Last week CVE-2021-44228 (CVE stands for Common Vulnerabilities and Exposures), a remote code execution (RCE) vulnerability in the Apache Log4J logging library, was reported.
Log4J is a popular open-source logging library used by many projects across the tech space.

Patching and mitigation techniques are already covered in many blogs and websites.

Recently I learned about banned dependencies from @gunnarmorling's tweet. Maven's enforcer plugin can ban certain dependencies using rules.

    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.0.0</version>
      <executions>
        <execution>
          <id>ban-vulnerable-log4j2-versions</id>
          <phase>validate</phase>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- any log4j-core version below 2.15.0 fails the build -->
                  <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
                </excludes>
                <message>Maven error because -> log4j is vulnerable to remote code execution</message>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>

Here the <bannedDependencies> rule fails the build if any log4j-core dependency whose version is not 2.15.0 or greater is resolved. searchTransitive defaults to true, so the rule is also checked against transitive dependencies, not just the ones declared directly in the POM.

On Gradle, dependency constraints can enforce a similar rule that keeps vulnerable versions out of the project. I learned that from @CedricChampeau's tweet.

// Kotlin DSL (build.gradle.kts): the constraint applies to the whole
// dependency graph, so transitive log4j-core versions are covered as well.
dependencies {
    constraints {
        implementation("org.apache.logging.log4j:log4j-core") {
            version {
                // reject anything below 2.15 and anything from 3.x upwards
                strictly("[2.15,3[")
                prefer("2.15.0")
            }
            because("Maven error because -> log4j is vulnerable to remote code execution")
        }
    }
}
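Both snippets rely on version-range notation: Maven's `(,2.15.0)` in the enforcer rule and Gradle's `[2.15,3[` in the `strictly` constraint. The following Python script is an added example, not code from the original post or from either build tool, that parses both notations and runs the Maven rule over a constructed `mvn dependency:list` output to show which resolved artifacts the rule would reject. The helper names (`parse_range`, `find_banned`, `SAMPLE_DEPENDENCY_LIST`) are my own, the sample output is constructed, and version comparison drops qualifiers such as `-rc1`, which is a simplification of how Maven and Gradle order versions. The 2.15.0 threshold is the one used in the post; in practice the lower bound should track whatever version the current advisory recommends.

```python
"""Evaluate Maven/Gradle style version ranges against resolved dependencies.

Added example; helper names and the sample build output are constructed,
not taken from the enforcer plugin or from Gradle.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the format printed by `mvn dependency:list`
# ([INFO]    groupId:artifactId:type:version:scope). Not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:test
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.14.1' into (2, 14, 1). Trailing zeros are dropped so that
    '2.15' and '2.15.0' compare equal; qualifiers after '-' are ignored
    (a simplification compared with Maven/Gradle ordering)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


class VersionRange(NamedTuple):
    low: Optional[Version]        # None means unbounded, as in "(,2.15.0)"
    low_inclusive: bool
    high: Optional[Version]
    high_inclusive: bool

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.low is not None and (v < self.low or (v == self.low and not self.low_inclusive)):
            return False
        if self.high is not None and (v > self.high or (v == self.high and not self.high_inclusive)):
            return False
        return True


# Accepts Maven brackets "(,2.15.0)" / "[2.15,3)" and Gradle's "[2.15,3[" / "]2.15,3]".
RANGE_RE = re.compile(r"\s*([\[(\]])([^,]*),([^\]\)\[]*)([\])\[])\s*")


def parse_range(spec: str) -> VersionRange:
    """'[' opens an inclusive lower bound; ']' closes an inclusive upper bound;
    '(' / ')' and Gradle's reversed ']' / '[' are exclusive."""
    m = RANGE_RE.fullmatch(spec)
    if m is None:
        raise ValueError(f"not a version range: {spec!r}")
    open_, low, high, close = m.groups()
    return VersionRange(
        parse_version(low) if low.strip() else None,
        open_ == "[",
        parse_version(high) if high.strip() else None,
        close == "]",
    )


# groupId:artifactId:type:version:scope (lines with a classifier are skipped)
DEP_LINE_RE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):[^:\s]+\s*$")


def find_banned(dependency_list: str, banned_spec: str) -> List[str]:
    """Mirror the bannedDependencies check: banned_spec is
    groupId:artifactId:versionRange, exactly as in the enforcer <exclude>."""
    group, artifact, range_spec = banned_spec.split(":", 2)
    rng = parse_range(range_spec)
    hits = []
    for line in dependency_list.splitlines():
        m = DEP_LINE_RE.match(line)
        if m is None:
            continue
        g, a, v = m.groups()
        if g == group and a == artifact and rng.contains(v):
            hits.append(f"{g}:{a}:{v}")
    return hits


if __name__ == "__main__":
    rule = "org.apache.logging.log4j:log4j-core:(,2.15.0)"
    print("banned by enforcer rule:", find_banned(SAMPLE_DEPENDENCY_LIST, rule))
    gradle_rule = parse_range("[2.15,3[")
    for v in ("2.14.1", "2.15.0", "3.0.0"):
        verdict = "accepted" if gradle_rule.contains(v) else "rejected"
        print(f"strictly('[2.15,3[') {verdict} {v}")
```

Running the script lists `org.apache.logging.log4j:log4j-core:2.14.1` as the only artifact the Maven rule rejects (the 2.15.0 test-scope copy passes) and shows that the Gradle range accepts 2.15.0 but rejects both 2.14.1 and 3.0.0. Piping the real output of `mvn dependency:list` into `find_banned` is a quick way to confirm what the enforcer will flag before wiring the plugin into the build.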