects; wherever it reads XML that originates outside
// the application, confirm an explicit type allowlist (XStream's security framework) is configured.
implementation 'com.thoughtworks.xstream:xstream:1.4.18'
implementation 'javax.xml.bind:jaxb-api:2.3.1'
testImplementation 'org.slf4j:slf4j-api:1.7.21'
testImplementation 'org.mockito:mockito-core:3.8.0'
// Mitigation for CVE-2021-44228 (marked temporary by the author): every requested artifact
// in group org.apache.logging.log4j is resolved at 2.17.1, including transitive requests
// from the other libraries declared above.
// https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
// NOTE(review): the rule applies to this project's configurations only and is duplicated in
// ingress-core's script; defining it once in the root build for all projects avoids a project
// being missed. Check the result with
// `gradle :ingress-common:dependencyInsight --dependency log4j-core --configuration runtimeClasspath`.
// NOTE(review): configurations.all is a project-level call; it is conventionally written at the
// top level of the script rather than inside dependencies { }.
configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details ->
if (details.requested.group == 'org.apache.logging.log4j') {
details.useVersion '2.17.1'
}
}
}
}
While running the gradle build, I am facing issues with the log4j dependency in ingress-core.
Can someone please let me know if I am missing something in linking the projects?