Merge pull request #19311 Log4j follow up

subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java

@@ -142,8 +142,8 @@ private void defineConfiguration() {
             attributes.attribute(GradlePluginApiVersion.GRADLE_PLUGIN_API_VERSION_ATTRIBUTE, instantiator.named(GradlePluginApiVersion.class, GradleVersion.current().getVersion()));
 
             classpathConfiguration.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
-                version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
-                version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+                version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION);
+                version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE);
             })));
         }
     }

subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy

@@ -17,6 +17,7 @@
 package org.gradle.integtests.resolve
 
 import org.gradle.integtests.fixtures.AbstractDependencyResolutionTest
+import org.gradle.integtests.fixtures.ToBeFixedForConfigurationCache
 import org.gradle.test.fixtures.file.LeaksFileHandles
 import spock.lang.Issue
 
@@ -90,9 +91,11 @@ rootProject.name = 'testproject'
         failureHasCause("Conflict(s) found for the following module(s):")
     }
 
+    @ToBeFixedForConfigurationCache(because = ":buildEnvironment")
+    @Issue("gradle/gradle#19300")
     def 'carries implicit constraint for log4j-core'() {
         given:
-        mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.15.0').publish()
+        mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.16.0').publish()
 
         and:
         settingsFile << """
@@ -116,6 +119,47 @@ rootProject.name = 'testproject'
         """
 
         expect:
-        succeeds 'help'
+        succeeds 'buildEnvironment'
+        outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 2.16.0 (c)')
+    }
+
+    @Issue("gradle/gradle#19300")
+    def 'fails if build attempts to force vulnerable log4j-core'() {
+        given:
+        settingsFile << """
+            rootProject.name = 'testproject'
+        """
+
+        buildFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core:2.14.1!!"
+                }
+            }
+        """
+
+        expect:
+        fails 'help'
+        failureCauseContains('Cannot find a version of \'org.apache.logging.log4j:log4j-core\' that satisfies the version constraints')
+    }
+
+    @ToBeFixedForConfigurationCache(because = ":buildEnvironment")
+    @Issue("gradle/gradle#19300")
+    def 'allows to upgrade log4j to 3.x one day'() {
+        given:
+        mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '3.1.0').publish()
+        buildFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core:3.1.0"
+                }
+            }
+        """
+
+        expect:
+        succeeds 'buildEnvironment'
+        outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 3.1.0 (c)')
     }
 }

subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java

@@ -22,6 +22,6 @@
  */
 public class Log4jBannedVersion {
     public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core";
-    public static final String LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3[";
-    public static final String LOG4J2_CORE_PREFERRED_VERSION = "2.15.0";
+    public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.16)";
+    public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.16.0";
 }

subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy

@@ -244,7 +244,8 @@ task someTask
     }
 
     @ToBeFixedForConfigurationCache(because = ":dependencies")
-    def 'show that log4j-core, if present, is 2_15_0 at the minimum'() {
+    @Issue("gradle/gradle#19300")
+    def 'show that log4j-core, if present, is 2_16_0 at the minimum'() {
         given:
         file('build.gradle') << """
             apply plugin: 'scala'
@@ -255,9 +256,9 @@ task someTask
         def versionPattern = ~/.*-> 2\.(\d+).*/
         expect:
         succeeds('dependencies', '--configuration', 'zinc')
-        def log4jOutput = result.getOutputLineThatContains("log4j-core:{strictly [2.15, 3[; prefer 2.15.0}")
+        def log4jOutput = result.getOutputLineThatContains("log4j-core:{require 2.16.0; reject [2.0, 2.16)}")
         def matcher = log4jOutput =~ versionPattern
         matcher.find()
-        Integer.valueOf(matcher.group(1)) >= 15
+        Integer.valueOf(matcher.group(1)) >= 16
     }
 }

subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java

@@ -156,8 +156,8 @@ private void configureConfigurations(final Project project, final Usage incremen
         });
 
         zinc.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
-            version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
-            version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+            version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION);
+            version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE);
         })));
 
         final Configuration incrementalAnalysisElements = project.getConfigurations().create("incrementalScalaAnalysisElements");