如何在SBT中排除log4j脆弱的传递依赖?

6vl6ewon  于 2023-11-18  发布在  其他
关注(0)|答案(1)|浏览(149)

如何从build.sbt中的所有依赖项中排除log4j 1.2.17漏洞
我们正在使用基于Sbt(0.13.11)的Play框架应用程序,如附件中提到的配置,我们希望排除与易受攻击的log4j 1.2.17相关的依赖关系。

name := """xxxx"""

version := "1.0"

lazy val playCommonDI = (project in file("./modules/play-common-di")).enablePlugins(PlayJava)
lazy val libsf = (project in file("libsf"))

lazy val root = (project in file("."))
  .enablePlugins(PlayJava, PlayEbean, SbtWeb)
  .aggregate(playCommonDI, libsf)
  .dependsOn(playCommonDI, libsf)

scalaVersion := "2.11.7"

scalacOptions := Seq("-feature", "-unchecked", "-deprecation", "-encoding", "utf8")

resolvers += Resolver.url("Objectify Play Repository", url("http://deadbolt.ws/releases/"))(Resolver.ivyStylePatterns)

resolvers += "(Plugins) Project Maven Repo" at "file://" + file(".").getCanonicalPath + "/local-repo/maven/"

val junitVersion = "5.4.0"

val apachePOIVersion = "4.1.2"
val apachePOIDependencies = Seq(
  "org.apache.poi" % "poi-ooxml" % apachePOIVersion,
  "org.apache.poi" % "poi" % apachePOIVersion,
  "org.apache.poi" % "poi-ooxml-schemas" % apachePOIVersion
)
libraryDependencies ++= apachePOIDependencies
libraryDependencies ++= Seq(
  javaJdbc,
  cache,
  javaWs,
  filters,

  // Tests
  "org.junit.platform" % "junit-platform-launcher" % "1.4.0" % Test,
  "org.junit.jupiter" % "junit-jupiter-engine" % junitVersion % Test,
  "org.junit.jupiter" % "junit-jupiter-params" % junitVersion % Test,
  "org.junit.jupiter" % "junit-jupiter-api" % junitVersion % Test,

  "org.dhatim" % "fastexcel" % "0.12.15",

  "com.akamai" % "edgeauth" % "0.2.0",

  "org.mockito" % "mockito-core" % "2.23.4" % Test,
  "org.mockito" % "mockito-junit-jupiter" % "2.23.4" % Test,

  "net.aichler" % "jupiter-interface" % JupiterKeys.jupiterVersion.value % Test,
  "org.jacoco" % "org.jacoco.core" % "0.8.3",

  "org.testcontainers" % "testcontainers" % "1.9.1" % Test,
  "org.testcontainers" % "jdbc" % "1.9.1" % Test,
  "org.testcontainers" % "mysql" % "1.9.1" % Test,

  "mysql" % "mysql-connector-java" % "5.1.31",
  "org.apache.commons" % "commons-lang3" % "3.3.2",
  "commons-validator" % "commons-validator" % "1.4.0",
  "com.thoughtworks.xstream" % "xstream" % "1.4.4",
  "be.objectify" %% "deadbolt-java" % "2.5.6",
  "org.ocpsoft.prettytime"%"prettytime"%"3.2.5.Final",

  "dom4j" % "dom4j" % "1.6.1",
  "net.logstash.logback" % "logstash-logback-encoder" % "4.11",
  "org.apache.commons" % "commons-math3" % "3.5",
  "org.redisson" % "redisson" % "2.6.0",
  "org.atmosphere" % "atmosphere-play" % "2.3.0",
  "org.atmosphere" % "wasync" % "2.1.4",
  "com.hazelcast" % "hazelcast" % "3.4.2",
  "com.hazelcast" % "hazelcast-cloud" % "3.4.2",
  "org.elasticsearch" % "elasticsearch" % "1.5.0",
  "org.apache.commons" % "commons-exec" % "1.3",
  "net.htmlparser.jericho" % "jericho-html" % "3.4",
  "org.apache.commons" % "commons-csv" % "1.2",
  "com.itextpdf" % "itextpdf" % "5.5.11",
  "com.itextpdf.tool" % "xmlworker" % "5.5.11",
  "com.hierynomus" % "sshj" % "0.21.1",
  "com.onelogin" % "java-saml" % "2.0.1",
  "com.rusticisoftware" % "tincan" % "1.1.0",
  
  "com.tokbox" % "opentok-server-sdk" % "4.3.0" excludeAll(
    ExclusionRule(organization = "org.asynchttpclient")
  ),
  "org.bitbucket.b_c" % "jose4j" % "0.6.4",
  
  "com.pusher" % "pusher-http-java" % "1.0.0",
  "com.typesafe.akka" % "akka-remote_2.11" % "2.4.17",
  "org.bouncycastle" % "bcprov-jdk15on" % "1.56",

  "org.flywaydb" %% "flyway-play" % "3.2.0",

  "org.togglz" % "togglz-core" % "2.6.1.Final",
  "org.togglz" % "togglz-console" % "2.6.1.Final",
  "org.togglz" % "togglz-testing" % "2.6.1.Final" % Test,
  "org.togglz" % "togglz-junit" % "2.6.1.Final" % Test,

  "com.twilio.sdk" % "twilio" % "7.32.0",

  "com.google.inject.extensions" % "guice-multibindings" % "4.0"
)

dependencyOverrides += "net.bytebuddy" % "byte-buddy" % "1.9.3"
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-core" % "2.9.9"
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9.1"
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-annotations" % "2.9.9"

parallelExecution in Global := false

routesGenerator := InjectedRoutesGenerator

//API Documentation
sources in (Compile, doc) := Seq.empty

publishArtifact in (Compile, packageDoc) := false

//CSS assets
includeFilter in (Assets, LessKeys.less) := "*.less"

excludeFilter in (Assets, LessKeys.less) := "_*.less"

LessKeys.compress in Assets := true

//JSHint
JsEngineKeys.engineType := JsEngineKeys.EngineType.Node

//Digest
pipelineStages := Seq(uglify, digest, gzip)

//Exclude documentation in dist
doc in Compile <<= target.map(_ / "none")

//SBT + Scala + idea support required (2.12?): Keys.javacOptions ++= Seq("-source", "1.8", "-target", "1.8", "-Xlint:unchecked")
Keys.javacOptions += "-Xlint:deprecation"

Keys.javacOptions += "-Xlint:unchecked"

// Enable testes to run in it's own VM
Keys.fork in Test := true

ivyConfiguration ~= { originalIvyConfiguration =>
  val config = originalIvyConfiguration.asInstanceOf[InlineIvyConfiguration]
  val ivyHome = file(Path.userHome.absolutePath+"/ivy2_sbt-plugin-2.5.14")
  val ivyPaths = new IvyPaths(config.paths.baseDirectory, Some(ivyHome))
  new InlineIvyConfiguration(ivyPaths, config.resolvers, config.otherResolvers,
    config.moduleConfigurations, config.localOnly, config.lock,
    config.checksums, config.resolutionCacheDir, config.log)
}

jacocoReportSettings in Test := JacocoReportSettings().withTitle("xxxx Report")

字符串
正如在构建文件中提到的,我们试图提到正确的log4j 2.17,似乎默认的log4j 1.2.17没有被新版本的log4j取代。
你能帮帮我们吗?

nnvyjq4y

nnvyjq4y1#

排除log4j 1.2的问题是log4j 2并没有取代它。这就是为什么在log4j 2上添加依赖项不起作用。它们是完全不同的库。它们有不同的工件ID(log4j 1.2可以在log4j:log4j中找到,而log4j 2使用org.apache.logging.log4j:log4j-api),它们使用不同的Java包名称(log4j 1.2使用org.apache.log4j,而log4j 2使用org.apache.logging.log4j)。它们只是碰巧在名称中都有log4j一词,但从构建工具/依赖管理器的Angular 来看,它们没有任何共同之处,所以当你告诉你的构建使用log4j 2时,构建工具并不知道该包与log4j 1有任何关系,并将两者都保留在依赖项中。
很明显,它是由你的某个依赖项引入的。如果你排除它,很可能,引入它的依赖项将停止工作,因为当它加载时,它将尝试加载log4j 1.2 API,而这将不在类路径上,因此它将失败,并出现class not found错误。
解决方法是使用reload4j。这提供了log4j 1.2 API的二进制兼容实现,但修复了主要的安全漏洞。
要做到这一点,你需要确定你的哪些依赖于log4j 1.2。你可以使用sbt依赖树插件来做到这一点,关于如何使用这个插件的教程可以在here找到。
然后,从这些依赖项中排除log4j传递依赖项,如此处所述。
最后,您可以将reload 4j作为依赖项添加到项目中。
比这一切更好的是更新你的项目,停止使用非常旧的库版本。最后一个支持sbt 0.13.11的Play版本是Play 2.5,2016年发布。Play 2.6于2017年取代它。Play 2.5支持于2018年完成。您使用的Play版本已不支持超过5年。看看所有这些从那时起在Play中修复的安全漏洞,您可能容易受到攻击,自2018年Play 2.5.x以来报告的许多漏洞都容易受到攻击,只是因为Play 2.5不支持,我们没有列出这些漏洞:
https://www.playframework.com/security/vulnerability
更不用说你使用的依赖中的所有漏洞了。

相关问题