Yicong-Huang opened a new pull request, #6199: URL: https://github.com/apache/texera/pull/6199
### What changes were proposed in this PR? `log4j:log4j` 1.2.17 is pulled in transitively by Hadoop/ZooKeeper (declared in `common/workflow-core` and `amber`) and shipped in the dists of amber, computing-unit-managing-service, file-service, and workflow-compiling-service. log4j 1.x is EOL — none of its open CVEs have a fixed 1.x release; the remediation is moving to log4j 2.x. Since the 2.x line lives under a different Maven coordinate (`org.apache.logging.log4j`), a plain version bump isn't possible. This PR follows the Apache log4j migration path: | Before | After | | --- | --- | | `log4j:log4j` 1.2.17 | excluded build-wide (`ThisBuild / excludeDependencies`, root `build.sbt`) | | — | `log4j-1.2-api` 2.26.1 + `log4j-to-slf4j` 2.26.1 in `common/workflow-core` | The bridges keep Hadoop/ZooKeeper's `org.apache.log4j` API calls working, routing them through the log4j 2 API into slf4j and on to logback (the existing Dropwizard logging backend). All affected services inherit the bridges through `workflow-core`. ### Any related issues, documentation, discussions? Resolves the six open Dependabot security alerts on `log4j:log4j`: | Alert | CVE | Severity | | --- | --- | --- | | [#726](https://github.com/apache/texera/security/dependabot/726) | CVE-2023-26464 | high | | [#670](https://github.com/apache/texera/security/dependabot/670) | CVE-2019-17571 | critical | | [#663](https://github.com/apache/texera/security/dependabot/663) | CVE-2022-23307 | critical | | [#650](https://github.com/apache/texera/security/dependabot/650) | CVE-2022-23305 | critical | | [#649](https://github.com/apache/texera/security/dependabot/649) | CVE-2022-23302 | high | | [#648](https://github.com/apache/texera/security/dependabot/648) | CVE-2021-4104 | high | ### How was this PR tested? Dependency-only change; existing CI compile/test stacks cover it. Verified resolution locally: ``` sbt --batch "show WorkflowCore/Runtime/externalDependencyClasspath" \ "show WorkflowExecutionService/Runtime/externalDependencyClasspath" ``` - `log4j-1.2.17.jar` no longer appears on any resolved classpath. - `log4j-1.2-api-2.26.1.jar`, `log4j-api-2.26.1.jar`, `log4j-to-slf4j-2.26.1.jar` are resolved. ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Code (Claude Fable 5) 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
