

deps: uses bom to manage log4j and removes explicit snappy override (#…
…3624)

snappy was documented as being brought in by Spring, but it is actually brought
in by Kafka and is now current. This also corrects how versions were declared to
override Spring defaults, using dependencyManagement. Only one dependency is
oddly overridden by us, snakeyaml, so it is now documented as such.

Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt authored Dec 11, 2023
1 parent 136c205 commit f965f77
Showing 1 changed file with 15 additions and 45 deletions.
60 changes: 15 additions & 45 deletions zipkin-server/pom.xml
Expand Up @@ -35,7 +35,6 @@
<brave.version>5.16.0</brave.version>
<!-- Version overrides to avoid CVEs due to out-of-date Spring deps -->
<log4j2.version>2.22.0</log4j2.version>
<snappy.version>1.1.10.5</snappy.version>
<snakeyaml.version>2.2</snakeyaml.version>
<proto.generatedSourceDirectory>${project.build.directory}/generated-test-sources/wire</proto.generatedSourceDirectory>
</properties>
Expand Down Expand Up @@ -71,13 +70,28 @@
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>${log4j2.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>

<dependency>
<groupId>com.fasterxml.jackson</groupId>
<artifactId>jackson-bom</artifactId>
<version>${jackson.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>

<!-- Override spring-boot-starter to avoid CVEs. -->
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
</dependencies>
</dependencyManagement>

Expand Down Expand Up @@ -106,50 +120,6 @@
</exclusions>
</dependency>

<!-- Override Spring dependency to avoid CVEs -->
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>

<!-- Override Spring dependency to avoid CVEs -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>${snappy.version}</version>
</dependency>

<!-- Override Spring dependency to avoid CVEs -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>${log4j2.version}</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${log4j2.version}</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>${log4j2.version}</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jul</artifactId>
<version>${log4j2.version}</version>
<type>jar</type>
<scope>compile</scope>
</dependency>

<!-- Use log4j 2 as default logging implementation -->
<dependency>
<groupId>org.springframework.boot</groupId>
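Review bot: The new `log4j-bom` import in the `dependencyManagement` hunk only pins log4j artifacts to `${log4j2.version}` if it is declared before any other imported BOM that also manages log4j, because Maven takes the first managed version it encounters across imports; the start of the `<dependencyManagement>` block is outside the hunk, so whether a `spring-boot-dependencies` import precedes it cannot be seen here (if Spring Boot is the parent POM rather than an imported BOM, the property override alone already applies). Since the explicit `log4j-api`, `log4j-core`, `log4j-slf4j-impl` and `log4j-jul` declarations were dropped in the last hunk, those artifacts now arrive only transitively, presumably via the `spring-boot-starter-log4j2` dependency whose declaration continues past the hunk; it is worth confirming with `mvn help:effective-pom` or `mvn dependency:tree` that every `org.apache.logging.log4j` artifact resolves to 2.22.0 and that no artifact (in particular the SLF4J binding) silently changed. I would add a comment above the import, `<!-- Imported before any other BOM managing log4j so ${log4j2.version} wins (first managed version is used) -->`, so the ordering constraint survives future reorganisation of this block.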

