Add constraint for log4j-core version

This constraint makes sure that no vulnerable log4j-core version is made
available on buildscript classpath directly or through plugin
dependencies.

Fixes #19300

subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java

@@ -39,6 +39,7 @@
 import org.gradle.groovy.scripts.ScriptSource;
 import org.gradle.internal.classloader.ClasspathUtil;
 import org.gradle.internal.classpath.ClassPath;
+import org.gradle.internal.logging.util.Log4jBannedVersion;
 import org.gradle.internal.metaobject.BeanDynamicObject;
 import org.gradle.internal.metaobject.DynamicObject;
 import org.gradle.internal.resource.ResourceLocation;
@@ -98,9 +99,6 @@ public ClassPath getNonInstrumentedScriptClassPath() {
     @Override
     public DependencyHandler getDependencies() {
         defineConfiguration();
-        if (dependencyHandler == null) {
-            dependencyHandler = dependencyResolutionServices.getDependencyHandler();
-        }
         return dependencyHandler;
     }
 
@@ -128,6 +126,9 @@ private void defineConfiguration() {
         if (configContainer == null) {
             configContainer = dependencyResolutionServices.getConfigurationContainer();
         }
+        if (dependencyHandler == null) {
+            dependencyHandler = dependencyResolutionServices.getDependencyHandler();
+        }
         if (classpathConfiguration == null) {
             classpathConfiguration = configContainer.create(CLASSPATH_CONFIGURATION);
             // should ideally reuse the `JvmEcosystemUtilities` but this code is too low level
@@ -139,6 +140,11 @@ private void defineConfiguration() {
             attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, instantiator.named(Bundling.class, Bundling.EXTERNAL));
             attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, Integer.parseInt(JavaVersion.current().getMajorVersion()));
             attributes.attribute(GradlePluginApiVersion.GRADLE_PLUGIN_API_VERSION_ATTRIBUTE, instantiator.named(GradlePluginApiVersion.class, GradleVersion.current().getVersion()));
+
+            classpathConfiguration.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
+                version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
+                version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+            })));
         }
     }
 

subprojects/core/src/test/groovy/org/gradle/api/internal/initialization/DefaultScriptHandlerTest.groovy

@@ -17,6 +17,8 @@ package org.gradle.api.internal.initialization
 
 import org.gradle.api.artifacts.Configuration
 import org.gradle.api.artifacts.ConfigurationContainer
+import org.gradle.api.artifacts.DependencyConstraintSet
+import org.gradle.api.artifacts.dsl.DependencyConstraintHandler
 import org.gradle.api.artifacts.dsl.DependencyHandler
 import org.gradle.api.artifacts.dsl.RepositoryHandler
 import org.gradle.api.attributes.Bundling
@@ -35,6 +37,8 @@ import spock.lang.Specification
 class DefaultScriptHandlerTest extends Specification {
     def repositoryHandler = Mock(RepositoryHandler)
     def dependencyHandler = Mock(DependencyHandler)
+    def dependencyConstraintHandler = Mock(DependencyConstraintHandler)
+    def dependencyConstraintSet = Mock(DependencyConstraintSet)
     def configurationContainer = Mock(ConfigurationContainer)
     def configuration = Mock(Configuration)
     def scriptSource = Stub(ScriptSource)
@@ -57,11 +61,16 @@ class DefaultScriptHandlerTest extends Specification {
 
         then:
         1 * depMgmtServices.configurationContainer >> configurationContainer
+        1 * depMgmtServices.dependencyHandler >> dependencyHandler
         1 * configurationContainer.create('classpath') >> configuration
         1 * configuration.attributes >> attributes
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         0 * configurationContainer._
         0 * depMgmtServices._
     }
@@ -73,12 +82,16 @@ class DefaultScriptHandlerTest extends Specification {
 
         then:
         1 * depMgmtServices.configurationContainer >> configurationContainer
+        1 * depMgmtServices.dependencyHandler >> dependencyHandler
         1 * configurationContainer.create('classpath') >> configuration
         1 * configuration.attributes >> attributes
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
-        1 * depMgmtServices.dependencyHandler >> dependencyHandler
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         0 * configurationContainer._
         0 * depMgmtServices._
     }
@@ -107,11 +120,16 @@ class DefaultScriptHandlerTest extends Specification {
 
         and:
         1 * depMgmtServices.configurationContainer >> configurationContainer
+        1 * depMgmtServices.dependencyHandler >> dependencyHandler
         1 * configurationContainer.create('classpath') >> configuration
         1 * configuration.attributes >> attributes
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         1 * classpathResolver.resolveClassPath(configuration) >> classpath
     }
 
@@ -151,6 +169,10 @@ class DefaultScriptHandlerTest extends Specification {
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         1 * dependencyHandler.add('config', 'dep')
     }
 }

subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy

@@ -89,4 +89,33 @@ rootProject.name = 'testproject'
         fails "help"
         failureHasCause("Conflict(s) found for the following module(s):")
     }
+
+    def 'carries implicit constraint for log4j-core'() {
+        given:
+        mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.15.0').publish()
+
+        and:
+        settingsFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core"
+                }
+            }
+
+            rootProject.name = 'testproject'
+        """
+
+        buildFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core"
+                }
+            }
+        """
+
+        expect:
+        succeeds 'help'
+    }
 }