Aggarwal-Raghav commented on code in PR #5172:
URL: https://github.com/apache/hive/pull/5172#discussion_r1641639410
##########
beeline/pom.xml:
##########
@@ -276,6 +276,11 @@
<artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
<version>2.1</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+ <version>${log4j2.version}</version>
+ </dependency>
Review Comment:
Hi @zabetak, you are correct, I want to exclude log4j 2 versions lower than
X.
I tried modifying the enforcement rules to prevent log4j-core less than
2.17.1 (based on
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core) like
this
`<exclude>org.apache.logging.log4j:log4j-core:(,2.17.1)</exclude>`
But there are few problems:
1. Druid-handler still requires log4j 2.8.2 (coming transitively from
druid-server).
2. Even with the enforcement rule, the log4j-core 2.1 coming in beeline
(attached in previous comment snapshot) is not getting captured with this and
still passing. It seems the rule are enforced on maven dependency tree output
and as this beeline log4j-core is not present in dependency tree, it is getting
enforced.
What's next:
1. I can remove this beeline change and update the PR. Then I think the
scope of the PR and work done in PR is aligned for log4j:log4j
2. In description explicitly mention only this beeline pom change.
Let me know if you have any better way to resolve this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
