As we want to solve (easily) all the log4j / logback vulnerabilities, we tried to add `configurations.all` to our build.gradle.kts:
    configurations.all {
        resolutionStrategy.eachDependency {
            if (requested.group == "org.apache.logging.log4j" && requested.version!! < "2.16.0") {
                useVersion("2.16.0")
                because("To avoid RCE vulnerability.")
            }
            if (requested.group == "ch.qos.logback" && requested.name == "logback-classic" && requested.version!! < "1.2.8") {
                useVersion("1.2.8")
                because("To avoid RCE vulnerability.")
            }
            if (requested.group == "ch.qos.logback" && requested.name == "logback-core" && requested.version!! < "1.2.8") {
                useVersion("1.2.8")
                because("To avoid RCE vulnerability.")
            }
        }
    }
But it only changes logback-core, not logback-classic (if I remove the logback-core rule, it works for logback-classic...).
I feel a little bit stupid now. You have to use `<=` on the versions, not `<`. Then it works as expected:
    configurations.all {
        resolutionStrategy.eachDependency {
            if (requested.group == "org.apache.logging.log4j" && requested.version!! <= "2.16.0") {
                useVersion("2.16.0")
                because("To avoid RCE vulnerability.")
            }
            if (requested.group == "ch.qos.logback" && requested.name == "logback-classic" && requested.version!! <= "1.2.8") {
                useVersion("1.2.8")
                because("To avoid RCE vulnerability.")
            }
            if (requested.group == "ch.qos.logback" && requested.name == "logback-core" && requested.version!! <= "1.2.8") {
                useVersion("1.2.8")
                because("To avoid RCE vulnerability.")
            }
        }
    }
You can even make it simpler:
    configurations.all {
        resolutionStrategy.eachDependency {
            if (requested.group == "org.apache.logging.log4j" && requested.version!! <= "2.16.0") {
                useVersion("2.16.0")
                because("To avoid RCE vulnerability.")
            }
            if (requested.group == "ch.qos.logback" && requested.version!! <= "1.2.8") {
                useVersion("1.2.8")
                because("To avoid RCE vulnerability.")
            }
        }
    }
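The rules above compare `requested.version` as a plain `String`, which is lexicographic: `"2.9.0" <= "2.16.0"` is false because `'9' > '1'`, so a project pulling in log4j 2.9.x would never be upgraded, and the `!!` throws when a dependency's version comes from a BOM or platform (in which case `requested.version` is null). The following is an added example, not code from any of the posts above, showing the same `eachDependency` rule with a segment-wise version comparison and a null-safe version check. It reuses the thresholds from the posts (2.16.0 and 1.2.8) and assumes a Gradle build using the Kotlin DSL; `isOlderThan` and `floors` are names chosen here.

```kotlin
// Added example (not from the original posts). Assumes build.gradle.kts on a
// Gradle version that supports the Kotlin DSL; `isOlderThan` and `floors` are
// illustrative names, not Gradle API.

// Compare dotted version strings segment by segment so that
// "2.9.0" < "2.16.0" holds (a plain String comparison says the opposite).
// Non-numeric segments such as "SNAPSHOT" count as 0.
fun isOlderThan(version: String, minimum: String): Boolean {
    val a = version.split('.', '-').map { it.toIntOrNull() ?: 0 }
    val b = minimum.split('.', '-').map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false // identical versions are not "older"
}

// Minimum acceptable version per group, with the reason recorded in the
// resolution result; the thresholds are the ones used in the posts above.
val floors = mapOf(
    "org.apache.logging.log4j" to ("2.16.0" to "To avoid RCE vulnerability."),
    "ch.qos.logback" to ("1.2.8" to "To avoid RCE vulnerability."),
)

configurations.all {
    resolutionStrategy.eachDependency {
        val (floor, reason) = floors[requested.group] ?: return@eachDependency
        // requested.version is null when the version is supplied by a BOM or
        // platform; skip those instead of throwing as `!!` would.
        val requestedVersion = requested.version ?: return@eachDependency
        if (isOlderThan(requestedVersion, floor)) {
            useVersion(floor)
            because(reason)
        }
    }
}
```

After applying the rule, confirm what actually ended up on the classpath rather than trusting the build script: `./gradlew dependencyInsight --configuration runtimeClasspath --dependency logback-classic` (and the same for `log4j-core`) prints the selected version together with the `because(...)` reason, which is the check that would have shown the `logback-classic` mismatch from the question immediately.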