diff --git a/metadata-dao-impl/kafka-producer/build.gradle b/metadata-dao-impl/kafka-producer/build.gradle index d2577159f17ddd..9c29164e6c1340 100644 --- a/metadata-dao-impl/kafka-producer/build.gradle +++ b/metadata-dao-impl/kafka-producer/build.gradle @@ -15,4 +15,13 @@ dependencies { annotationProcessor externalDependency.lombok testCompile externalDependency.mockito + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } \ No newline at end of file diff --git a/metadata-events/mxe-registration/build.gradle b/metadata-events/mxe-registration/build.gradle index 9160bbeb294126..c6d9bafc2372f0 100644 --- a/metadata-events/mxe-registration/build.gradle +++ b/metadata-events/mxe-registration/build.gradle @@ -13,6 +13,15 @@ dependencies { testCompile project(':metadata-testing:metadata-test-utils') avroOriginal project(path: ':metadata-models', configuration: 'avroSchema') + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } // copy original MXE avro schema from metadata-models to resources diff --git a/metadata-events/mxe-utils-avro-1.7/build.gradle b/metadata-events/mxe-utils-avro-1.7/build.gradle index 80f37a4ddfad3d..0352700b630f3a 100644 --- a/metadata-events/mxe-utils-avro-1.7/build.gradle +++ b/metadata-events/mxe-utils-avro-1.7/build.gradle @@ -7,6 +7,15 @@ dependencies { testCompile externalDependency.gmaDaoApi testCompile project(':metadata-testing:metadata-test-utils') + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } // copy original MXE avro schema from metadata-events to resources diff --git a/metadata-ingestion-examples/common/build.gradle b/metadata-ingestion-examples/common/build.gradle index 7f59e1384b2293..d31f75d607f8e3 100644 --- a/metadata-ingestion-examples/common/build.gradle +++ b/metadata-ingestion-examples/common/build.gradle @@ -17,4 +17,13 @@ dependencies { annotationProcessor externalDependency.lombok runtime externalDependency.logbackClassic + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } diff --git a/metadata-ingestion-examples/kafka-etl/build.gradle b/metadata-ingestion-examples/kafka-etl/build.gradle index 63ad976ca0c408..c00cabb9fbf746 100644 --- a/metadata-ingestion-examples/kafka-etl/build.gradle +++ b/metadata-ingestion-examples/kafka-etl/build.gradle @@ -20,6 +20,15 @@ dependencies { annotationProcessor externalDependency.lombok runtime externalDependency.logbackClassic + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } bootJar { diff --git a/metadata-ingestion-examples/mce-cli/build.gradle b/metadata-ingestion-examples/mce-cli/build.gradle index abab1e51b673e3..f384afe747363d 100644 --- a/metadata-ingestion-examples/mce-cli/build.gradle +++ b/metadata-ingestion-examples/mce-cli/build.gradle @@ -26,6 +26,16 @@ dependencies { annotationProcessor externalDependency.lombok annotationProcessor externalDependency.picocli + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } + } bootJar { diff --git a/metadata-io/build.gradle b/metadata-io/build.gradle index d0605353d69f17..39b193b6c2da81 100644 --- a/metadata-io/build.gradle +++ b/metadata-io/build.gradle @@ -45,6 +45,15 @@ dependencies { testCompile project(':test-models') testAnnotationProcessor externalDependency.lombok + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } test { diff --git a/metadata-service/restli-servlet-impl/build.gradle b/metadata-service/restli-servlet-impl/build.gradle index 90835b258c0047..512ca3e51bfa05 100644 --- a/metadata-service/restli-servlet-impl/build.gradle +++ b/metadata-service/restli-servlet-impl/build.gradle @@ -23,6 +23,15 @@ configurations { } dependencies { + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } + compile project(':metadata-service:restli-api') compile project(path: ':metadata-service:restli-api', configuration: 'dataTemplate') compile project(':li-utils') diff --git a/metadata-testing/metadata-models-test-utils/build.gradle b/metadata-testing/metadata-models-test-utils/build.gradle index 5ea742a61ef5e9..7ea27afddb67e9 100644 --- a/metadata-testing/metadata-models-test-utils/build.gradle +++ b/metadata-testing/metadata-models-test-utils/build.gradle @@ -10,4 +10,13 @@ dependencies { compile externalDependency.jacksonDataBind compile externalDependency.lombok compile externalDependency.neo4jHarness + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } diff --git a/metadata-testing/metadata-test-utils/build.gradle b/metadata-testing/metadata-test-utils/build.gradle index c47b015d04dfc2..f337f1016647dd 100644 --- a/metadata-testing/metadata-test-utils/build.gradle +++ b/metadata-testing/metadata-test-utils/build.gradle @@ -9,4 +9,13 @@ dependencies { compile externalDependency.jacksonDataBind compile externalDependency.lombok compile externalDependency.neo4jHarness + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } } diff --git a/metadata-utils/build.gradle b/metadata-utils/build.gradle index 7fff6d930afc30..2f6566aef677ba 100644 --- a/metadata-utils/build.gradle +++ b/metadata-utils/build.gradle @@ -26,4 +26,14 @@ dependencies { testCompile project(':test-models') testCompile project(':metadata-testing:metadata-test-utils') + + constraints { + implementation("org.apache.logging.log4j:log4j-core:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + implementation("org.apache.logging.log4j:log4j-api:2.15.0") { + because("previous versions are vulnerable to CVE-2021-44228") + } + } + } \ No newline at end of file