How to remove log4j from a recursive dependency?

I was trying to remove the log4j dependency from my project, which is a huge repository. After having a close look at the gradle files I found that one of the modules refers to the log4j dependency, which I excluded in gradle as shown in the code below - exclude group: 'log4j', module: 'log4j'

client {
    exclude group: 'org.slf4j', module: 'slf4j-log4j12'
    exclude group: 'log4j', module: 'log4j'
    exclude group: 'org.mortbay.jetty'
}

After this, I ran a search for the log4j jar, and it was not found in the entire repository; this is the search result in the repository -

gunwant@devbox:bdp$ find ./ -regex ".*log4j.*\.jar"
./resources/spark/client-lib/apache-log4j-extras-1.2.17.jar
./resources/cassandra/lib/log4j-over-slf4j-1.7.25.jar
./resources/graph-server/lib/apache-log4j-extras-1.2.17.jar
./resources/log4j-appender/lib/cassandra-log4j-appender-3.1.0.jar
./dse-db/lib/log4j-over-slf4j-1.7.25.jar

But the FOSSA security report on Jenkins shows a log4j vulnerability.


This is where I got stuck. I looked again in the repository by running "gradle allDeps", which listed all the dependencies, and I found a recursive dependency in the hadoop module -

|    |    +--- org.apache.hadoop:hadoop-auth:2.7.1.4
|    |    |    +--- org.slf4j:slf4j-api:1.7.10 -> 1.7.25
|    |    |    +--- commons-codec:commons-codec:1.4 -> 1.15
|    |    |    +--- log4j:log4j:1.2.17
|    |    |    +--- org.apache.httpcomponents:httpclient:4.4.1 -> 4.5.9 (*)
|    |    |    +--- org.apache.directory.server:apacheds-kerberos-codec:2.0.0-M15 -> 2.0.0-M24
|    |    |    |    +--- org.apache.directory.server:apacheds-i18n:2.0.0-M24
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25
|    |    |    |    +--- org.apache.directory.api:api-asn1-api:1.0.0 -> 1.0.3 (*)
|    |    |    |    +--- org.apache.directory.api:api-asn1-ber:1.0.0 -> 1.0.3 (*)
|    |    |    |    +--- org.apache.directory.api:api-i18n:1.0.0 -> 1.0.3
|    |    |    |    +--- org.apache.directory.api:api-ldap-model:1.0.0 -> 1.0.3 (*)
|    |    |    |    +--- org.apache.directory.api:api-util:1.0.0 -> 1.0.3 (*)
|    |    |    |    +--- net.sf.ehcache:ehcache:2.10.4
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.7.25
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25
|    |    |    +--- org.apache.zookeeper:zookeeper:3.4.6

and in zookeeper as well -

|    |    |    +--- org.apache.zookeeper:zookeeper:3.4.6
|    |    |    |    +--- org.slf4j:slf4j-api:1.6.1 -> 1.7.25
|    |    |    |    +--- log4j:log4j:1.2.16 -> 1.2.17
|    |    |    |    +--- jline:jline:0.9.94 -> 2.14.6
|    |    |    |    \--- io.netty:netty:3.7.0.Final

My first question is: how come FOSSA is reporting log4j as a vulnerability even though the log4j jar file is not physically present in the repo? I know that FOSSA scans for recursive dependencies.

My second question is: how can we exclude log4j from the org.apache.hadoop and org.apache.zookeeper recursive dependencies?

I am sure someone must have solved this issue earlier.


Solution 1:

I would use the below, but also make sure you add the correct slf4j library to replace the interface, i.e. log4j-over-slf4j.

project.configurations {
    // all* applies the exclusion to every configuration, so transitive
    // log4j pulled in by hadoop-auth / zookeeper is dropped as well
    all*.exclude group: 'commons-logging', module: 'commons-logging'
    all*.exclude group: 'log4j', module: 'log4j'
    all*.exclude group: 'org.slf4j', module: 'slf4j-log4j12'
}
project.dependencies {
    // bridges so code written against the log4j / JCL APIs logs through SLF4J
    implementation "org.slf4j:slf4j-api"
    implementation 'org.slf4j:jcl-over-slf4j'
    implementation 'org.slf4j:log4j-over-slf4j'
}