This is an automated email from the ASF dual-hosted git repository.

yuqi1129 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new b433b20c8a [#10457][followup]fix(deps): Exclude log4j 1.x globally 
(CVE-2020-9493) (#11506)
b433b20c8a is described below

commit b433b20c8aadd4946523b221c9c031f604cab8cd
Author: Bharath Krishna <[email protected]>
AuthorDate: Tue Jun 9 18:25:04 2026 -0700

    [#10457][followup]fix(deps): Exclude log4j 1.x globally (CVE-2020-9493) 
(#11506)
    
    ### What changes were proposed in this pull request?
    
    Add a global `exclude(group = "log4j", module = "log4j")` in the root
    `configurations.all` block to prevent the vulnerable Log4j 1.x artifact
    from being resolved anywhere in the project.
    
    ### Why are the changes needed?
    
    Hive 2.3.9 and Hadoop 2.10.2 transitively pull in `log4j:log4j:1.2.17`,
    which is vulnerable to
    [CVE-2020-9493](https://nvd.nist.gov/vuln/detail/CVE-2020-9493).
    
    The safe `log4j-1.2-api` bridge from Log4j 2.x is already included in
    the log4j bundle (`libs.versions.toml`), so this exclusion does not
    break any logging functionality. No source files in the project import
    `org.apache.log4j`.
    
    PR #10465 already excludes `log4j` from `hive-metastore2-libs` and
    `hive-metastore3-libs`, but `log4j:log4j:1.2.17` is still resolved as a
    transitive **test** dependency in `catalog-hive` and
    `catalog-lakehouse-paimon` (via Hadoop's `slf4j-log4j12` →
    `log4j:log4j`). It does not end up in the distribution package, but it
    does get downloaded to `~/.gradle/caches/` during builds, triggering
    vulnerability scanners on developer machines.
    
    This global exclusion provides defense-in-depth: it removes the
    vulnerable JAR from all configurations (including test) and prevents
    future modules from accidentally pulling it in.
    
    Followup to #10465.
    
    ### Does this PR introduce _any_ user-facing change?
    
    No. This only removes a vulnerable transitive dependency that is already
    replaced by the `log4j-1.2-api` bridge.
    
    ### How was this patch tested?
    
    1. Verified `./gradlew :catalogs:hive-metastore-common:compileJava
    :catalogs:hive-metastore2-libs:compileJava
    :catalogs:hive-metastore3-libs:compileJava
    :catalogs:catalog-hive:compileJava` passes (BUILD SUCCESSFUL).
    2. Confirmed `log4j:log4j` no longer appears in the dependency tree.
    3. Confirmed zero source imports of `org.apache.log4j` across the entire
    project.
---
 build.gradle.kts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/build.gradle.kts b/build.gradle.kts
index 91cc57796d..26fd64bd1e 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -342,6 +342,10 @@ subprojects {
   configurations.all {
     
resolutionStrategy.force("commons-beanutils:commons-beanutils:$commonsBeanutilsVersion")
     
resolutionStrategy.force("org.xerial.snappy:snappy-java:$snappyJavaVersion")
+
+    // Exclude log4j 1.x (CVE-2020-9493, CVSS 9.8) pulled transitively by Hive 
and Hadoop.
+    // The safe log4j-1.2-api bridge from Log4j 2.x is already included in the 
log4j bundle.
+    exclude(group = "log4j", module = "log4j")
   }
 
   repositories {

Reply via email to