maven: migrate short-term to reload4j v1.2.18 (#5878)

* maven: migrate short-term to reload4j v1.2.18

This migrate to log4j 1.x fork, reload4j 1.2.18.0 which is drop-in
replacement and addresses some immediate CVE and issues.

* log4j migration to reload4j in pom xmls

Signed-off-by: Rohit Yadav <[email protected]>

* Exclude log4j from transitive dependencies (#73)

Co-authored-by: Marcus Sorensen <[email protected]>
Co-authored-by: Marcus Sorensen <[email protected]>

Author: 3 people

framework/managed-context/pom.xml

@@ -29,9 +29,9 @@
     </parent>
     <dependencies>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>${cs.log4j.version}</version>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
+            <version>${cs.reload4j.version}</version>
         </dependency>
     </dependencies>
 </project>

plugins/alert-handlers/snmp-alerts/pom.xml

@@ -33,8 +33,8 @@
             <artifactId>org.apache.servicemix.bundles.snmp4j</artifactId>
         </dependency>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
         </dependency>
     </dependencies>
 </project>

plugins/alert-handlers/syslog-alerts/pom.xml

@@ -29,8 +29,8 @@
     </parent>
     <dependencies>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
         </dependency>
     </dependencies>
 </project>

plugins/hypervisors/ovm3/pom.xml

@@ -44,8 +44,8 @@
             <version>${cs.commons-lang3.version}</version>
         </dependency>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
         </dependency>
     </dependencies>
     <build>

plugins/integrations/kubernetes-service/pom.xml

@@ -86,9 +86,9 @@
             <version>${cs.guava.version}</version>
         </dependency>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>${cs.log4j.version}</version>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
+            <version>${cs.reload4j.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>

plugins/network-elements/juniper-contrail/pom.xml

@@ -112,6 +112,12 @@
             <groupId>net.juniper.contrail</groupId>
             <artifactId>juniper-contrail-api</artifactId>
             <version>1.0-SNAPSHOT</version>
+            <exclusions>
+                <exclusion>
+                    <artifactId>log4j</artifactId>
+                    <groupId>log4j</groupId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>mysql</groupId>

plugins/user-authenticators/ldap/pom.xml

@@ -175,6 +175,10 @@
             <version>${ads.version}</version>
             <scope>test</scope>
             <exclusions>
+                <exclusion>
+                    <artifactId>log4j</artifactId>
+                    <groupId>log4j</groupId>
+                </exclusion>
                 <!--
                  shared-ldap-schema module needs to be excluded to avoid multiple schema resources on the classpath
                 -->

pom.xml

@@ -76,7 +76,7 @@
         <cs.clover-maven-plugin.version>4.4.1</cs.clover-maven-plugin.version>
 
         <!-- Logging versions -->
-        <cs.log4j.version>1.2.17</cs.log4j.version>
+        <cs.reload4j.version>1.2.18.4</cs.reload4j.version>
         <cs.log4j.extras.version>1.2.17</cs.log4j.extras.version>
         <cs.logging.version>1.1.1</cs.logging.version>
 
@@ -439,9 +439,9 @@
                 </exclusions>
             </dependency>
             <dependency>
-                <groupId>log4j</groupId>
-                <artifactId>log4j</artifactId>
-                <version>${cs.log4j.version}</version>
+                <groupId>ch.qos.reload4j</groupId>
+                <artifactId>reload4j</artifactId>
+                <version>${cs.reload4j.version}</version>
             </dependency>
             <dependency>
                 <groupId>mysql</groupId>
@@ -618,6 +618,12 @@
                 <groupId>org.owasp.esapi</groupId>
                 <artifactId>esapi</artifactId>
                 <version>2.1.0.1</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>log4j</groupId>
+                        <artifactId>log4j</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <!-- Test dependency in mysql for db tests -->
             <dependency>

services/console-proxy/server/pom.xml

@@ -29,8 +29,8 @@
     </parent>
     <dependencies>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
         </dependency>
         <dependency>
             <groupId>com.google.code.gson</groupId>

services/secondary-storage/server/pom.xml

@@ -29,8 +29,8 @@
     </parent>
     <dependencies>
         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
+            <groupId>ch.qos.reload4j</groupId>
+            <artifactId>reload4j</artifactId>
         </dependency>
         <dependency>
             <groupId>com.google.code.gson</groupId>