Following the news about the Log4J2 vulnerability and Cédric's tweet https://twitter.com/CedricChampeau/status/1469608906196410368, I tried to apply constraints to my Gradle script.
I added the following:
    constraints {
        add("implementation", "org.apache.logging.log4j:log4j-core") {
            version {
                strictly("[2.15")
                prefer("2.15.0")
            }
            because("CVE-2021-44228 Log4j 2 Vulnerability")
        }
    }
Also, I have the following to use log4j through slf4j:

    implementation "org.slf4j:slf4j-api:1.7.32"
    implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.15.0"
    implementation "org.slf4j:jul-to-slf4j:1.7.32"
    implementation "org.slf4j:jcl-over-slf4j:1.7.32"

(all other possible dependencies on log4j could only come in through a transitive dependency)

Unfortunately I don't see any effect of the constraint, and I'm trying to understand what I'm doing wrong:
    $ gradle dependencyInsight --dependency org.apache.logging.log4j

    > Task :dependencyInsight
    org.apache.logging.log4j:log4j-api:2.13.3
      variant "compile" [
        org.gradle.status              = release (not requested)
        org.gradle.usage               = java-api
        org.gradle.libraryelements     = jar (compatible with: classes+resources)
        org.gradle.category            = library

        Requested attributes not found in the selected variant:
          org.gradle.dependency.bundling = external
          org.gradle.jvm.environment     = standard-jvm
          org.jetbrains.kotlin.platform.type = jvm
          org.gradle.jvm.version         = 13
      ]
      Selection reasons:
        - Selected by rule
        - By constraint : CVE-2021-44228 Log4j 2 Vulnerability

    org.apache.logging.log4j:log4j-api:{strictly [2.15; prefer 2.15.0} -> 2.13.3
    \--- compileClasspath

    org.apache.logging.log4j:log4j-api:2.15.0 -> 2.13.3
    \--- org.apache.logging.log4j:log4j-slf4j-impl:2.15.0
         \--- compileClasspath

    org.apache.logging.log4j:log4j-slf4j-impl:2.15.0 (selected by rule)
      variant "compile" [
        org.gradle.status              = release (not requested)
        org.gradle.usage               = java-api
        org.gradle.libraryelements     = jar (compatible with: classes+resources)
        org.gradle.category            = library

        Requested attributes not found in the selected variant:
          org.gradle.dependency.bundling = external
          org.gradle.jvm.environment     = standard-jvm
          org.jetbrains.kotlin.platform.type = jvm
          org.gradle.jvm.version         = 13
      ]

    org.apache.logging.log4j:log4j-slf4j-impl:2.15.0
    \--- compileClasspath
It seems that Gradle just ignores the constraint rules, though it definitely sees them. Tried with Gradle 6.9 and Gradle 7.2.
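As an added example, not the original poster's build script, here is the constraint written in the bounded-range form that the Gradle documentation uses for version constraints, applied to each of the log4j modules that appear in the output above rather than only to log4j-core (a constraint only affects the module it names, which is why constraining log4j-core says nothing about log4j-api). The module coordinates and the CVE reason come from the post; the range "[2.15, 3[", the choice to constrain all three modules, and the `checkLog4jVersion` verification task are assumptions of this example. The `Selected by rule` reason in the output is also worth checking separately: dependencyInsight typically prints it when a resolution rule (`resolutionStrategy.eachDependency`, `dependencySubstitution`, or a plugin that registers one) rewrote the request, and such a rule can pick a version independently of the declared constraints, so grep the build and applied plugins for `resolutionStrategy`.

```groovy
// Added example (Gradle Groovy DSL); not the code from the original post.
// Coordinates and CVE reason are from the post; the bounded range and the
// verification task are assumptions of this example.
dependencies {
    constraints {
        // A constraint only applies to the module it names, so name each one
        // that can reach the classpath, not just log4j-core.
        ['log4j-core', 'log4j-api', 'log4j-slf4j-impl'].each { module ->
            implementation("org.apache.logging.log4j:${module}") {
                version {
                    strictly("[2.15, 3[")   // reject anything below 2.15 (and any 3.x)
                    prefer("2.15.0")        // choose this one when nothing else requires higher
                }
                because("CVE-2021-44228 Log4j 2 Vulnerability")
            }
        }
    }
}

// Numeric, segment-wise "is version a older than version b" helper (assumed;
// avoids the deprecated org.gradle.util.VersionNumber). Non-numeric
// segments such as "rc1" count as 0.
def below = { String actual, String minimum ->
    def a = actual.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def m = minimum.tokenize('.').collect { it.toInteger() }
    for (int i = 0; i < Math.max(a.size(), m.size()); i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < m.size() ? m[i] : 0
        if (x != y) return x < y
    }
    return false
}

// Verification task: fail the build if any org.apache.logging.log4j module
// resolves below 2.15.0 on the runtime classpath. This checks the resolved
// graph (what actually ships), not the requested versions.
tasks.register('checkLog4jVersion') {
    doLast {
        def offenders = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'org.apache.logging.log4j' && below(it.version, '2.15.0') }
        if (offenders) {
            throw new GradleException("log4j below 2.15.0 on runtimeClasspath: ${offenders}")
        }
        println "checkLog4jVersion: no org.apache.logging.log4j module below 2.15.0 on runtimeClasspath"
    }
}
```

Run `gradle checkLog4jVersion` after the constraint change, and inspect the runtime graph specifically with `gradle dependencyInsight --configuration runtimeClasspath --dependency log4j-api`, since the post's output shows `compileClasspath` only and the runtime graph is the one that matters for the vulnerability.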