log4j vulnerability - Sleuth dependency
We heard that log4j-core.jar is vulnerable.
We noticed that the spring-cloud-starter-sleuth (version 2.2.2.RELEASE) dependency brings in a dependency which uses log4j-core.jar (version 2.13.0) with provided scope, as follows:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${log4j.version}</version>
<scope>provided</scope>
</dependency>
The exact jar that brings the log4j dependency is:
<groupId>io.zipkin.brave</groupId>
<artifactId>brave-context-log4j2</artifactId>
<version>5.10.1</version>
We are not using Zipkin in our code or configurations, just Sleuth.
Is our code vulnerable?
Spring Cloud Sleuth 2.x is not supported anymore and, as M. Deinum mentioned, Sleuth will not bring these dependencies for you because of the provided scope. You can test this by running gradlew dependencies or mvn dependency:tree.
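As an added example (not part of the answer above, and not code from Sleuth or Maven): a small checker that parses the text output of mvn dependency:tree and reports log4j-core entries that would actually be shipped with the application (compile or runtime scope) and are older than a patched version you supply. The two sample trees and the threshold version are constructed for illustration; take the real minimum version from the Apache Log4j security page.

```python
import re
from dataclasses import dataclass

SCOPES = {"compile", "runtime", "provided", "test", "system"}
# Only these scopes end up in the deployable artifact; provided/test jars do not.
PACKAGED_SCOPES = {"compile", "runtime"}

# Constructed samples of `mvn dependency:tree` output (not taken from the question).
SAMPLE_TREE_PROVIDED = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-starter-sleuth:jar:2.2.2.RELEASE:compile
[INFO] |  \- io.zipkin.brave:brave-context-log4j2:jar:5.10.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.13.0:provided
"""
SAMPLE_TREE_COMPILE = SAMPLE_TREE_PROVIDED.replace("2.13.0:provided", "2.13.0:compile")

@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 0 = the project itself, 1 = direct dependency, ...

# "[INFO]" + tree-drawing prefix (| + \ - and spaces) + Maven coordinates.
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<tree>[|+\\\-\s]*?)(?P<coords>[\w.\-]+:[\w.\-]+:\S+)$")

def parse_tree(text):
    """Parse dependency:tree lines; skips banners, plugin lines and the root project."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("tree"):
            continue
        parts = m.group("coords").split(":")  # group:artifact:type[:classifier]:version:scope
        has_scope = parts[-1] in SCOPES
        scope = parts[-1] if has_scope else "compile"
        version = parts[-2] if has_scope else parts[-1]
        deps.append(Dep(parts[0], parts[1], version, scope, len(m.group("tree")) // 3))
    return deps

def version_tuple(v):
    """Numeric-aware ordering: 2.13.0 < 2.15.0; qualifiers like RELEASE count as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in re.split(r"[.\-]", v))

def packaged_log4j_core(text, fixed_version):
    """log4j-core entries that would be shipped and are older than fixed_version."""
    return [d for d in parse_tree(text)
            if d.group == "org.apache.logging.log4j" and d.artifact == "log4j-core"
            and d.scope in PACKAGED_SCOPES
            and version_tuple(d.version) < version_tuple(fixed_version)]

if __name__ == "__main__":
    FIXED_VERSION = "2.15.0"  # illustrative threshold only; use the current advisory value
    for name, tree in (("provided", SAMPLE_TREE_PROVIDED), ("compile", SAMPLE_TREE_COMPILE)):
        print(name, "->", packaged_log4j_core(tree, FIXED_VERSION) or "nothing packaged")
```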