dataflow: use log4j 2.15 to patch security bug (GoogleCloudPlatform#6587)

davidcavazos · web-flow · commit 623516a21cf1 · 2021-12-14T12:26:11.000-05:00
diff --git a/dataflow/encryption-keys/pom.xml b/dataflow/encryption-keys/pom.xml
@@ -40,7 +40,7 @@
     <maven-exec-plugin.version>3.0.0</maven-exec-plugin.version>
     <maven-jar-plugin.version>3.2.0</maven-jar-plugin.version>
     <maven-shade-plugin.version>3.2.4</maven-shade-plugin.version>
-    <slf4j.version>1.7.32</slf4j.version>
+    <log4j2.version>2.15.0</log4j2.version>
   </properties>
 
   <repositories>
@@ -131,16 +131,16 @@
   </build>
 
   <dependencies>
-    <!-- slf4j API frontend binding with JUL backend -->
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-jdk14</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>${log4j2.version}</version>
+      <scope>runtime</scope>
     </dependency>
 
     <!-- Apache Beam
diff --git a/dataflow/flex-templates/kafka_to_bigquery/pom.xml b/dataflow/flex-templates/kafka_to_bigquery/pom.xml
@@ -41,7 +41,7 @@
     <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
     <maven-shade-plugin.version>3.2.4</maven-shade-plugin.version>
     <maven-exec-plugin.version>3.0.0</maven-exec-plugin.version>
-    <slf4j.version>1.7.32</slf4j.version>
+    <log4j2.version>2.15.0</log4j2.version>
   </properties>
 
   <repositories>
@@ -127,16 +127,16 @@
   </build>
 
   <dependencies>
-    <!-- slf4j API frontend binding with JUL backend -->
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-jdk14</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>${log4j2.version}</version>
+      <scope>runtime</scope>
     </dependency>
 
     <!-- Apache Beam
diff --git a/dataflow/flex-templates/streaming_beam_sql/pom.xml b/dataflow/flex-templates/streaming_beam_sql/pom.xml
@@ -40,7 +40,7 @@
     <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
     <maven-shade-plugin.version>3.2.4</maven-shade-plugin.version>
     <maven-exec-plugin.version>3.0.0</maven-exec-plugin.version>
-    <slf4j.version>1.7.32</slf4j.version>
+    <log4j2.version>2.15.0</log4j2.version>
   </properties>
 
   <repositories>
@@ -132,16 +132,16 @@
   </build>
 
   <dependencies>
-    <!-- slf4j API frontend binding with JUL backend -->
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-jdk14</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>${log4j2.version}</version>
+      <scope>runtime</scope>
     </dependency>
 
     <!-- Apache Beam
diff --git a/dataflow/spanner-io/pom.xml b/dataflow/spanner-io/pom.xml
@@ -39,6 +39,7 @@
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>
     <apache_beam.version>2.31.0</apache_beam.version>
+    <log4j2.version>2.15.0</log4j2.version>
   </properties>
 
   <build>
@@ -101,9 +102,15 @@
 
     <!-- Misc -->
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-jdk14</artifactId>
-      <version>1.7.32</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>${log4j2.version}</version>
+      <scope>runtime</scope>
     </dependency>
 
   </dependencies>
diff --git a/dataflow/templates/pom.xml b/dataflow/templates/pom.xml
@@ -40,7 +40,7 @@
     <maven-exec-plugin.version>3.0.0</maven-exec-plugin.version>
     <maven-jar-plugin.version>3.2.0</maven-jar-plugin.version>
     <maven-shade-plugin.version>3.2.4</maven-shade-plugin.version>
-    <slf4j.version>1.7.32</slf4j.version>
+    <log4j2.version>2.15.0</log4j2.version>
   </properties>
 
   <repositories>
@@ -131,16 +131,16 @@
   </build>
 
   <dependencies>
-    <!-- slf4j API frontend binding with JUL backend -->
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j2.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-jdk14</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>${log4j2.version}</version>
+      <scope>runtime</scope>
     </dependency>
 
     <!-- Apache Beam
