From ff8dc42cce557b940a3546a47a10a0c0c1a34006 Mon Sep 17 00:00:00 2001
From: Nikita Pande <37657012+nikita15p@users.noreply.github.com>
Date: Tue, 13 Aug 2024 19:46:52 +0530
Subject: [PATCH] HBASE-28532 Remove vulnerable dependencies: slf4j-log4j12 and
 log4j:log4j (#142)

Signed-off-by: Duo Zhang <zhangduo@apache.org>
Signed-off-by: Nihal Jain <nihaljain@apache.org>
Reviewed-by: Peng Lu <lupeng_nwpu@qq.com>
---
 hbase-hbck2/pom.xml          | 24 ++++++++++++++++++++++++
 hbase-table-reporter/pom.xml | 14 ++++++++++----
 hbase-tools/pom.xml          | 24 ++++++++++++++++++++++++
 pom.xml                      |  3 ++-
 4 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/hbase-hbck2/pom.xml b/hbase-hbck2/pom.xml
index 3876daddcd..1d572253fe 100644
--- a/hbase-hbck2/pom.xml
+++ b/hbase-hbck2/pom.xml
@@ -68,6 +68,12 @@
       <artifactId>hbase-server</artifactId>
       <version>${hbase.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
@@ -75,6 +81,12 @@
       <version>${hbase.version}</version>
       <type>test-jar</type>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
@@ -82,6 +94,12 @@
       <version>${hbase.version}</version>
       <type>test-jar</type>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
@@ -89,6 +107,12 @@
       <version>${hbase.version}</version>
       <type>test-jar</type>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
diff --git a/hbase-table-reporter/pom.xml b/hbase-table-reporter/pom.xml
index 1cedca723b..64cdfd1e1e 100644
--- a/hbase-table-reporter/pom.xml
+++ b/hbase-table-reporter/pom.xml
@@ -42,17 +42,23 @@
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
-      <version>1.7.25</version>
+      <version>${slf4j.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
-      <version>1.7.25</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-slf4j-impl</artifactId>
+      <version>${log4j2.version}</version>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
       <artifactId>hbase-shaded-client</artifactId>
       <version>${hbase.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.datasketches</groupId>
diff --git a/hbase-tools/pom.xml b/hbase-tools/pom.xml
index 7a803605a9..55ef075bd6 100644
--- a/hbase-tools/pom.xml
+++ b/hbase-tools/pom.xml
@@ -58,12 +58,24 @@
       <artifactId>hbase-server</artifactId>
       <version>${hbase.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
       <artifactId>hbase-shaded-testing-util</artifactId>
       <version>${hbase.version}</version>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
@@ -71,6 +83,12 @@
       <version>${hbase.version}</version>
       <type>test-jar</type>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
@@ -78,6 +96,12 @@
       <version>${hbase.version}</version>
       <type>test-jar</type>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hbase</groupId>
diff --git a/pom.xml b/pom.xml
index 3e05590ee5..3ec62435b0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,7 +129,8 @@
     <spotless.version>2.27.2</spotless.version>
     <hbase.version>2.4.4</hbase.version>
     <hbase-thirdparty.version>2.2.1</hbase-thirdparty.version>
-    <log4j2.version>2.17.1</log4j2.version>
+    <log4j2.version>2.17.2</log4j2.version>
+    <slf4j.version>1.7.33</slf4j.version>
     <surefire.provider>surefire-junit47</surefire.provider>
     <test.output.tofile>true</test.output.tofile>
     <checkstyle.version>8.45.1</checkstyle.version>