diff --git a/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java b/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java
index 9f035ca63fa5..39f90458b713 100644
--- a/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java
+++ b/subprojects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java
@@ -134,8 +134,8 @@ private void defineConfiguration() {
 attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, Integer.parseInt(JavaVersion.current().getMajorVersion()));
 classpathConfiguration.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
- version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
- version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+ version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION);
+ version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE);
 })));
 }
 }
diff --git a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
index 9e33134f68ab..41b70ba816a4 100644
--- a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
+++ b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
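Review bot: The new require/reject pair in defineConfiguration() carries no comment saying why the constraint was loosened from `strictly` to `require`, so a later reader will read it as a weakening rather than the intended floor-plus-deny-list (the integration test 'allows to upgrade log4j to 3.x one day' shows that moving past the 2.x line is deliberate). I would add, above the `create(...)` call, `// Floor the buildscript classpath at LOG4J2_CORE_REQUIRED_VERSION and reject the known-bad range; 'require' rather than 'strictly' so a build can still move to a newer major.` The comment should also say that the two constants in Log4jBannedVersion must be kept in step with each other, since the reject range and the required floor are what together define what this constraint refuses. defineConfiguration() begins before this hunk.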
@@ -17,7 +17,9 @@ package org.gradle.integtests.resolve
 import org.gradle.integtests.fixtures.AbstractDependencyResolutionTest
+import org.gradle.integtests.fixtures.ToBeFixedForConfigurationCache
 import org.gradle.test.fixtures.file.LeaksFileHandles
+import spock.lang.Issue
 class ScriptDependencyResolveIntegrationTest extends AbstractDependencyResolutionTest {
 @LeaksFileHandles("Puts gradle user home in integration test dir")
@@ -61,9 +63,11 @@ task check {
 succeeds "check"
 }
+ @ToBeFixedForConfigurationCache(because = ":buildEnvironment")
+ @Issue("gradle/gradle#19328")
 def 'carries implicit constraint for log4j-core'() {
 given:
- mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.15.0').publish()
+ mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.16.0').publish()
 and:
 settingsFile << """
@@ -87,6 +91,47 @@ task check {
 """
 expect:
- succeeds 'help'
+ succeeds 'buildEnvironment'
+ outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.15[} -> 2.16.0 (c)')
+ }
+
+ @Issue("gradle/gradle#19328")
+ def 'fails if build attempts to force vulnerable log4j-core'() {
+ given:
+ settingsFile << """
+ rootProject.name = 'testproject'
+ """
+
+ buildFile << """
+ buildscript {
+ repositories { maven { url "${mavenRepo().uri}" } }
+ dependencies {
+ classpath "org.apache.logging.log4j:log4j-core:2.14.1!!"
+ }
+ }
+ """
+
+ expect:
+ fails 'help'
+ failureCauseContains('Cannot find a version of \'org.apache.logging.log4j:log4j-core\' that satisfies the version constraints')
+ }
+
+ @ToBeFixedForConfigurationCache(because = ":buildEnvironment")
+ @Issue("gradle/gradle#19328")
+ def 'allows to upgrade log4j to 3.x one day'() {
+ given:
+ mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '3.1.0').publish()
+ buildFile << """
+ buildscript {
+ repositories { maven { url "${mavenRepo().uri}" } }
+ dependencies {
+ classpath "org.apache.logging.log4j:log4j-core:3.1.0"
+ }
+ }
+ """
+
+ expect:
+ succeeds 'buildEnvironment'
+ outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.15[} -> 3.1.0 (c)')
 }
 }
diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
index f919d27615f9..0ebb71f69a1f 100644
--- a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
+++ b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
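Review bot: 'fails if build attempts to force vulnerable log4j-core' only forces a version inside the reject range (`2.14.1!!`); 2.15.0, which this commit stops accepting as the required version yet which lies outside `[2.0, 2.15[`, is never exercised, so what happens when a build pins `2.15.0!!` is untested. If a forced 2.15.0 is also expected to fail resolution, as the bump to 2.16.0 suggests, parametrising the feature covers both cases without duplicating it: change the classpath line to `classpath "org.apache.logging.log4j:log4j-core:${forced}!!"` and append `where: forced << ['2.14.1', '2.15.0']` after the `expect:` block. The `reject [2.0, 2.15[` text asserted in the two `buildEnvironment` expectations is the rendered value of LOG4J2_CORE_VULNERABLE_VERSION_RANGE and has to follow any change to that constant. The enclosing feature 'carries implicit constraint for log4j-core' starts before this hunk.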
@@ -23,5 +23,6 @@ public class Log4jBannedVersion {
 public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core";
 public static final String LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3[";
- public static final String LOG4J2_CORE_PREFERRED_VERSION = "2.15.0";
+ public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.15[";
+ public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.16.0";
 }
diff --git a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
index b8a6de995e2f..18fba0c465a9 100644
--- a/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
+++ b/subprojects/scala/src/main/java/org/gradle/api/plugins/scala/ScalaBasePlugin.java
@@ -151,7 +151,7 @@ private void configureConfigurations(final Project project, final Usage incremen
 zinc.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
 version.strictly(Log4jBannedVersion.LOG4J2_CORE_STRICT_VERSION_RANGE);
- version.prefer(Log4jBannedVersion.LOG4J2_CORE_PREFERRED_VERSION);
+ version.prefer(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION);
 })));
 final Configuration incrementalAnalysisElements = project.getConfigurations().create("incrementalScalaAnalysisElements");
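Review bot: `LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.15["` leaves 2.15.0 outside the rejected range even though the same hunk raises the required version from 2.15.0 to 2.16.0, and the untouched `LOG4J2_CORE_STRICT_VERSION_RANGE = "[2.15, 3["` still admits 2.15.0 wherever it remains in use (ScalaBasePlugin in this same commit keeps it). If 2.15.0 is no longer considered acceptable, which the bump suggests, both ranges should move with the floor, `"[2.0, 2.16["` and `"[2.16, 3["`, and the `reject [2.0, 2.15[` strings asserted in ScriptDependencyResolveIntegrationTest change with them. Whatever the values, a one-line comment on each constant naming the issue the range tracks (the tests reference gradle/gradle#19328) and stating that the reject range's upper bound and the required version must agree would keep them from drifting apart again. The class also has no Javadoc saying that these constants are consumed by both DefaultScriptHandler and ScalaBasePlugin.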
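Review bot: The zinc configuration keeps `strictly(LOG4J2_CORE_STRICT_VERSION_RANGE)` paired with `prefer`, so this hunk only changes which version is preferred; `prefer` is a weak hint and any other constraint in the graph asking for 2.15.0, which is inside "[2.15, 3[", will still resolve the Scala compiler classpath to 2.15.0, while the buildscript classpath in DefaultScriptHandler now floors at 2.16.0. Unless zinc must stay on the 2.x line, mirror that change here: `version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION);` and `version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE);` in place of the strictly/prefer pair. If the 2.x pin is deliberate, say so in a comment above the `create(...)` call and raise the strict range's lower bound to the required version instead, otherwise the two classpaths enforce different floors for the same artifact. configureConfigurations() continues outside this hunk.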