diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
new file mode 100644
index 000000000000..f919d27615f9
--- /dev/null
+++ b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.gradle.internal.logging.util;
+
+/**
+ * This class contains references to log4j-core which had a critical vulnerability,
+ * see CVE-2021-44228.
+ */
+public class Log4jBannedVersion {
+ public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core";
+ public static final String LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3[";
+ public static final String LOG4J2_CORE_PREFERRED_VERSION = "2.15.0";
+}
diff --git a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
index cfdc013193d9..46904c37c3c8 100644
--- a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
+++ b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
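Review bot: Log4jBannedVersion is a pure constants holder yet is left instantiable and subclassable; declare it `public final class Log4jBannedVersion` with `private Log4jBannedVersion() {}` so it cannot be misused as a type. The Javadoc names CVE-2021-44228 but does not say what the three values mean, which matters because the lower bound of `[2.15, 3[` and the preferred `2.15.0` are the only place the "fixed" version is encoded and will need raising if a later log4j-core fix is published. Suggested class comment: `Constraint values applied to log4j-core: the inclusive lower bound of LOG4J2_CORE_STRICT_VERSION_RANGE is the first release fixing CVE-2021-44228, the exclusive upper bound keeps resolution on the 2.x line, and LOG4J2_CORE_PREFERRED_VERSION is chosen when nothing else forces a higher 2.x; raise both if a newer fix becomes required.` The constants would also benefit from a one-line comment each, e.g. `// Gradle range notation: 2.15 inclusive, 3 exclusive` on LOG4J2_CORE_STRICT_VERSION_RANGE.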
@@ -259,4 +259,22 @@ task someTask
 succeeds("assemble")
 succeeds("dependencyInsight", "--configuration", "zinc", "--dependency", "zinc")
 }
+
+ @ToBeFixedForConfigurationCache(because = ":dependencies")
+ def 'show that log4j-core, if present, is 2_15_0 at the minimum'() {
+ given:
+ file('build.gradle') << """
+ apply plugin: 'scala'
+
+ ${mavenCentralRepository()}
+ """
+
+ def versionPattern = ~/.*-> 2\.(\d+).*/
+ expect:
+ succeeds('dependencies', '--configuration', 'zinc')
+ def log4jOutput = result.getOutputLineThatContains("log4j-core:{strictly [2.15, 3[; prefer 2.15.0}")
+ def matcher = log4jOutput =~ versionPattern
+ matcher.find()
+ Integer.valueOf(matcher.group(1)) >= 15
+ }
 }
diff --git a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
index 670f114fac2c..b8a6de995e2f 100644
--- a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
+++ b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
@@ -55,6 +55,7 @@
 import org.gradle.api.tasks.scala.IncrementalCompileOptions;
 import org.gradle.api.tasks.scala.ScalaCompile;
 import org.gradle.api.tasks.scala.ScalaDoc;
+import org.gradle.internal.logging.util.Log4jBannedVersion;
 import org.gradle.jvm.tasks.Jar;
 import org.gradle.language.scala.internal.toolchain.DefaultScalaToolProvider;
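Review bot: The assertion `Integer.valueOf(matcher.group(1)) >= 15` only inspects the minor number captured by `~/.*-> 2\.(\d+).*/`, so it is tied to the `->` rendering that Gradle prints when the constraint overrides zinc's transitive log4j-core; if a future zinc already ships a 2.15+ log4j-core the line may carry no arrow (inferred, not verified here), `matcher.find()` would fail and the test would report a regression that is not one. The method name also says "if present", but `result.getOutputLineThatContains(...)` fails the feature outright when log4j-core is absent from `zinc`, so the name overstates what is checked. Either rename the feature to say log4j-core is expected in zinc, or add a comment above `versionPattern` stating the assumption: `// assumes zinc's default log4j-core is below 2.15 so the constraint is rendered as "... -> 2.15.x"; revisit if zinc upgrades log4j`.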
@@ -148,6 +149,11 @@ private void configureConfigurations(final Project project, final Usage incremen
 });
 });
 
+ zinc.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
+ version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
+ version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+ })));
+
 final Configuration incrementalAnalysisElements = project.getConfigurations().create("incrementalScalaAnalysisElements");
 incrementalAnalysisElements.setVisible(false);
 incrementalAnalysisElements.setDescription("Incremental compilation analysis files");
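Review bot: The new constraint on `zinc` carries no reason, so a user whose build fails because `strictly` rejects a forced lower log4j-core will see the range in `dependencyInsight` but not why Gradle imposes it; add `constraint.because("CVE-2021-44228");` inside the `constraint ->` lambda before `constraint.version(...)` so the rationale appears in resolution output. A short why-comment above the `zinc.getDependencyConstraints().add(...)` line would also help the next maintainer: `// strictly: fail resolution rather than silently accept a log4j-core below the fixed range; prefer: pick 2.15.0 when nothing else forces a newer 2.x`. Note that this only protects the `zinc` configuration Gradle resolves for the Scala toolchain; whether any other configuration created here also pulls log4j-core is not visible in the hunk. `zinc` and `dependencyHandler` are declared outside the hunk and configureConfigurations continues past it.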