From 2f91c8ed36cf63f14aae1ceb34a1c46f5a11afe1 Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Tue, 14 Dec 2021 18:23:56 +0100 Subject: [PATCH 1/4] Rework buildscript classpath log4j fix This now uses a combination of require and reject instead of a strictly, which will allow updates beyond the 2.x line. The previous solution was effectively preventing that with no way for the user to change that. Issue #19300 --- .../initialization/DefaultScriptHandler.java | 4 +- ...iptDependencyResolveIntegrationTest.groovy | 48 ++++++++++++++++++- .../logging/util/Log4jBannedVersion.java | 3 +- .../api/plugins/scala/ScalaBasePlugin.java | 2 +- 4 files changed, 51 insertions(+), 6 deletions(-) diff --git a/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java b/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java index 9cb94f169399..01f8bc0c71ad 100644 --- a/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java +++ b/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java @@ -142,8 +142,8 @@ private void defineConfiguration() { attributes.attribute(GradlePluginApiVersion.GRADLE_PLUGIN_API_VERSION_ATTRIBUTE, instantiator.named(GradlePluginApiVersion.class, GradleVersion.current().getVersion())); classpathConfiguration.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> { - version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE); - version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION); + version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION); + version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE); }))); } } diff --git a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy index 56259604d1b2..c7235022ca7f 100644 --- a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy +++ b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy @@ -17,6 +17,7 @@ package org.gradle.integtests.resolve import org.gradle.integtests.fixtures.AbstractDependencyResolutionTest +import org.gradle.integtests.fixtures.ToBeFixedForConfigurationCache import org.gradle.test.fixtures.file.LeaksFileHandles import spock.lang.Issue @@ -90,9 +91,11 @@ rootProject.name = 'testproject' failureHasCause("Conflict(s) found for the following module(s):") } + @ToBeFixedForConfigurationCache(because = ":buildEnvironment") + @Issue("gradle/gradle#19300") def 'carries implicit constraint for log4j-core'() { given: - mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.15.0').publish() + mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.16.0').publish() and: settingsFile << """ @@ -116,6 +119,47 @@ rootProject.name = 'testproject' """ expect: - succeeds 'help' + succeeds 'buildEnvironment' + outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.15[} -> 2.16.0 (c)') + } + + @Issue("gradle/gradle#19300") + def 'fails if build attempts to force vulnerable log4j-core'() { + given: + settingsFile << """ + rootProject.name = 'testproject' + """ + + buildFile << """ + buildscript { + repositories { maven { url "${mavenRepo().uri}" } } + dependencies { + classpath "org.apache.logging.log4j:log4j-core:2.14.1!!" + } + } + """ + + expect: + fails 'help' + failureCauseContains('Cannot find a version of \'org.apache.logging.log4j:log4j-core\' that satisfies the version constraints') + } + + @ToBeFixedForConfigurationCache(because = ":buildEnvironment") + @Issue("gradle/gradle#19300") + def 'allows to upgrade log4j to 3.x one day'() { + given: + mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '3.1.0').publish() + buildFile << """ + buildscript { + repositories { maven { url "${mavenRepo().uri}" } } + dependencies { + classpath "org.apache.logging.log4j:log4j-core:3.1.0" + } + } + """ + + expect: + succeeds 'buildEnvironment' + outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.15[} -> 3.1.0 (c)') } } diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java index f919d27615f9..0ebb71f69a1f 100644 --- a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java +++ b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java @@ -23,5 +23,6 @@ public class Log4jBannedVersion { public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core"; public static final String LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3["; - public static final String LOG4J2_CORE_PREFERRED_VERSION = "2.15.0"; + public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.15["; + public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.16.0"; } diff --git a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java index 1b38244f3ec5..a1ede2cc31b9 100644 --- a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java +++ b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java @@ -157,7 +157,7 @@ private void configureConfigurations(final Project project, final Usage incremen zinc.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> { version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE); - version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION); + version.prefer(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION); }))); final Configuration incrementalAnalysisElements = project.getConfigurations().create("incrementalScalaAnalysisElements"); From 53f3d205eb6edaa374ff4bb400af14acf141a20e Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Tue, 14 Dec 2021 18:30:14 +0100 Subject: [PATCH 2/4] Rework Zinc log4j fix This now uses a combination of require and reject instead of a strictly, which will allow updates beyond the 2.x line. The previous solution was effectively preventing that with no way for the user to change that. Issue #19300 --- .../gradle/internal/logging/util/Log4jBannedVersion.java | 1 - .../org/gradle/scala/ScalaPluginIntegrationTest.groovy | 7 ++++--- .../java/org/gradle/api/plugins/scala/ScalaBasePlugin.java | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java index 0ebb71f69a1f..c10202cd343a 100644 --- a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java +++ b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java @@ -22,7 +22,6 @@ */ public class Log4jBannedVersion { public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core"; - public static final String LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3["; public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.15["; public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.16.0"; } diff --git a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy index 834b770dd59a..8344a1e84541 100644 --- a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy +++ b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy @@ -244,7 +244,8 @@ task someTask } @ToBeFixedForConfigurationCache(because = ":dependencies") - def 'show that log4j-core, if present, is 2_15_0 at the minimum'() { + @Issue("gradle/gradle#19300") + def 'show that log4j-core, if present, is 2_16_0 at the minimum'() { given: file('build.gradle') << """ apply plugin: 'scala' @@ -255,9 +256,9 @@ task someTask def versionPattern = ~/.*-> 2\.(\d+).*/ expect: succeeds('dependencies', '--configuration', 'zinc') - def log4jOutput = result.getOutputLineThatContains("log4j-core:{strictly [2.15, 3[; prefer 2.15.0}") + def log4jOutput = result.getOutputLineThatContains("log4j-core:{require 2.16.0; reject [2.0, 2.15[}") def matcher = log4jOutput =~ versionPattern matcher.find() - Integer.valueOf(matcher.group(1)) >= 15 + Integer.valueOf(matcher.group(1)) >= 16 } } diff --git a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java index a1ede2cc31b9..6a3a67e60c45 100644 --- a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java +++ b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java @@ -156,8 +156,8 @@ private void configureConfigurations(final Project project, final Usage incremen }); zinc.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> { - version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE); - version.prefer(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION); + version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION); + version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE); }))); final Configuration incrementalAnalysisElements = project.getConfigurations().create("incrementalScalaAnalysisElements"); From 0122afa6f354cef5b15df7c47610386b5694c267 Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Tue, 14 Dec 2021 21:25:09 +0100 Subject: [PATCH 3/4] Mark Log4j 2.15 as vulnerable Follows publication of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 Issue #19300 --- .../org/gradle/internal/logging/util/Log4jBannedVersion.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java index c10202cd343a..0ebbd9d00642 100644 --- a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java +++ b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java @@ -22,6 +22,6 @@ */ public class Log4jBannedVersion { public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core"; - public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.15["; + public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.16)"; public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.16.0"; } From dc0ffd3bdd7efa8034a0aa8deb6c7b685632bd1b Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Tue, 14 Dec 2021 22:00:54 +0100 Subject: [PATCH 4/4] Fix tests following changes to constraint Issue #19300 --- .../resolve/ScriptDependencyResolveIntegrationTest.groovy | 4 ++-- .../groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy index c7235022ca7f..f253edd20f2d 100644 --- a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy +++ b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy @@ -120,7 +120,7 @@ rootProject.name = 'testproject' expect: succeeds 'buildEnvironment' - outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.15[} -> 2.16.0 (c)') + outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 2.16.0 (c)') } @Issue("gradle/gradle#19300") @@ -160,6 +160,6 @@ rootProject.name = 'testproject' expect: succeeds 'buildEnvironment' - outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.15[} -> 3.1.0 (c)') + outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 3.1.0 (c)') } } diff --git a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy index 8344a1e84541..f080df65d86e 100644 --- a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy +++ b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy @@ -256,7 +256,7 @@ task someTask def versionPattern = ~/.*-> 2\.(\d+).*/ expect: succeeds('dependencies', '--configuration', 'zinc') - def log4jOutput = result.getOutputLineThatContains("log4j-core:{require 2.16.0; reject [2.0, 2.15[}") + def log4jOutput = result.getOutputLineThatContains("log4j-core:{require 2.16.0; reject [2.0, 2.16)}") def matcher = log4jOutput =~ versionPattern matcher.find() Integer.valueOf(matcher.group(1)) >= 16