Upgrade log4j-core on Zinc classpath

This makes sure a log4j vulnerable version is not available for Zinc compilation even though it is actually not used by default. Issue #19328
gradle · Dec 16, 2021 · 59d95fc · 59d95fc
1 parent 354b0d3
commit 59d95fc
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 0 deletions.
diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.gradle.internal.logging.util;
+
+/**
+ * This class contains references to log4j-core which had a critical vulnerability,
+ * see <a url="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a>.
+ */
+public class Log4jBannedVersion {
+    public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core";
+    public static final String LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3[";
+    public static final String LOG4J2_CORE_PREFERRED_VERSION = "2.15.0";
+}
diff --git a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
@@ -259,4 +259,22 @@ task someTask
         succeeds("assemble")
         succeeds("dependencyInsight", "--configuration", "zinc", "--dependency", "zinc")
     }
+
+    @ToBeFixedForConfigurationCache(because = ":dependencies")
+    def 'show that log4j-core, if present, is 2_15_0 at the minimum'() {
+        given:
+        file('build.gradle') << """
+            apply plugin: 'scala'
+
+            ${mavenCentralRepository()}
+        """
+
+        def versionPattern = ~/.*-> 2\.(\d+).*/
+        expect:
+        succeeds('dependencies', '--configuration', 'zinc')
+        def log4jOutput = result.getOutputLineThatContains("log4j-core:{strictly [2.15, 3[; prefer 2.15.0}")
+        def matcher = log4jOutput =~ versionPattern
+        matcher.find()
+        Integer.valueOf(matcher.group(1)) >= 15
+    }
 }
diff --git a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
@@ -55,6 +55,7 @@
 import org.gradle.api.tasks.scala.IncrementalCompileOptions;
 import org.gradle.api.tasks.scala.ScalaCompile;
 import org.gradle.api.tasks.scala.ScalaDoc;
+import org.gradle.internal.logging.util.Log4jBannedVersion;
 import org.gradle.jvm.tasks.Jar;
 import org.gradle.language.scala.internal.toolchain.DefaultScalaToolProvider;
 
@@ -148,6 +149,11 @@ private void configureConfigurations(final Project project, final Usage incremen
             });
         });
 
+        zinc.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
+            version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
+            version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+        })));
+
         final Configuration incrementalAnalysisElements = project.getConfigurations().create("incrementalScalaAnalysisElements");
         incrementalAnalysisElements.setVisible(false);
         incrementalAnalysisElements.setDescription("Incremental compilation analysis files");