Merge branch 'cherry-pick-log4j' into 'release/0.12'

Upgrade vulnerable dependencies according to WhiteSource alerts See merge request !129

Merge branch 'cherry-pick-log4j' into 'release/0.12'
Upgrade vulnerable dependencies according to WhiteSource alerts See merge request !129
c0d35ae1 · David Diederich · f10340fe · 3500e23d · c0d35ae1 · c0d35ae1
Commit c0d35ae1 authored Dec 13, 2021 by David Diederich
--- a/NOTICE
+++ b/NOTICE
@@ -9,49 +9,49 @@ The following software have components provided under the terms of this license:

 - Apache Commons Codec (from https://commons.apache.org/proper/commons-codec/)
 - Apache Commons Lang (from http://commons.apache.org/proper/commons-lang/)
- Apache Commons Logging (from http://commons.apache.org/proper/commons-logging/)
 - Apache HttpAsyncClient (from http://hc.apache.org/httpcomponents-asyncclient)
- Apache HttpClient (from http://hc.apache.org/httpcomponents-client)
 - Apache HttpClient Cache (from http://hc.apache.org/httpcomponents-client)
 - Apache HttpCore (from http://hc.apache.org/httpcomponents-core-ga)
- Apache HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga)
 - Apache Log4j API (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api)
 - Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
+- Apache Lucene (module: backward-codecs) (from https://lucene.apache.org/)
 - Bean Validation API (from http://beanvalidation.org)
- Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
+- Byte Buddy (without dependencies) (from )
 - Byte Buddy agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
 - ClassMate (from http://github.com/cowtowncoder/java-classmate)
+- Commons Logging (from http://commons.apache.org/logging/)
 - Elastic JNA Distribution (from https://github.com/java-native-access/jna)
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - FindBugs-jsr305 (from http://findbugs.sourceforge.net/)
 - Google HTTP Client Library for Java (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client)
- Gson (from https://repo1.maven.org/maven2/com/google/code/gson/gson)
+- Gson (from http://code.google.com/p/google-gson/)
 - Guava InternalFutureFailureAccess and InternalFutures (from https://repo1.maven.org/maven2/com/google/guava/failureaccess)
- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
+- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
 - HPPC Collections (from https://repo1.maven.org/maven2/com/carrotsearch/hppc)
 - Hibernate Validator Engine (from https://repo1.maven.org/maven2/org/hibernate/validator/hibernate-validator)
+- HttpClient (from http://hc.apache.org/httpcomponents-client)
+- HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga)
 - J2ObjC Annotations (from https://github.com/google/j2objc/)
 - JBoss Logging 3 (from http://www.jboss.org)
 - JSON Web Token support for the JVM (from https://repo1.maven.org/maven2/io/jsonwebtoken/jjwt)
 - Jackson dataformat: CBOR (from http://github.com/FasterXML/jackson-dataformats-binary)
- Jackson datatype: JSR310 (from https://repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310)
- Jackson datatype: jdk8 (from https://repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8)
+- Jackson-Datatype-JSR310 (from http://wiki.fasterxml.com/JacksonModuleJSR310)
 - Jackson-annotations (from http://github.com/FasterXML/jackson)
- Jackson-core (from http://wiki.fasterxml.com/JacksonHome)
- Jackson-dataformat-Smile (from http://wiki.fasterxml.com/JacksonForSmile)
+- Jackson-core (from https://github.com/FasterXML/jackson-core)
+- Jackson-dataformat-Smile (from )
 - Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson)
- Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
+- Jackson-datatype-jdk8 (from )
+- Jackson-module-parameter-names (from )
 - Jakarta Bean Validation API (from https://beanvalidation.org)
+- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Java Servlet API (from http://servlet-spec.java.net)
 - Javassist (from http://www.javassist.org/)
- Joda-Time (from https://www.joda.org/joda-time/)
+- Joda-Time (from http://www.joda.org/joda-time/)
 - Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
+- Lucene Core (from )
 - Lucene Grouping (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-grouping)
 - Lucene Highlighter (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-highlighter)
 - Lucene Join (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-join)
 - Lucene Memory (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-memory)
- Lucene Memory (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-backward-codecs)
 - Lucene Miscellaneous (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-misc)
 - Lucene Queries (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-queries)
 - Lucene QueryParsers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-queryparser)
@@ -71,22 +71,16 @@ The following software have components provided under the terms of this license:
 - OpenCensus (from https://github.com/census-instrumentation/opencensus-java)
 - PowerMock (from http://www.powermock.org)
 - PowerMock (from http://www.powermock.org)
- PowerMock (from http://www.powermock.org)
- PowerMock (from http://www.powermock.org)
- SnakeYAML (from http://www.snakeyaml.org)
+- SnakeYAML (from http://code.google.com/p/snakeyaml/)
 - Spring AOP (from https://github.com/spring-projects/spring-framework)
 - Spring Beans (from https://github.com/spring-projects/spring-framework)
- Spring Boot (from http://projects.spring.io/spring-boot/)
- Spring Boot AutoConfigure (from http://projects.spring.io/spring-boot/)
- Spring Boot Json Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-json)
- Spring Boot Logging Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Tomcat Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-tomcat)
- Spring Boot Web Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web)
+- Spring Boot Validation Starter (from http://projects.spring.io/spring-boot/)
+- Spring Boot Web Starter (from http://projects.spring.io/spring-boot/)
 - Spring Commons Logging Bridge (from https://github.com/spring-projects/spring-framework)
 - Spring Context (from https://github.com/spring-projects/spring-framework)
 - Spring Core (from https://github.com/spring-projects/spring-framework)
 - Spring Expression Language (SpEL) (from https://github.com/spring-projects/spring-framework)
+- Spring TestContext Framework (from https://github.com/spring-projects/spring-framework)
 - Spring Web (from https://github.com/spring-projects/spring-framework)
 - Spring Web MVC (from https://github.com/spring-projects/spring-framework)
 - T-Digest (from https://github.com/tdunning/t-digest)
@@ -99,19 +93,25 @@ The following software have components provided under the terms of this license:
 - elasticsearch-x-content (from https://github.com/elastic/elasticsearch)
 - error-prone annotations (from https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations)
 - io.grpc:grpc-context (from https://github.com/grpc/grpc-java)
- jackson-databind (from http://wiki.fasterxml.com/JacksonHome)
+- jackson-databind (from http://github.com/FasterXML/jackson)
 - javax.inject (from http://code.google.com/p/atinject/)
 - lang-mustache (from https://github.com/elastic/elasticsearch)
- lettuce (from http://github.com/mp911de/lettuce/wiki)
+- lettuce (from http://github.com/lettuce-io/lettuce-core)
 - mapper-extras (from https://github.com/elastic/elasticsearch)
 - parent-join (from https://github.com/elastic/elasticsearch)
+- powermock-core (from http://www.powermock.org)
+- powermock-reflect (from https://repo1.maven.org/maven2/org/powermock/powermock-reflect)
 - rank-eval (from https://github.com/elastic/elasticsearch)
 - rest (from https://github.com/elastic/elasticsearch)
 - rest-high-level (from https://github.com/elastic/elasticsearch)
 - rxjava (from https://github.com/ReactiveX/RxJava)
 - server (from https://github.com/elastic/elasticsearch)
- spring-boot-starter-validation (from https://spring.io/projects/spring-boot)
- spring-test (from https://repo1.maven.org/maven2/org/springframework/spring-test)
+- spring-boot (from https://spring.io/projects/spring-boot)
+- spring-boot-autoconfigure (from https://spring.io/projects/spring-boot)
+- spring-boot-starter (from https://spring.io/projects/spring-boot)
+- spring-boot-starter-json (from https://spring.io/projects/spring-boot)
+- spring-boot-starter-logging (from https://spring.io/projects/spring-boot)
+- spring-boot-starter-tomcat (from https://spring.io/projects/spring-boot)
 - swagger-annotations (from https://repo1.maven.org/maven2/io/swagger/swagger-annotations)
 - swagger-jaxrs (from https://repo1.maven.org/maven2/io/swagger/swagger-jaxrs)
 - tomcat-embed-core (from http://tomcat.apache.org/)
@@ -125,7 +125,7 @@ The following software have components provided under the terms of this license:
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
 - Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
 - Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Reflections (from http://github.com/ronmamo/reflections)
+- Reflections (from http://code.google.com/p/reflections/)

 ========================================================================
 BSD-3-Clause
@@ -136,11 +136,11 @@ The following software have components provided under the terms of this license:
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
 - Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
 - Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
+- Lucene Core (from )
 - Lucene Suggest (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-suggest)
 - Mockito (from http://www.mockito.org)
- Reflections (from http://github.com/ronmamo/reflections)
- SnakeYAML (from http://www.snakeyaml.org)
+- Reflections (from http://code.google.com/p/reflections/)
+- SnakeYAML (from http://code.google.com/p/snakeyaml/)
 - Spring Core (from https://github.com/spring-projects/spring-framework)

 ========================================================================
@@ -163,7 +163,7 @@ CPL-1.0
 ========================================================================
 The following software have components provided under the terms of this license:

- JUnit (from http://junit.org)
+- JUnit (from )
 - System Rules (from http://stefanbirkner.github.io/system-rules/)

 ========================================================================
@@ -171,19 +171,19 @@ EPL-1.0
 ========================================================================
 The following software have components provided under the terms of this license:

- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
- SnakeYAML (from http://www.snakeyaml.org)
+- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
+- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
+- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)
+- SnakeYAML (from http://code.google.com/p/snakeyaml/)

 ========================================================================
 EPL-2.0
 ========================================================================
 The following software have components provided under the terms of this license:

- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
+- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)

 ========================================================================
 GPL-2.0-only
@@ -198,15 +198,15 @@ GPL-2.0-or-later
 ========================================================================
 The following software have components provided under the terms of this license:

- SnakeYAML (from http://www.snakeyaml.org)
+- SnakeYAML (from http://code.google.com/p/snakeyaml/)

 ========================================================================
 GPL-2.0-with-classpath-exception
 ========================================================================
 The following software have components provided under the terms of this license:

- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
+- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Java Servlet API (from http://servlet-spec.java.net)
 - tomcat-embed-core (from http://tomcat.apache.org/)

@@ -215,9 +215,9 @@ GPL-3.0-only
 ========================================================================
 The following software have components provided under the terms of this license:

- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Project Lombok (from http://projectlombok.org)
+- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
+- Project Lombok (from https://projectlombok.org)

 ========================================================================
 LGPL-2.1-only
@@ -226,8 +226,8 @@ The following software have components provided under the terms of this license:

 - Elastic JNA Distribution (from https://github.com/java-native-access/jna)
 - Javassist (from http://www.javassist.org/)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
+- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
+- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)

 ========================================================================
 LGPL-2.1-or-later
@@ -235,7 +235,7 @@ LGPL-2.1-or-later
 The following software have components provided under the terms of this license:

 - Javassist (from http://www.javassist.org/)
- SnakeYAML (from http://www.snakeyaml.org)
+- SnakeYAML (from http://code.google.com/p/snakeyaml/)

 ========================================================================
 LGPL-3.0-only
@@ -249,15 +249,15 @@ MIT
 ========================================================================
 The following software have components provided under the terms of this license:

- Checker Qual (from https://checkerframework.org)
- JOpt Simple (from http://pholser.github.com/jopt-simple)
+- Checker Qual (from )
+- JOpt Simple (from http://jopt-simple.github.io/jopt-simple)
 - JUL to SLF4J bridge (from http://www.slf4j.org)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
+- Lucene Core (from )
 - Mockito (from http://www.mockito.org)
 - Netty/Common (from https://repo1.maven.org/maven2/io/netty/netty-common)
- Project Lombok (from http://projectlombok.org)
+- Project Lombok (from https://projectlombok.org)
 - SLF4J API Module (from http://www.slf4j.org)
- java jwt (from https://github.com/auth0/java-jwt)
+- java jwt (from http://www.jwt.io)

 ========================================================================
 MPL-1.1
@@ -273,36 +273,29 @@ The following software have components provided under the terms of this license:

 - Javassist (from http://www.javassist.org/)

-========================================================================
-SPL-1.0
-========================================================================
-The following software have components provided under the terms of this license:
-
- Checker Qual (from https://checkerframework.org)
-
 ========================================================================
 SunPro
 ========================================================================
 The following software have components provided under the terms of this license:

- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
+- Lucene Core (from )

 ========================================================================
 WTFPL
 ========================================================================
 The following software have components provided under the terms of this license:

- Reflections (from http://github.com/ronmamo/reflections)
+- Reflections (from http://code.google.com/p/reflections/)

 ========================================================================
 public-domain
 ========================================================================
 The following software have components provided under the terms of this license:

- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
+- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from https://www.joda.org/joda-time/)
- Project Lombok (from http://projectlombok.org)
+- Joda-Time (from http://www.joda.org/joda-time/)
+- Project Lombok (from https://projectlombok.org)
 - Spring Web (from https://github.com/spring-projects/spring-framework)

 ========================================================================
@@ -310,8 +303,8 @@ unknown
 ========================================================================
 The following software have components provided under the terms of this license:

- Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
- Checker Qual (from https://checkerframework.org)
+- Byte Buddy (without dependencies) (from )
+- Checker Qual (from )
 - System Rules (from http://stefanbirkner.github.io/system-rules/)


--- a/pom.xml
+++ b/pom.xml
@@ -35,6 +35,7 @@
    <netty-bom.version>4.1.63.Final</netty-bom.version>
    <snakeyaml.version>1.26</snakeyaml.version>
    <commons-codec.version>1.14</commons-codec.version>
+    <log4j2.version>2.15.0</log4j2.version>
  </properties>

  <licenses>
@@ -61,6 +62,17 @@
        <type>pom</type>
        <scope>import</scope>
      </dependency>
+
+      <!--<editor-fold desc="Overriding spring-boot-dependencies. Fix: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">-->
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-bom</artifactId>
+        <version>${log4j2.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <!--</editor-fold>-->
+
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>