log4j 漏洞 - Sleuth 依赖
[英]log4j vulnerability - Sleuth dependency
问题描述
We heard that log4j-core.jar is vulnerable.
我们听说log4j-core.jar是易受攻击的。
We noticed that spring-cloud-starter-sleuth (version 2.2.2.RELEASE) dependency brings a dependency which uses log4j-core.jar (version 2.13.0) with provided scope as followed:我们注意到spring-cloud-starter-sleuth sleuth(版本 2.2.2.RELEASE)依赖带来了一个使用log4j-core.jar (版本 2.13.0)的依赖,并provided scope,如下所示:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${log4j.version}</version>
<scope>provided</scope>
</dependency>
The exact jar that brings the log4j dependency is:带来 log4j 依赖关系的确切 jar 是:
<groupId>io.zipkin.brave</groupId>
<artifactId>brave-context-log4j2</artifactId>
<version>5.10.1</version>
We are not using Zipkin in our code or configurations, just Sleuth.我们没有在我们的代码或配置中使用 Zipkin,只是 Sleuth。
Is our code vulnerable?我们的代码易受攻击吗?
1 个解决方案
解决方案1
0 2021-12-13 22:32:22
Spring Cloud Sleuth 2.x is not supported anymore and as M. Deinum mentioned Sleuth will not bring these dependencies for you because of the provided scope. Spring Cloud Sleuth 2.x 不再受支持,正如 M. Deinum 所说,由于provided scope,Sleuth 不会为您带来这些依赖项。 You can test this by running gradlew dependencies or mvn dependency:tree .您可以通过运行gradlew dependencies或mvn dependency:tree来测试它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.