Log4j vulnerability while using Scala and Spark with sbt
I am working on a scala spark project. I am using below dependencies:
libraryDependencies ++=
Seq(
"org.apache.spark" %% "spark-core" % "2.2.0" ,
"org.apache.spark" %% "spark-sql" % "2.2.0" ,
"org.apache.spark" %% "spark-hive" % "2.2.0"
),
with scalaVersion set to :
ThisBuild / scalaVersion := "2.11.8"
and i am getting below error:
[error] sbt.librarymanagement.ResolveException: unresolved dependency: org.apache.logging.log4j#log4j-api;2.11.1: Resolution failed several times for dependency: org.apache.logging.log4j#log4j-api;2.11.1 {compile=[compile(*), master(*)], runtime=[runtime(*)]}::
[error] typesafe-ivy-releases: unable to get resource for org.apache.logging.log4j#log4j-api;2.11.1: res=https://repo.typesafe.com/typesafe/ivy-releases/org.apache.logging.log4j/log4j-api/2.11.1/ivys/ivy.xml: java.io.IOException: Unexpected response code for CONNECT: 403
[error] sbt-plugin-releases: unable to get resource for org.apache.logging.log4j#log4j-api;2.11.1: res=https://repo.scala-sbt.org/scalasbt/sbt-plugin-releases/org.apache.logging.log4j/log4j-api/2.11.1/ivys/ivy.xml: java.io.IOException: Unexpected response code for CONNECT: 403
Security team has reached out to us to delete the vulnerable log4j-core jar. After which the projects which are using it as transitive dependencies are failing.
Is there a way on just upgrading the log4j version without upgrading scala or spark versions? It should be a way where i can force the compiler to not fetch log4j-core jar of previous version which is vulnerable and in its place can use 2.17.2 version which is not vulnerable.
I have tried :
dependencyOverrides += "org.apache.logging.log4j" % "log4j-core" % "2.17.2"
also i have excludeAll option in sbt with spark dependencies but both solutions didnt worked out for me.
I just made few updates:
Added below settings to my sbt project:
Updated below settings to use a newer version: in build.properties and assembly.sbt respectively
sbt.version=1.6.2
addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "1.1.0")
Added the log4j dependencies on the top so that any transitive dependency now can use a newer version.
Given below is the sample snippet of one of my project:
name := "project name"
version := "0.1"
scalaVersion := "2.11.8"
assemblyJarName in assembly := s"${name.value}-${version.value}.jar"
assemblyShadeRules in assembly := Seq(
ShadeRule.rename("com.google.**" -> "shaded.@1").inAll
)
lazy val root = (project in file(".")).settings(
test in assembly := {}
)
libraryDependencies += "org.apache.logging.log4j" % "log4j-core" % "2.17.2"
libraryDependencies += "org.apache.logging.log4j" % "log4j-api" % "2.17.2"
libraryDependencies += "org.apache.logging.log4j" % "log4j-slf4j-impl" % "2.17.2"
libraryDependencies += "org.apache.spark" %% "spark-sql" % "2.2.0" % "provided"
libraryDependencies += "org.apache.spark" %% "spark-mllib" % "2.2.0" % "provided"
libraryDependencies += "org.scalatest" %% "scalatest" % "3.0.0" % "test"
libraryDependencies += "com.typesafe" % "config" % "1.3.1"
libraryDependencies += "org.scalaj" %% "scalaj-http" % "2.4.0"
Below should be provided only in case of conflicts between dependencies if there are any:
assemblyMergeStrategy in assembly := {
case PathList("META-INF", xs @ _*) => MergeStrategy.discard
case PathList("org", "slf4j", xs@_*) => MergeStrategy.first
case x => MergeStrategy.first
}
- How to convert a java Map to immutable Scala map via java code?
- How to correctly read a CSV file while escaping delimiter comma placed within square brackets using Apache Spark and Scala?
- How to remove an item from a list in Scala having only its index?
- Multiple image operations in a single process with gm4java
- In Scala, how would I update specific items in a Seq using a filter?
- Scala actors as single-threaded queues
- What is the difference between Abstract Data Types and Algebraic Data Types
- How to cancel a future action if another future did failed?
- Manifest and abstract type resolution
- How to keep reference to a created instance of Actor class with Akka?
- Scala: An extension method was tried, but could not be fully constructed (same extension name on multiple classes)
- Doobie - lifting arbitrary effect into ConnectionIO
- Why does Scala not have the concept of checked and unchecked exceptions?
- Trying to create a classic actor from inside of a akka typed application
- How to get a random element from a Set in Scala
- Convert Iterable[Any] to string in scala
- How to create an Instance of a generic class in Scala 3 Metaprogramming
- Removing an element from Seq
- sbt-crossproject publishes jvm project with unexpected name
- Unit Tests Failing when upgrading Flink to 1.18
- Updated scalapb class fails to render old dataframe
- Pattern matching large case classes without referring to unused fields
- Ignoring Certain Scala 2.13 Compiler Options For Build To Succeed
- (De)serialize enum as string in Scala 3
- How to cast an array of struct in a spark dataframe using selectExpr?
- What are the various join types in Spark?
- How to rollback a skunk transaction for integration tests? (missing implicit Origin)
- How do I fix "ambiguous overload" when using Hibernate with Scala?
- Parsing command line arguments as an Array[String] in Scala 3?
- Read a list of s3 data by in scala spark in batches