2

We are using the hadoop-hdfs 3.2.1 jar, and it has a transitive dependency on log4j 1.2.17. In our central NexusIQ scan, it's giving a level 9 issue for the log4j dependency. Is there a way to override log4j to log4j2, or any other solution? I tried dependency management, but there is no jar in log4j2 with artifact id log4j to override the transitive dependency.

Yadav

2 Answers

1

Short answer: no, that's not possible. You don't have a way of overriding a transitive dependency at the Nexus level. You'll have to use a different version of hadoop-hdfs, or compile it yourself with a "safe" log4j version.

Ben Watson

1

I did manage to solve a similar issue for the hbase-shaded-client jar, where I had to exclude the log4j 1.2.17 dependency.

For that, I did this.

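    <dependency>
      <groupId>org.apache.hbase</groupId>
      <artifactId>hbase-client</artifactId>
      <version>...</version>
      <exclusions>
        <!-- keep the transitive log4j 1.2.17 jar off the classpath -->
        <exclusion>
          <artifactId>log4j</artifactId>
          <groupId>log4j</groupId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- supplies the org.apache.log4j API classes and routes the calls to SLF4J -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>log4j-over-slf4j</artifactId>
      <version>1.7.25</version>
    </dependency>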

It worked.

Yadav
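
One way to confirm that the exclusion above took effect, as an added example that is not part of the original answers: this Python script parses the console output of `mvn dependency:tree` and reports every path that still brings in `log4j:log4j`. The sample tree is constructed for illustration (only hadoop-hdfs 3.2.1, log4j 1.2.17 and log4j-over-slf4j 1.7.25 come from the page), and the names `banned_paths`, `LINE` and `SAMPLE_TREE` are hypothetical.

```python
import re

# Constructed sample of `mvn dependency:tree` console output (not from a real build).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree (default-cli) @ ingest ---
[INFO] com.example:ingest:jar:1.0.0
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:3.2.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- com.example:legacy-util:jar:0.9:compile
[INFO] |  \- com.example:legacy-core:jar:0.9:compile
[INFO] |     \- log4j:log4j:jar:1.2.17:compile
[INFO] \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] BUILD SUCCESS
"""

# Tree-drawing prefix, then group:artifact:type[:classifier]:version[:scope].
LINE = re.compile(
    r"^\[INFO\] (?P<indent>[|+\\ -]*)(?P<gav>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)


def banned_paths(tree_text, banned=("log4j", "log4j")):
    """Return every root-to-artifact path ending at the banned (groupId, artifactId)."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # plugin banners, blank lines, build summary
        depth = len(m.group("indent")) // 3  # each tree level is 3 characters wide
        parts = m.group("gav").split(":")
        # The root line has no scope field, so its version is the last part.
        version = parts[-2] if depth else parts[-1]
        del stack[depth:]  # leave the previous branch before descending again
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if (parts[0], parts[1]) == tuple(banned):
            hits.append(" -> ".join(stack))
    return hits


if __name__ == "__main__":
    for path in banned_paths(SAMPLE_TREE):
        print("still on classpath:", path)
```

Each reported path names the direct dependency that needs the `<exclusion>` entry; an empty result means no log4j 1.x jar is resolved any more.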