Re: Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"


Hi Yingjie,

OK, I tried for myself. From the initial log lines in the Gremlin Console:

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/tera/lib/janusgraph-full-1.0.0-SNAPSHOT/lib/log4j-slf4j-impl-2.18.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/tera/lib/janusgraph-full-1.0.0-SNAPSHOT/lib/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]

you can see that you alsso have to remove lib/log4j-slf4j-impl-2.18.0.jar

After having done that, you will notice that the hadoop and spark plugins also depend on log4j. You can disable these by
removing the corresponding lines from the ext/plugins.txt file.

It seems the distribution now meets your requirements!

Best wishes,   Marc

Join { to automatically receive all group messages.