fix(security): update ranger commons & dependencies for security vulns (

#6577)

* fix(security): update ranger commons & dependencies for security vulns

build.gradle

@@ -79,6 +79,7 @@ project.ext.externalDependency = [
     'hadoopClient': 'org.apache.hadoop:hadoop-client:3.2.1',
     'hadoopCommon':'org.apache.hadoop:hadoop-common:2.7.2',
     'hadoopMapreduceClient':'org.apache.hadoop:hadoop-mapreduce-client-core:2.7.2',
+    'hadoopCommon3':'org.apache.hadoop:hadoop-common:3.3.4',
     'hibernateCore': 'org.hibernate:hibernate-core:5.2.16.Final',
     'httpClient': 'org.apache.httpcomponents:httpclient:4.5.9',
     'httpAsyncClient': 'org.apache.httpcomponents:httpasyncclient:4.1.5',
@@ -106,6 +107,8 @@ project.ext.externalDependency = [
     'kafkaAvroSerializer': 'io.confluent:kafka-avro-serializer:5.1.4',
     'kafkaClients': 'org.apache.kafka:kafka-clients:2.3.0',
     'logbackClassic': 'ch.qos.logback:logback-classic:1.2.9',
+    'log4jCore': 'org.apache.logging.log4j:log4j-core:2.19.0',
+    'log4jApi': 'org.apache.logging.log4j:log4j-api:2.19.0',
     'lombok': 'org.projectlombok:lombok:1.18.12',
     'mariadbConnector': 'org.mariadb.jdbc:mariadb-java-client:2.6.0',
     'mavenArtifact': "org.apache.maven:maven-artifact:$mavenVersion",
@@ -135,6 +138,7 @@ project.ext.externalDependency = [
     'playPac4j': 'org.pac4j:play-pac4j_2.12:8.0.2',
     'postgresql': 'org.postgresql:postgresql:42.3.3',
     'protobuf': 'com.google.protobuf:protobuf-java:3.19.3',
+    'rangerCommons': 'org.apache.ranger:ranger-plugins-common:2.3.0',
     'reflections': 'org.reflections:reflections:0.9.9',
     'resilience4j': 'io.github.resilience4j:resilience4j-retry:1.7.1',
     'rythmEngine': 'org.rythmengine:rythm-engine:1.3.0',
@@ -180,7 +184,16 @@ configure(subprojects.findAll {! it.name.startsWith('spark-lineage') }) {
 
   configurations.all {
     exclude group: "io.netty", module: "netty"
-    exclude group: "log4j", module: "log4j"
+    exclude group: "org.springframework.boot", module: "spring-boot-starter-logging"
+    exclude group: "ch.qos.logback", module: "logback-classic"
+    exclude group: "org.apache.logging.log4j", module: "log4j-to-slf4j"
+    exclude group: "com.vaadin.external.google", module: "android-json"
+    exclude group: "org.slf4j", module: "slf4j-reload4j"
+    exclude group: "org.slf4j", module: "slf4j-log4j12"
+    exclude group: "org.slf4j", module: "slf4j-nop"
+    exclude group: "org.slf4j", module: "slf4j-ext"
+    exclude group: "org.slf4j", module: "jul-to-slf4j"
+    exclude group: "org.slf4j", module: "jcl-over-toslf4j"
   }
 }
 

datahub-ranger-plugin/build.gradle

@@ -24,8 +24,11 @@ compileJava {
 }
 
 dependencies {
-    implementation 'org.apache.ranger:ranger-plugins-common:2.3.0'
-    compile 'org.apache.logging.log4j:log4j-1.2-api:2.17.1'
+    implementation(externalDependency.rangerCommons) {
+        exclude group: "org.apache.htrace", module: "htrace-core4"
+    }
+    implementation externalDependency.hadoopCommon3
+    implementation externalDependency.log4jApi
 
     testCompile externalDependency.testng
 }

ingestion-scheduler/build.gradle

@@ -12,10 +12,10 @@ dependencies {
     testAnnotationProcessor externalDependency.lombok
 
     constraints {
-        implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
+        implementation(externalDependency.log4jCore) {
             because("previous versions are vulnerable to CVE-2021-45105")
         }
-        implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+        implementation(externalDependency.log4jApi) {
             because("previous versions are vulnerable to CVE-2021-45105")
         }
     }

metadata-dao-impl/kafka-producer/build.gradle

@@ -14,12 +14,12 @@ dependencies {
   annotationProcessor externalDependency.lombok
 
   testCompile externalDependency.mockito
-  
+
   constraints {
-    implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
+    implementation(externalDependency.log4jCore) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
-    implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+    implementation(externalDependency.log4jApi) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
   }

metadata-events/mxe-registration/build.gradle

@@ -12,12 +12,12 @@ dependencies {
   testCompile project(':test-models')
 
   avroOriginal project(path: ':metadata-models', configuration: 'avroSchema')
-  
+
   constraints {
-    implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
+    implementation(externalDependency.log4jCore) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
-    implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+    implementation(externalDependency.log4jApi) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
   }

metadata-events/mxe-utils-avro-1.7/build.gradle

@@ -8,10 +8,10 @@ dependencies {
   testCompile project(':test-models')
 
   constraints {
-    implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
+    implementation(externalDependency.log4jCore) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
-    implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+    implementation(externalDependency.log4jApi) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
   }

metadata-io/build.gradle

@@ -60,10 +60,10 @@ dependencies {
   testAnnotationProcessor externalDependency.lombok
 
   constraints {
-    implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
+    implementation(externalDependency.log4jCore) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
-    implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+    implementation(externalDependency.log4jApi) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
   }

metadata-service/auth-ranger-impl/build.gradle

@@ -8,7 +8,11 @@ compileJava {
 dependencies {
     compile project(path: ':metadata-service:auth-api')
 
-    implementation 'org.apache.ranger:ranger-plugins-common:2.3.0'
+    implementation(externalDependency.rangerCommons) {
+        exclude group: "org.apache.htrace", module: "htrace-core4"
+    }
+    implementation externalDependency.hadoopCommon3
+
     implementation 'org.apache.logging.log4j:log4j-1.2-api:2.17.1'
     implementation 'rome:rome:1.0'
     runtimeOnly externalDependency.jna

metadata-service/restli-servlet-impl/build.gradle

@@ -24,10 +24,10 @@ configurations {
 
 dependencies {
   constraints {
-    implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
-        because("previous versions are vulnerable to CVE-2021-45105") 
+    implementation(externalDependency.log4jCore) {
+        because("previous versions are vulnerable to CVE-2021-45105")
     }
-    implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+    implementation(externalDependency.log4jApi) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
   }
@@ -44,6 +44,8 @@ dependencies {
   compile externalDependency.neo4jJavaDriver
   compile externalDependency.opentelemetryAnnotations
 
+  runtimeOnly externalDependency.logbackClassic
+
   annotationProcessor externalDependency.lombok
 
   testCompile project(':test-models')

metadata-utils/build.gradle

@@ -25,10 +25,10 @@ dependencies {
   testCompile project(':test-models')
 
   constraints {
-      implementation("org.apache.logging.log4j:log4j-core:2.17.0") {
+      implementation(externalDependency.log4jCore) {
           because("previous versions are vulnerable to CVE-2021-45105")
       }
-      implementation("org.apache.logging.log4j:log4j-api:2.17.0") {
+      implementation(externalDependency.log4jApi) {
         because("previous versions are vulnerable to CVE-2021-45105")
     }
   }