Re: Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"
hadoopmarc@...
Hi Yingjie,
OK, I tried for myself. From the initial log lines in the Gremlin Console:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/tera/lib/janusgraph-full-1.0.0-SNAPSHOT/lib/log4j-slf4j-impl-2.18.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/tera/lib/janusgraph-full-1.0.0-SNAPSHOT/lib/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
you can see that you also have to remove lib/log4j-slf4j-impl-2.18.0.jar
After having done that, you will notice that the hadoop and spark plugins also depend on log4j. You can disable these by
removing the corresponding lines from the ext/plugins.txt file.
It seems the distribution now meets your requirements!
Best wishes, Marc
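As an added example (not part of Marc's post or of the JanusGraph project), a small POSIX shell audit of a janusgraph-full directory that lists the log4j jars still in lib/, counts jars that provide an SLF4J binding (the cause of the "multiple SLF4J bindings" warning), and shows the hadoop/spark entries left in ext/plugins.txt. The lib/ and ext/plugins.txt layout comes from the post; the sample plugin class names in the demo are constructed.

```shell
#!/bin/sh
# Audit a janusgraph-full distribution directory after manual log4j removal.
# Assumed layout (from the post): DIST/lib/*.jar and DIST/ext/plugins.txt

# Log4j jars still present in DIST/lib (log4j-core, log4j-api, log4j-slf4j-impl, ...).
find_log4j_jars() {
  find "$1/lib" -maxdepth 1 -name 'log4j-*.jar' 2>/dev/null | sort
}

# Jars that each ship an SLF4J StaticLoggerBinder; more than one triggers the warning.
find_slf4j_bindings() {
  find "$1/lib" -maxdepth 1 \( -name 'log4j-slf4j-impl-*.jar' -o -name 'logback-classic-*.jar' \
    -o -name 'slf4j-log4j12-*.jar' -o -name 'slf4j-simple-*.jar' \) 2>/dev/null | sort
}

# Plugin lines in ext/plugins.txt that pull in hadoop or spark (and thus log4j).
find_hadoop_spark_plugins() {
  grep -iE 'hadoop|spark' "$1/ext/plugins.txt" 2>/dev/null || true
}

# Return 0 when nothing log4j-related remains, 1 otherwise (printing what was found).
audit_dist() {
  dist="$1"; status=0
  jars=$(find_log4j_jars "$dist")
  bindings=$(find_slf4j_bindings "$dist" | wc -l | tr -d ' ')
  plugins=$(find_hadoop_spark_plugins "$dist")
  if [ -n "$jars" ]; then
    echo "Log4j jars still in lib/:"; echo "$jars"; status=1
  fi
  if [ "$bindings" -gt 1 ]; then
    echo "Multiple SLF4J binding jars ($bindings) in lib/:"; find_slf4j_bindings "$dist"; status=1
  fi
  if [ -n "$plugins" ]; then
    echo "Plugins in ext/plugins.txt that depend on log4j:"; echo "$plugins"; status=1
  fi
  return $status
}

# Constructed demo tree mirroring the two jars named in the console output above.
demo=$(mktemp -d)
mkdir -p "$demo/lib" "$demo/ext"
touch "$demo/lib/log4j-slf4j-impl-2.18.0.jar" "$demo/lib/logback-classic-1.2.11.jar"
printf '%s\n' org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin \
  org.apache.tinkerpop.gremlin.spark.jsr223.SparkGremlinPlugin > "$demo/ext/plugins.txt"
audit_dist "$demo" || echo "distribution is not yet clean"
rm -rf "$demo"
```

Run it as `audit_dist /path/to/janusgraph-full-0.6.1` after each removal step; a clean tree prints nothing and exits 0.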