In my spring boot application, I'm using log4j2.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
Which is by default picking up version -
<version>2.1.6.RELEASE</version>
This version of log4j2 internally uses log4j:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.11.2</version>
<scope>compile</scope>
</dependency>
Recently it has been announced - log4j has some serious vulnerabilities till version 2.16.
Also no version of log4j2 till now uses safer version - 2.17 of log4j.
So I want to first try to update my pom to use 2.17 version of log4j without changing parent log4j2 version.
I know it might not work & might give compilation issues, but I still want to try it first.
How can I do that?
I would suggest to define log4j via bom file like this:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>2.17.0</version>
<scope>import</scope>
<type>pom</type>
</dependency>
You can use <dependencyManagement>:
<dependencyManagement>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>[2.17.0,)</version>
</dependency>
</dependencyManagement>
This configures the dependency log4j-core (if it exists) to use version 2.17 or later (see Version Range References).
Put the dependencyManagement section next to your dependencies section.
If you navigate to parent pom.xml(s), you will see spring-boot-dependencies-2.x.x.pom and find following dependency definition.
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>${log4j2.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
So, the version can be overriden and just define your version in your pom.xml as follows.
<properties>
<log4j2.version>2.17.0</log4j2.version>
However, this is a specific solution for Log4j2, so I suggest you modify the title putting "Log4j2".
Related
I am using Apache Maven 3.6.3 & Spring boot 1.5 without micro service Architecture. I am working on a task to remediate vulnerable dependencies currently present in the dependency tree of our project. logback-classic is one of those dependencies. I can change the version of top-level dependencies (in top level pom) but I am not able to upgrade its version from 1.11.1 to 1.2.3 for logback-dependency present in spring-boot-starter-web starter used in one of child POM.
I am able to exclude such versions as-
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.2.0.RELEASE</version>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
</exclusions>
</dependency>
However, I am not able to update the version of same dependency present in dependency tree of spring-boot-starter-web starter of one of JAR in project. I tried to provide update of version using < dependencyManagement > tag as-
<project>
......
<dependencyManagement>
<dependencies>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.2.0.RELEASE</version>
<exclusions>
<exclusion>
<groupId>ch.quos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
</exclusions>
</dependency>
........
</dependencies>
......
<project>
Note- In < dependencyManagement >, initially I tried without < type > & < scope > tags as well but anyhow I am only able to exclude vulnerable logback-classic dependency but I can't update this to 1.2.3 inside spring-boot-starter-web present in that particular child pom.
The Library You Mentioned (Logback-classic) Has Many Compatability Problems Reported
As You Can See Here In The Related Issue On Its Repository
I Recommend That You Try Different Version Of Spring (Newer Ones) And Check The Result
Search Around In The Github Issues For Versions And Updates You Might Find Something
I upgraded the elastic search from version 5.5 to 7.7, everything is working as expected.
But when I try to get the Total hits, I get the following error
searchResponse.getHits().getTotalHits()
The type org.apache.lucene.search.TotalHits cannot be resolved. It is indirectly referenced from required .class files
We are not using the lucene library but still, it says it refers to the lucene,
Any help is appreciated to fix this.
Maven pom.xml :
I have only these two Jars,
<dependency>
<groupId>org.elasticsearch.client</groupId>
<artifactId>transport</artifactId>
<version>7.7.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.11.1</version>
</dependency>
Thanks,
Harry
As mentioned this link, you probably need to add the below dependency:
<repository>
<id>elastic-lucene-snapshots</id>
<name>Elastic Lucene Snapshots</name>
<url>https://s3.amazonaws.com/download.elasticsearch.org/lucenesnapshots/00142c9</url>
<releases><enabled>true</enabled></releases>
<snapshots><enabled>false</enabled></snapshots>
</repository>
Also as per this link, you may also need to add Log4j dependency as well:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.11.1</version>
</dependency>
That should do the trick.
Alternatively you can also add the below lucene dependency with the exact version you can see if you just do http://<hostname>:9200, however I suggest the above approach and go as per their documentation.
<!-- https://mvnrepository.com/artifact/org.apache.lucene/lucene-core -->
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-core</artifactId>
<version>8.5.1</version>
</dependency>
Hope that helps!
I'm trying to use google-vision to fetch text from an image (uploaded to AWS S3) and store it in AWS Dynamo DB. I'm encountering dependency conflicts on jackson-core as both google-api and aws-java-sdk are using two different versions.
Dependency Hierarchy
google-api-client: 1.22.0 uses jackson-core: 2.1.3
google-cloud-vision: 0.22.0-beta uses jackson-core: 2.1.3
aws-java-sdk: 1.11.106 uses jackson-core: 2.6.6
I tried "exclusions" and added explicit dependency in pom.xml to use jackson-core: 2.6.6. Google-vision api works fine with that change. However, AmazonDynamoDBClientBuilder fails with below error:
Exception in thread "main" java.lang.IllegalAccessError: tried to access method com.amazonaws.AmazonWebServiceClient.<init>(Lcom/amazonaws/client/AwsSyncClientParams;)V from class com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder
at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder.build(AmazonDynamoDBClientBuilder.java:60)
at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder.build(AmazonDynamoDBClientBuilder.java:26)
at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
at com.oneglint.ImageProcessing.AddItem.main(AddItem.java:133)
Following error is displayed when there was version conflict
Exception in thread "main" java.lang.NoSuchMethodError: com.fasterxml.jackson.core.JsonFactory.requiresPropertyOrdering()Z
at com.fasterxml.jackson.databind.ObjectMapper.<init>(ObjectMapper.java:537)
at com.fasterxml.jackson.databind.ObjectMapper.<init>(ObjectMapper.java:448)
at com.amazonaws.partitions.PartitionsLoader.<clinit>(PartitionsLoader.java:51)
at com.amazonaws.regions.RegionMetadataFactory.create(RegionMetadataFactory.java:30)
at com.amazonaws.regions.RegionUtils.initialize(RegionUtils.java:64)
at com.amazonaws.regions.RegionUtils.getRegionMetadata(RegionUtils.java:52)
at com.amazonaws.regions.RegionUtils.getRegion(RegionUtils.java:105)
at com.amazonaws.client.builder.AwsClientBuilder.withRegion(AwsClientBuilder.java:239)
at com.oneglint.ImageProcessing.AddItem.main(AddItem.java:132)
What am I missing here? Thanks for the help..
BTW, I'm using example code from github to achieve this. Here are the links:
DynamoDB example: https://github.com/awsdocs/aws-doc-sdk-examples/tree/master/java/example_code/dynamodb
Google Vision DetectText example: https://github.com/GoogleCloudPlatform/java-docs-samples/blob/master/vision/cloud-client/src/main/java/com/example/vision/Detect.java
Additional Details
Both the examples are working fine if executed as independent projects. The problem occurs ONLY when both PutItem (AWS) & Detect (google-vision) classes are brought together in a single project, with appropriate code changes.
You can only have one version of jackson-core in your project. The easiest way to fix a version is to use <dependencyManagement> to set a version.
Your main problem is that jackson-core: 2.6.6 is not compatible with AmazonDynamoDBClientBuilder. The usual strategy is to try all versions from 2.1.3 to 2.6.6 until one of them works. If not, you can try to find versions of your amazon and google jars that require the same Jackson-core-version. In any case, this stupid and boring try-and-error.
If you do not come to any working solution, you can try to shade classes with maven-shade-plugin (I have not tried this, probably difficult) or you need to change your project in a way that not both dependencies are required.
After a lot of trial and error approach, the issue is finally solved.
It appears that I added multiple versions of aws-java-sdk jars during the process and an opennlp jar was associated with the project for some other module.
I had removed conflicting versions of aws-java-sdk and unnecessary libraries. Also, removed the exclusions and retained only the dependency addition in <dependencymanagement> for jackson-core.
Dependencies in my final pom listed below:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-bom</artifactId>
<version>1.11.106</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.6.6</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-vision</artifactId>
<version>v1-rev358-1.22.0</version>
</dependency>
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client</artifactId>
<version>1.22.0</version>
<exclusions>
<exclusion> <!-- exclude an old version of Guava -->
<groupId>com.google.guava</groupId>
<artifactId>guava-jdk5</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>20.0</version>
</dependency>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-vision</artifactId>
<version>0.22.0-beta</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-dynamodb</artifactId>
</dependency>
</dependencies>
Hope this helps others..
I have a Maven project which, following a restart, has had a peculiar issue: it reports that there is no version field for one of the dependencies (apache-camel), even though the field is in fact populated. I have checked the pom.xml source, and confirmed that the field is in fact there and populated for all the dependencies. I am uncertain why m2e is saying otherwise. Is this a known issue, and if so, is there a specific fix for it?
The version of the m2e plugin is 1.5.1, and this is the parent POM for the project. Here is the dependencies section of POM file in question:
<dependencies>
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>apache-camel</artifactId>
<type>pom</type>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-parent</artifactId>
<type>pom</type>
<version>1.7.10</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j</artifactId>
<type>pom</type>
<version>2.2</version>
</dependency>
<dependency>
<groupId>org.apache.mina</groupId>
<artifactId>mina-parent</artifactId>
<type>pom</type>
<version>3.0.0-M2</version>
</dependency>
</dependencies>
I had the same problem with m2e saying that the version field was not present.
In my case the version field was not the problem. Actually the problem was, that the dependency was defined twice.
Have you checked if the apache-camel or any other dependency (maybe also from a parent pom) is defined twice?
I have a Java Maven project whose dependencies include slf4j and its log4j adapter.
I manage the versions of log4j, slf4j-log4j12 and slf4j-api to its newest versions according to http://mvnrepository.com and especially the log4j version of 1.2.17 is well over 1.2.12 but I still get the error
SLF4J: This version of SLF4J requires log4j version 1.2.12 or later.
See also http://www.slf4j.org/codes.html#log4j_version
which is totally unclear to me.
My Maven dependency management looks like this:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.jena</groupId>
<artifactId>apache-jena-libs</artifactId>
<type>pom</type>
<version>2.10.0</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.5</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.5</version>
</dependency>
</dependencies>
</dependencyManagement>
How can I get rid of the warning?
P.S.: I also get a java.lang.NoSuchMethodError: org.apache.log4j.Logger.isTraceEnabled().
P.P.S.: Because of your comments I remembered that the program has a "lib" folder which is not included in the classpath by Maven but by Eclipse itself so the conflicting dependencies must lie there. Sorry, I totally forgot that I guess that's my fault for mixing Maven with a lib folder. I guess I must try to convert as much of the libraries to maven dependencies.
The strange thing though is just that even if I edit "Order and Export" to put the Maven dependencies at the top, the problem still occurs.
StaticLoggerBinder code in slf4j-log4j12 which gets loaded very early on performs a check to determine whether the TRACE level is available in log4j. Here is the code:
private StaticLoggerBinder() {
loggerFactory = new Log4jLoggerFactory();
try {
Level level = Level.TRACE;
} catch (NoSuchFieldError nsfe) {
Util.report("This version of SLF4J requires log4j version 1.2.12 or later."+
" See also http://www.slf4j.org/codes.html#log4j_version");
}
}
It seems pretty airtight to me.
It may be that some other dependency is pulling in or actually embeds an earlier version of log4j. Some *-standalone.jar files are known to do that.
Check your class path at deployment time. Are you deploying in an app server? Is an older version of log4j on the server class path? In a java endorsed path?
You should define the <dependency> outside the <dependencyManagement> as the following: -
<dependencyManagement>
<dependencies>
...
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.jena</groupId>
<artifactId>apache-jena-libs</artifactId>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
</dependencies>
Please see Introduction to the Dependency Mechanism: Dependency Management for further information.
I hope this may help.
Changing comment to answer, since it appeared to solve the issue.
This is a classloader problem, maven built it correctly but is missing
for dependencies. Could you try to provide the missing dependencies to
maven? Otherwise I suggest you look in the Eclipse specific
dependencies.