Merge pull request #1795 from liuliaozhong/3.7.x

bugfix: 修复log4j1.x配置代码执行漏洞(CVE-2021-4104) #1756

src/backend/build.gradle

@@ -91,6 +91,8 @@ ext {
     // https://mvnrepository.com/artifact/org.apache.commons/commons-pool2
     set('apacheCommonsPoolVersion', "2.8.0")
     set('apacheCommonsCodecVersion', "1.14")
+    set('apacheCuratorFrameworkVersion', "5.4.0")
+    set('apacheCuratorRecipesVersion', "5.4.0")
     set('dozerVersion', "5.5.1")
     set('commonsCollectionsVersion', "3.2.2")
     set('jedisVersion', "3.0.1")
@@ -230,6 +232,8 @@ subprojects {
             dependency "io.springfox:springfox-swagger-ui:$swaggerVersion"
             dependency "org.apache.commons:commons-collections4:$apacheCommonsCollectionVersion"
             dependency "org.apache.commons:commons-pool2:$apacheCommonsPoolVersion"
+            dependency "org.apache.curator:curator-framework:$apacheCuratorFrameworkVersion"
+            dependency "org.apache.curator:curator-recipes:$apacheCuratorRecipesVersion"
             dependency "net.sf.dozer:dozer:$dozerVersion"
             dependency "commons-collections:commons-collections:$commonsCollectionsVersion"
             dependency "org.jedis:jedis:$jedisVersion"

src/backend/job-execute/service-job-execute/build.gradle

@@ -53,9 +53,9 @@ dependencies {
     implementation 'io.micrometer:micrometer-registry-prometheus'
     implementation "org.hibernate.validator:hibernate-validator"
     // https://mvnrepository.com/artifact/org.apache.curator/curator-framework
-    api(group: 'org.apache.curator', name: 'curator-framework', version: '5.1.0')
+    api(group: 'org.apache.curator', name: 'curator-framework')
     // https://mvnrepository.com/artifact/org.apache.curator/curator-recipes
-    api(group: 'org.apache.curator', name: 'curator-recipes', version: '5.1.0')
+    api(group: 'org.apache.curator', name: 'curator-recipes')
 
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testImplementation 'org.apache.commons:commons-lang3'

src/backend/job-execute/service-job-execute/src/main/java/com/tencent/bk/job/execute/service/impl/LogServiceImpl.java

@@ -53,7 +53,7 @@
 import com.tencent.bk.job.logsvr.model.service.ServiceScriptLogQueryRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.collections4.CollectionUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 

support-files/dependJarInfo/md5List.txt

@@ -35,6 +35,8 @@ a69448e8c1e24d989266083c301e354b
 fa752c3cb5474b05e14bf2ed7e242020
 040b4b4d8eac886f6b4a2a3bd2f31b00
 08c4c1bdf25e2e30c2615bc477c3b36c
+1fbff4f1b23cc418d1a4d9d0f12f93b5
+955750f1af38c1c2382b96e128810f99
 3b76e3e8bb6814dd418b058c6c8e1b3b
 54eec02e942f50ffea7e147f33cd85f7
 67beeee58df00366100061c7da82f4c2

support-files/dependJarInfo/nameList.txt

@@ -35,6 +35,8 @@ commons-lang
 commons-lang3
 commons-logging
 commons-pool2
+curator-framework
+curator-recipes
 consul-api
 dozer
 error_prone_annotations

support-files/dependJarInfo/orgList.txt

@@ -35,6 +35,8 @@ commons-lang
 org.apache.commons
 commons-logging
 org.apache.commons
+org.apache.curator
+org.apache.curator
 com.ecwid.consul
 net.sf.dozer
 com.google.errorprone

support-files/dependJarInfo/versionList.txt

@@ -35,6 +35,8 @@
 3.9
 1.2
 2.8.0
+5.4.0
+5.4.0
 1.4.1
 5.5.1
 2.3.4