
log4j 1.2.17 in mvn dependency:tree, upgrade Jena version #52

Open
KonradHoeffner opened this issue Dec 13, 2021 · 1 comment

Comments


KonradHoeffner commented Dec 13, 2021

LodView has a transitive dependency on log4j 1.2.17 included from Apache Jena 2.13.0, see below.

According to https://logging.apache.org/log4j/1.2/:

A security vulnerability, CVE-2019-17571 has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.

However, it is very important not to use a Jena version that depends on Log4j 2 < 2.15.0, as this suffers from an arguably even worse security vulnerability, see https://logging.apache.org/log4j/2.x/index.html.
The current latest version depends on log4j2 2.14.1. Thus, this current version should not be used:

<dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>4.3.0</version>
    <type>pom</type>
</dependency>

However, according to https://github.com/apache/jena/commits/jena-4.3.1, this seems to be fixed in Jena 4.3.1. Thus I will not create a pull request just yet and recommend waiting until Jena 4.3.1 is officially released and available on Maven Central and then using that if it doesn't break anything.

$ mvn dependency:tree
[...]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ lodview ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:2.13.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:1.1.2:compile
[INFO] |  |  +- org.apache.jena:jena-arq:jar:2.13.0:compile
[INFO] |  |  |  +- org.apache.httpcomponents:httpclient:jar:4.2.6:compile
[INFO] |  |  |  |  +- org.apache.httpcomponents:httpcore:jar:4.2.5:compile
[INFO] |  |  |  |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] |  |  |  +- com.github.jsonld-java:jsonld-java:jar:0.5.1:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.3.3:compile
[INFO] |  |  |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.3.3:compile
[INFO] |  |  |  |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile
[INFO] |  |  |  +- org.apache.httpcomponents:httpclient-cache:jar:4.2.6:compile
[INFO] |  |  |  +- org.apache.thrift:libthrift:jar:0.9.2:compile
[INFO] |  |  |  \- org.apache.commons:commons-csv:jar:1.0:compile
[INFO] |  |  \- org.apache.jena:jena-core:jar:2.13.0:compile
[INFO] |  |     +- org.apache.jena:jena-iri:jar:1.1.2:compile
[INFO] |  |     \- xerces:xercesImpl:jar:2.11.0:compile
[INFO] |  |        \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.1:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.0.7:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.0.7:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.1:provided
[INFO] +- javax.servlet.jsp.jstl:jstl-api:jar:1.2:compile
[INFO] +- org.glassfish.web:jstl-impl:jar:1.2:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.3.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter-integration:jar:1.1.4.RELEASE:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.1.4.RELEASE:compile
[INFO]    |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.7:compile
[INFO]    |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
[INFO]    |  \- org.yaml:snakeyaml:jar:1.13:runtime
[INFO]    +- org.springframework.boot:spring-boot-starter-aop:jar:1.1.4.RELEASE:compile
[INFO]    |  +- org.aspectj:aspectjrt:jar:1.8.1:compile
[INFO]    |  \- org.aspectj:aspectjweaver:jar:1.8.1:compile
[INFO]    +- org.springframework:spring-messaging:jar:4.0.6.RELEASE:compile
[INFO]    +- org.springframework:spring-tx:jar:4.0.6.RELEASE:compile
[INFO]    +- org.springframework.integration:spring-integration-core:jar:4.0.2.RELEASE:compile
[INFO]    |  \- org.springframework.retry:spring-retry:jar:1.1.0.RELEASE:compile
[INFO]    +- org.springframework.integration:spring-integration-file:jar:4.0.2.RELEASE:compile
[INFO]    |  \- commons-io:commons-io:jar:2.4:compile
[INFO]    +- org.springframework.integration:spring-integration-http:jar:4.0.2.RELEASE:compile
[INFO]    |  \- net.java.dev.rome:rome-fetcher:jar:1.0.0:compile
[INFO]    |     +- jdom:jdom:jar:1.0:compile
[INFO]    |     +- net.java.dev.rome:rome:jar:1.0.0:compile
[INFO]    |     \- commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO]    +- org.springframework.integration:spring-integration-ip:jar:4.0.2.RELEASE:compile
[INFO]    \- org.springframework.integration:spring-integration-stream:jar:4.0.2.RELEASE:compile
[INFO] ------------------------------------------------------------------------
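An added example (not from this issue or the LodView project) that applies the checks described in the comment above to `mvn dependency:tree` text output: it flags `log4j:log4j` (Log4j 1, any version) and `org.apache.logging.log4j:log4j-core` below the 2.15.0 threshold named above. The sample tree is constructed from lines in the comment plus two made-up `log4j-core` lines; the regex and the version ordering are this example's own assumptions about the tree format.

```python
import re
from typing import List, Tuple

# One artifact line of `mvn dependency:tree`, e.g. "[INFO] |  \- log4j:log4j:jar:1.2.17:compile".
# Groups: groupId, artifactId, packaging, version, optional scope (the root line has none).
ARTIFACT_RE = re.compile(
    r"^\[INFO\][\s|+\\-]*([\w.\-]+):([\w.\-]+):([\w.\-]+):([\w.\-]+)(?::(\w+))?\s*$"
)

LOG4J1 = ("log4j", "log4j")
LOG4J2_CORE = ("org.apache.logging.log4j", "log4j-core")
MIN_SAFE_LOG4J2 = "2.15.0"  # threshold stated in the issue above

# Constructed sample: real lines from the issue plus two made-up log4j-core entries.
SAMPLE_TREE = """\
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:2.13.0:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.15.0:test
[INFO] \\- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of each dotted component, padded to 3 parts, so 2.14.1 < 2.15.0
    and qualifiers like 4.2.4.RELEASE or 1.0.b2 do not break the comparison."""
    key = []
    for part in re.split(r"[.\-]", version):
        m = re.match(r"\d+", part)
        if not m:
            break
        key.append(int(m.group()))
    while len(key) < 3:
        key.append(0)
    return tuple(key)


def parse_tree(output: str) -> List[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, scope) for every artifact line; skip everything else."""
    found = []
    for line in output.splitlines():
        m = ARTIFACT_RE.match(line)
        if m:
            group, artifact, _packaging, version, scope = m.groups()
            found.append((group, artifact, version, scope or ""))
    return found


def find_vulnerable_log4j(output: str, min_safe_log4j2: str = MIN_SAFE_LOG4J2) -> List[str]:
    """List coordinates that violate the policy from the issue: no Log4j 1, no Log4j 2 below the threshold.
    Bridges such as log4j-over-slf4j and slf4j-log4j12 are not Log4j itself and are left alone."""
    findings = []
    for group, artifact, version, _scope in parse_tree(output):
        coord = f"{group}:{artifact}:{version}"
        if (group, artifact) == LOG4J1:
            findings.append(f"{coord} (Log4j 1 is unmaintained; CVE-2019-17571 will not be fixed)")
        elif (group, artifact) == LOG4J2_CORE and version_key(version) < version_key(min_safe_log4j2):
            findings.append(f"{coord} (Log4j 2 below {min_safe_log4j2})")
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_log4j(SAMPLE_TREE):
        print(finding)
```

Pipe real output through it with `mvn dependency:tree | python3 check_log4j.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.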

KonradHoeffner commented Jan 4, 2022

Jena 4.3.2 is available now:

<dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>4.3.2</version>
    <type>pom</type>
</dependency>

It doesn't list a dependency on log4j anymore:

[...]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ lodview ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:4.3.2:compile
[INFO] |  +- org.apache.jena:jena-shacl:jar:4.3.2:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:4.3.2:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:4.3.2:compile
[INFO] |  |     |  +- org.apache.jena:jena-base:jar:4.3.2:compile
[INFO] |  |     |  |  +- org.apache.jena:jena-shaded-guava:jar:4.3.2:compile
[INFO] |  |     |  |  +- org.apache.commons:commons-csv:jar:1.9.0:compile
[INFO] |  |     |  |  +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] |  |     |  |  \- com.github.andrewoma.dexx:collection:jar:0.7:compile
[INFO] |  |     |  +- org.apache.jena:jena-iri:jar:4.3.2:compile
[INFO] |  |     |  \- commons-cli:commons-cli:jar:1.5.0:compile
[INFO] |  |     +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |     |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  |     +- com.github.jsonld-java:jsonld-java:jar:0.13.3:compile
[INFO] |  |     +- com.apicatalog:titanium-json-ld:jar:1.1.0:compile
[INFO] |  |     +- org.glassfish:jakarta.json:jar:2.0.1:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-core:jar:2.13.0:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO] |  |     |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:compile
[INFO] |  |     +- org.apache.httpcomponents:httpclient-cache:jar:4.5.13:compile
[INFO] |  |     +- com.google.protobuf:protobuf-java:jar:3.17.3:compile
[INFO] |  |     \- org.apache.thrift:libthrift:jar:0.15.0:compile
[INFO] |  |        \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  +- org.apache.jena:jena-shex:jar:4.3.2:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:4.3.2:compile
[INFO] |  +- org.apache.jena:jena-tdb2:jar:4.3.2:compile
[INFO] |  |  \- org.apache.jena:jena-dboe-storage:jar:4.3.2:compile
[INFO] |  |     \- org.apache.jena:jena-dboe-trans-data:jar:4.3.2:compile
[INFO] |  |        +- org.apache.jena:jena-dboe-transaction:jar:4.3.2:compile
[INFO] |  |        |  \- org.apache.jena:jena-dboe-base:jar:4.3.2:compile
[INFO] |  |        \- org.apache.jena:jena-dboe-index:jar:4.3.2:compile
[INFO] |  \- org.apache.jena:jena-rdfconnection:jar:4.3.2:compile
[...]

However, this leads to the following errors on mvn compile; it seems the code would need to be adapted for the new Jena version.

$ mvn compile
[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------------< lodview:lodview >---------------------------
[INFO] Building lodview 1.2.1-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ lodview ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 8 resources
[INFO] 
[INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @ lodview ---
[INFO] Compiling 14 source files to /home/konrad/projekte/java/lodview/target/classes
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[12,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[13,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[14,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[15,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[16,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[17,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[18,27] error: package com.hp.hpl.jena.util does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[27,9] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[98,57] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[117,8] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/bean/OntologyBean.java:[121,22] error: cannot find symbol
[ERROR]  class OntologyBean
/home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[6,37] error: package org.apache.jena.atlas.web.auth does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[7,37] error: package org.apache.jena.atlas.web.auth does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[14,28] error: package com.hp.hpl.jena.graph does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[15,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[16,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[17,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[18,28] error: package com.hp.hpl.jena.query does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[19,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[20,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[21,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[22,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/endpoint/SPARQLEndPoint.java:[23,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[16,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[17,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[18,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[19,32] error: package com.hp.hpl.jena.rdf.model does not exist
[ERROR] /home/konrad/projekte/java/lodview/src/main/java/org/dvcama/lodview/conf/ConfigurationBean.java:[20,32] error: package com.hp.hpl.jena.rdf.model does not exist
[...]

@KonradHoeffner KonradHoeffner changed the title log4j 1.2.17 in mvn dependency:tree log4j 1.2.17 in mvn dependency:tree, upgrade Jena version Jan 4, 2022