fix: use 2.16.0 log4j version and ban all 2.x versions which are < 2.16.0 (#3382)

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly: - [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/java-bigtable-hbase/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea - [ ] Ensure the tests and linter pass - [ ] Code coverage does not decrease (if any source code was changed) - [ ] Appropriate docs were updated (if necessary) Fixes #<issue_number_goes_here> ☕️

Author: mutianf

bigtable-dataflow-parent/bigtable-beam-import/pom.xml

@@ -169,6 +169,11 @@ limitations under the License.
  <artifactId>slf4j-api</artifactId>
  <version>${slf4j.version}</version>
  </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+ <version>${log4j2.version}</version>
+ </dependency>
  <!-- https://mvnrepository.com/artifact/com.google.cloud.bigdataoss/gcs-connector -->
  <dependency>
  <groupId>com.google.cloud.bigdataoss</groupId>
@@ -398,6 +403,10 @@ limitations under the License.
  <usedDependency>org.apache.beam:beam-runners-direct-java
  </usedDependency>
  </usedDependencies>
+ <ignoredUnusedDeclaredDependencies>
+ <!-- log4j-api dependency is added to enforce log4j versions with CVE fixes -->
+ <ignoredUnusedDeclaredDependency>org.apache.logging.log4j:log4j-api</ignoredUnusedDeclaredDependency>
+ </ignoredUnusedDeclaredDependencies>
  </configuration>
  </plugin>
 

bigtable-dataflow-parent/bigtable-hbase-beam/pom.xml

@@ -82,7 +82,11 @@ limitations under the License.
  <artifactId>slf4j-api</artifactId>
  <version>${slf4j.version}</version>
  </dependency>
-
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+ <version>${log4j2.version}</version>
+ </dependency>
  <!-- TODO: remove this dependency when upgraded through transitive dependency (beam-sdks-java-core)
  this is not used directly, but upgrading due to transitive vulnerabilities in older versions-->
  <dependency>
@@ -247,6 +251,10 @@ limitations under the License.
  org.apache.beam:beam-sdks-java-io-hbase
  </usedDependency>
  </usedDependencies>
+ <ignoredUnusedDeclaredDependencies>
+ <!-- log4j-api dependency is added to enforce log4j versions with CVE fixes -->
+ <ignoredUnusedDeclaredDependency>org.apache.logging.log4j:log4j-api</ignoredUnusedDeclaredDependency>
+ </ignoredUnusedDeclaredDependencies>
  </configuration>
  </plugin>
  </plugins>

pom.xml

@@ -62,6 +62,7 @@ limitations under the License.
  <slf4j.version>1.7.25</slf4j.version>
  <commons-logging.version>1.2</commons-logging.version>
  <jsr305.version>3.0.2</jsr305.version>
+ <log4j2.version>2.16.0</log4j2.version>
 
  <!-- hbase dependency versions -->
  <hbase.version.1>1.4.12</hbase.version.1>
@@ -262,6 +263,28 @@ limitations under the License.
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-enforcer-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>enforce-banned-deps</id>
+ <goals>
+ <goal>enforce</goal>
+ </goals>
+ <configuration>
+ <rules>
+ <!-- ban all log4j 2.x deps with CVEs -->
+ <bannedDependencies>
+ <excludes>
+ <exclude>org.apache.logging.log4j:*:[2.0-alpha1,2.15.0]</exclude>
+ </excludes>
+ </bannedDependencies>
+ </rules>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
  </plugins>
  </build>
 </project>