From f965f77920c03653d1a638594fe002c00213d936 Mon Sep 17 00:00:00 2001
From: Crypt Keeper <64215+codefromthecrypt@users.noreply.github.com>
Date: Mon, 11 Dec 2023 11:11:06 +0800
Subject: [PATCH] deps: uses bom to manage log4j and removes explicit snappy
 override (#3624)

snappy was documented as being brought in by spring, but it was kafka
and is now current. This also corrects how versions were declared to
override spring defaults, using dependencyManagement. Only one dep is
oddly overridden by us, snakeyaml, so is now documented as such.

Signed-off-by: Adrian Cole <adrian@tetrate.io>
---
 zipkin-server/pom.xml | 60 +++++++++++--------------------------------
 1 file changed, 15 insertions(+), 45 deletions(-)

diff --git a/zipkin-server/pom.xml b/zipkin-server/pom.xml
index 76b23ab2039..b14db8de3a1 100644
--- a/zipkin-server/pom.xml
+++ b/zipkin-server/pom.xml
@@ -35,7 +35,6 @@
     <brave.version>5.16.0</brave.version>
     <!-- Version overrides to avoid CVEs due to out-of-date Spring deps -->
     <log4j2.version>2.22.0</log4j2.version>
-    <snappy.version>1.1.10.5</snappy.version>
     <snakeyaml.version>2.2</snakeyaml.version>
     <proto.generatedSourceDirectory>${project.build.directory}/generated-test-sources/wire</proto.generatedSourceDirectory>
   </properties>
@@ -71,6 +70,14 @@
         </exclusions>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-bom</artifactId>
+        <version>${log4j2.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+
       <dependency>
         <groupId>com.fasterxml.jackson</groupId>
         <artifactId>jackson-bom</artifactId>
@@ -78,6 +85,13 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+
+      <!-- Override spring-boot-starter to avoid CVEs. -->
+      <dependency>
+        <groupId>org.yaml</groupId>
+        <artifactId>snakeyaml</artifactId>
+        <version>${snakeyaml.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -106,50 +120,6 @@
       </exclusions>
     </dependency>
 
-    <!-- Override Spring dependency to avoid CVEs -->
-    <dependency>
-      <groupId>org.yaml</groupId>
-      <artifactId>snakeyaml</artifactId>
-      <version>${snakeyaml.version}</version>
-    </dependency>
-
-    <!-- Override Spring dependency to avoid CVEs -->
-    <dependency>
-      <groupId>org.xerial.snappy</groupId>
-      <artifactId>snappy-java</artifactId>
-      <version>${snappy.version}</version>
-    </dependency>
-
-    <!-- Override Spring dependency to avoid CVEs -->
-    <dependency>
-      <groupId>org.apache.logging.log4j</groupId>
-      <artifactId>log4j-api</artifactId>
-      <version>${log4j2.version}</version>
-      <type>jar</type>
-      <scope>compile</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.logging.log4j</groupId>
-      <artifactId>log4j-core</artifactId>
-      <version>${log4j2.version}</version>
-      <type>jar</type>
-      <scope>compile</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.logging.log4j</groupId>
-      <artifactId>log4j-slf4j-impl</artifactId>
-      <version>${log4j2.version}</version>
-      <type>jar</type>
-      <scope>compile</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.logging.log4j</groupId>
-      <artifactId>log4j-jul</artifactId>
-      <version>${log4j2.version}</version>
-      <type>jar</type>
-      <scope>compile</scope>
-    </dependency>
-
     <!-- Use log4j 2 as default logging implementation -->
     <dependency>
       <groupId>org.springframework.boot</groupId>