
Commit 3535b02

author
Victor Adossi
authored
Merge pull request #7 from oauth-io/fix/address-log4j-rce
fix(security): ensure updated transitive dep for log4j
2 parents 1616560 + 85dee47 commit 3535b02


1 file changed

+42
-3
lines changed


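--- a/pom.xml
+++ b/pom.xml
@@ -150,8 +150,8 @@
 <artifactId>maven-compiler-plugin</artifactId>
 <version>2.3.2</version>
 <configuration>
-<source>1.6</source>
-<target>1.6</target>
+<source>1.7</source>
+<target>1.7</target>
 </configuration>
 </plugin>
 <plugin>
@@ -164,7 +164,31 @@
 <nodeprecated>true</nodeprecated>
 </configuration>
 </plugin>
-</plugins>
+
+<!-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 -->
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-enforcer-plugin</artifactId>
+<version>3.0.0</version>
+<executions>
+<execution>
+<id>enforce</id>
+<goals>
+<goal>enforce</goal>
+</goals>
+<configuration>
+<rules>
+<bannedDependencies>
+<excludes>
+<exclude>org.apache.logging.log4j:log4j-core:(,2.16.0)</exclude>
+</excludes>
+</bannedDependencies>
+</rules>
+</configuration>
+</execution>
+</executions>
+</plugin>
+</plugins>
 </build>
 <dependencies>
 <dependency>
@@ -221,13 +245,28 @@
 <scope>test</scope>
 </dependency>
 </dependencies>
+
+<dependencyManagement>
+<dependencies>
+<dependency>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-bom</artifactId>
+<version>${log4j-version}</version>
+<scope>import</scope>
+<type>pom</type>
+</dependency>
+</dependencies>
+</dependencyManagement>
+
 <properties>
 <swagger-annotations-version>1.5.3-M1</swagger-annotations-version>
 <jersey-version>1.18</jersey-version>
 <jackson-version>2.10.0.pr1</jackson-version>
 <jodatime-version>2.3</jodatime-version>
 <maven-plugin-version>1.0.0</maven-plugin-version>
 <junit-version>4.8.1</junit-version>
+<!-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 -->
+<log4j-version>2.16.0</log4j-version>
 <!-- github server corresponds to entry in ~/.m2/settings.xml -->
 <github.global.server>github</github.global.server>
 </properties>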
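Review bot: The enforcer ban ceiling in the second hunk is a hard-coded literal, `org.apache.logging.log4j:log4j-core:(,2.16.0)`, while the BOM import in the third hunk is driven by the `log4j-version` property that currently holds the same value; the next bump of the property will silently leave the ban one release behind, so the rule should reference it instead: `<exclude>org.apache.logging.log4j:log4j-core:(,${log4j-version})</exclude>`. Keeping a single source of truth matters here because this pin is the control the commit title relies on, and later Log4j 2.x advisories have moved the recommended floor above the version pinned here, so the property will need to move again. The BOM import only overrides versions of log4j artifacts that some dependency already pulls in; the enforcer rule is what actually fails the build if an older `log4j-core` survives resolution, which is worth stating in the CVE comment above the plugin, e.g. `<!-- fails the build if any resolved log4j-core is older than the managed version -->`. The first hunk also raises the compiler source/target from 1.6 to 1.7, which the commit message does not mention; a one-line note in the description that the enforcer plugin version requires it (if that is the reason) would save the next reader from treating it as an unrelated change.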
