We are using spring boot 2.1.5 and starter parent as pom dependency.
Spring boot is using default logback for logging and we haven't explicitly switched to Log4j2 or changes any configurations. Below is our project dependency tree.
We have lot of lombok #log4j2 annotations in our project. But, we find in dependency tree we do not have any log4j2-core jar dependency (that has been found vulnerable to recent issues with log4j).
#Log4j2
#Service
#DependsOn("applicationDependencyCheck")
Is lombok #log4j2 not dependent on log4j2-core.jar. Is it correct to assume this would show up in maven dependency tree or are we missing something.
This is our lombok entry -
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
Please share some insights.
thanks
In lombok documentation you can find it here https://projectlombok.org/api/lombok/extern/log4j/Log4j2.html
#Log4j2 public class LogExample { }
will generate:
public class LogExample {
private static final org.apache.logging.log4j.Logger log = org.apache.logging.log4j.LogManager.getLogger(LogExample.class); }
Both classes are present in log4j API jar
https://logging.apache.org/log4j/2.x/log4j-api/apidocs/org/apache/logging/log4j/LogManager.html
https://logging.apache.org/log4j/2.x/log4j-api/apidocs/org/apache/logging/log4j/Logger.html
There are no known vulnerabilities listed here https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api
As described here https://logging.apache.org/log4j/2.x/log4j-api/index.html log4j api is just an interface.
I think in such case your code does not depend on log4j core. You can double check the output of build (e.g. maven /target folder, war file etc)
Definitely #Mariusz W.'s answer is the best.
Despite that, I notice your print shows dependency from logback-core-1.2.3 [1], which has the CVE-2021-42550 vulnerability [2].
Keep an eye on that.
Related
I've read that I should not open an issue on github so I ask here. I've digged into the code and for example spring-boot-actuator-autoconfigure doesn't define the #Configuration\#AutoConfiguration classes inside META-INF/spring.factories follow the content of the file:
org.springframework.boot.diagnostics.FailureAnalyzer=\
org.springframework.boot.actuate.autoconfigure.metrics.ValidationFailureAnalyzer
I've checked and ValidationFailureAnalyzer is not even annotated with #Configuration\#AutoConfiguration. Then I see the file META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports declaring all the classes #AutoConfiguration follow a little extraction of the file:
org.springframework.boot.actuate.autoconfigure.amqp.RabbitHealthContributorAutoConfiguration
org.springframework.boot.actuate.autoconfigure.audit.AuditAutoConfiguration
org.springframework.boot.actuate.autoconfigure.audit.AuditEventsEndpointAutoConfiguration
org.springframework.boot.actuate.autoconfigure.availability.AvailabilityHealthContributorAutoConfiguration
...
all these classes are annotated with #AutoConfiguration. So far so good If we read the docs they say that:
Spring Boot checks for the presence of a META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports file within your published jar.
Indeed if we import:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<version>2.7.3</version>
</dependency>
everything works just fine. I'm not skilled with gradle but I don't see any special dependecy in spring-boot-actuator-starter or spring-boot-actuator-autoconfigure.
Searching on google I've found a discussion here where they say:
In Spring Boot v. 2.7 auto-configuration registration is moved from spring.factories to a new file named META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports.
Each line contains the fully qualified name of the auto-configuration.
For backwards compatibility, entries in spring.factories will still be honored.
But honestly I've tryed to move the configuration classes in the new file but the configuration class is not loaded. I've writed an example here.
My org.springframework.boot.autoconfigure.AutoConfiguration.imports file:
com.example.springbootstarterexample.configuration.Config
If I move to the old configuration spring.factries everything works fine.
My #AutoConfiguration class:
#AutoConfiguration(after = JpaRepositoriesAutoConfiguration.class)
//#AutoConfigureAfter(JpaRepositoriesAutoConfiguration.class)
#EnableJpaRepositories(basePackages = "com.example.springbootstarterexample.repository")
#Import({SomeServiceImpl.class, SomeEntityController.class})
public class ExampleAutoConfiguration {
}
am I doing something wrong? why the spring-boot-starter-actuator works and my spring-boot-starter-example dosn't?
Your file is called org.springframework.boot.autoconfigure.AutoConfiguration.import,
and must be org.springframework.boot.autoconfigure.AutoConfiguration.imports (notice the extra s) at the end.
I upgraded my app from spring boot 1.5.9.RELEASE to 2.0.0.RELEASE, and I can no longer import org.springframework.boot.context.embedded.LocalServerPort. I was using this to inject the port the server is running on during a test:
public class Task1Test {
#LocalServerPort
private int port;
The Spring release notes do not mention this removal and #LocalServerPort was not deprecated.
Is there an equivalent in Spring Boot 2.0 that I can use?
Edit: I'm pretty sure that the class is gone. I'm getting these compilation errors:
[ERROR] ... Task1Test.java:[12,49]package org.springframework.boot.context.embedded does not exist
[ERROR] ... Task1Test.java:[46,6] cannot find symbol
symbol: class LocalServerPort
It looks like it was moved to org.springframework.boot.web.server.LocalServerPort without notice. Hope that helps.
It seems it's been moved to spring-boot-starter-web dependency as per this API documentation.
Try adding this maven dependency to see if that fixes it
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.0.0.RELEASE</version>
</dependency>
#LocalServerPort is now in
org.springframework.boot.test.web.server.LocalServerPort
Update your imports in the test code.
Relevant link to the Spring boot docs here
https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/test/web/server/LocalServerPort.html
the change is notified here
https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/web/server/LocalServerPort.html
Note that if you are using the Spring Boot Getting Started guides, the guides are still using the old namespace and hence you will see a build error without an option to fix. You will need to update this manually.
I have this class...
#RestController
#RequestMapping("message")
#AllArgsConstructor(onConstructor = #__(#Autowired))
public class MessageController {
...
}
I have the following dependency in my pom.xml
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.16.10</version>
<scope>provided</scope>
</dependency>
The class has two variables that I'm trying to inject via the constructor, and I'm getting this error on the #AllArgsConstructor line.
"__ cannot be resolved to a type"
Any help is appreciated.
Well, let's assume you're using Eclipse...
As described in lombok documentation, you must install lombok as java agent in your Eclipse:
Eclipse and variants
Run lombok.jar as a java app (i.e. doubleclick
it, usually) to install. Also add lombok.jar to your project.
Supported variants: Springsource Tool Suite, JBoss Developer Studio
If not, take a look at lombok documentation page for instructions for another IDEs .
Hope it helps.
I am working on a simple project as a point of reference for new projects or to try new technologies. The project has Hibernate & Spring capabilities.
I tried to add some anotations for validate fields. Those are the validation which I am using
import javax.validation.constraints.Digits;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;
The problem is that I need javax.validation dependecy and There are a lot of jars which includes those clases but none of Spring or Hibernate.
Which one is the standard?
Note: I check the dependency in the big project and I am using the validation-api
Try the library "Apache Geronimo JSR-303 Bean Validation Spec API", the jar is "geronimo-validation_1.0_spec-1.0-CR5.jar".
Look at this link :
http://www.findjar.com/jar/org/apache/geronimo/specs/geronimo-validation_1.0_spec/1.0-CR5/geronimo-validation_1.0_spec-1.0-CR5.jar.html
Here is maven part to add it :
http://mvnrepository.com/artifact/org.apache.geronimo.specs/geronimo-validation_1.0_spec/1.0-CR5
Use
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.1.0.Final</version>
</dependency>
or
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.0.0.GA</version>
</dependency>
depending on which version of the API you want to use. Note that the API is not enough, of course you also need an implementation (if you don't deploy your application in an Java EE application server). The implementation usually has a transitive dependency on the correct API jar.
We use ivy to manage a multi project java application, and recently this error started showing up when we do builds. What's causing this?
This was fixed by adding the following line to the end of the dependencies section in ivy.xml:
<dependencies>
<exclude module="log4j-over-slf4j" />
</dependencies>
Why was it an issue?
Looks like the log4j bridge for sjf4j has an incomplete implementation
This url explains it in more detail.
It looks like the log4j bridge does not implement the full interface for log4j . If you are still using direct log4j calls, you will need both the slf4j bridge jar and the log4j jar
In your case it looks like you excluded the bridge jar, so all slf4j calls go directly to log4j instead of the bridge.
If your code invokes log4j through the xml file , this will work. However if your code programatically invokes log4j initialization this bridge is not going to work
I know this is a very old question but I wanted to share what worked out fine for me. If you have different artifacts of slf4j-log4j* for two projects that are interdependent on each other, for example spring data jpa and spring MVC, this happens. Keep it consistent or even better have a parent pom. In my case I had slf4j-log4j12 on my spring data jpa project and slf4j-log4j13 on my spring MVC one.
Comment this dependency from the pom.xml
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j13</artifactId>
<version>
</dependency>
And add (or keep) the following one:
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.12</version>
</dependency>
Wherever you see a compile time error regarding Log4j, add the following import:
import org.apache.log4j.Logger;