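I can see the library org.apache.logging.log4j:log4j-core:2.14.0 in the Gradle dependency tree.
We have not added a log4j version ourselves. This version comes in as a transitive dependency from other JARs or from spring-boot-starter.
How can I override the log4j version in Gradle?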
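First, find out which log4j-related libraries you are actually using, for example with
.\gradlew dependencies --configuration=testRuntimeClasspath | find "log4j"
Then override them with the current version like this (docs), placing it after the dependencies block: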
configurations.all {
    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.17.0'
        force 'org.apache.logging.log4j:log4j-core:2.17.0'
        force 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0'
        force 'org.apache.logging.log4j:log4j-jul:2.17.0'
    }
}
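Depending on the result of the initial check, you may need to add libraries to or remove libraries from this block.
Since you are using Spring Boot, you can also use a Spring Boot-specific feature to set the Log4J version: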
ext['log4j2.version'] = '2.17.0'
gradlew dependencies
see the old version. - Joergi
dependencies {
    constraints {
        implementation('org.apache.logging.log4j:log4j-api') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }
        implementation('org.apache.logging.log4j:log4j-core') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }
        implementation('org.apache.logging.log4j:log4j-slf4j-impl') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }
        implementation('org.apache.logging.log4j:log4j-web') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }
    }
}
I am on macOS and using subprojects:
First I run ./gradlew projects, which lists my subprojects:
Output:
:projects
------------------------------------------------------------
Root project
------------------------------------------------------------
Root project 'test-backend'
+--- Project ':test-suite'
+--- Project ':test-suite-services'
\--- Project ':test-utils'
From that output, we can check the dependencies one by one:
./gradlew test-suite:dependencies | grep "log4j"
./gradlew test-suite-services:dependencies | grep "log4j"
./gradlew test-utils:dependencies | grep "log4j"
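An added example, not part of the original answers: a plain grep for "log4j" also matches lines such as `2.14.0 -> 2.17.0`, where the old version is only the declared one and the version after the arrow is what Gradle resolved. The function below reports only log4j artifacts whose resolved version is below the minimum; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `gradlew dependencies` output on stdin and prints every
# org.apache.logging.log4j artifact whose RESOLVED version is below the minimum
# (default 2.17.0, the version used in the answers above).
# Usage: ./gradlew test-suite:dependencies | log4j_below_min
log4j_below_min() {
    awk -v min="${1:-2.17.0}" '
    # Numeric compare of major.minor.patch; returns 1 when v is older than m.
    function older(v, m,    a, b, i) {
        split(v, a, "."); split(m, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < b[i] + 0) return 1
            if (a[i] + 0 > b[i] + 0) return 0
        }
        return 0
    }
    match($0, /org\.apache\.logging\.log4j:[A-Za-z0-9_.-]+/) {
        coord = substr($0, RSTART, RLENGTH)
        rest  = substr($0, RSTART + RLENGTH)
        # The version after the arrow is the resolved one; without an arrow
        # the declared version is also the resolved version.
        if (rest ~ / -> /) { sub(/^.* -> /, "", rest) } else { sub(/^:/, "", rest) }
        sub(/[ \t].*$/, "", rest)      # drop trailing markers such as (*) or (c)
        if (rest == "") next
        key = coord " " rest
        if (!(key in seen) && older(rest, min)) { seen[key] = 1; print key }
    }'
}

# Constructed sample of dependency-tree output (not taken from a real build).
sample_tree() {
    cat <<'EOF'
+--- org.springframework.boot:spring-boot-starter-log4j2 -> 2.5.6
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.14.0 -> 2.17.0
|    |    +--- org.apache.logging.log4j:log4j-api:2.17.0
|    |    \--- org.apache.logging.log4j:log4j-core:2.17.0
|    +--- org.apache.logging.log4j:log4j-core:2.14.0 -> 2.17.0 (*)
|    \--- org.apache.logging.log4j:log4j-jul:2.14.0
+--- org.apache.logging.log4j:log4j-web -> 2.14.0
\--- org.apache.logging.log4j:log4j-api:{strictly [2.17, 3[; prefer 2.17.0} -> 2.17.0 (c)
EOF
}

# Demo run on the sample: only log4j-jul and log4j-web are still below 2.17.0.
sample_tree | log4j_below_min
```

An empty result for every subproject and configuration means no log4j artifact still resolves below the minimum.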