What is Xray
Xray identifies open-source vulnerabilities when a dependency is downloaded from the cloud through Artifactory, or when an application that bundles the vulnerable dependency is downloaded from Artifactory.
Recently, Xray scans started reporting violations for my project, which blocked me from downloading build artifacts from the repository. The finding was related to Log4j:
Included in log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects log4j versions up to 1.2 up to 1.2.17.
Because of this violation, we could not download the build jar from the repository; Artifactory returned:
{
  "errors" : [ {
    "status" : 403,
    "message" : "Artifact download request rejected: com/myfile/myjarfile was not downloaded due to the download blocking policy configured in Xray for libs-snapshot-local."
  } ]
}
After a lot of analysis we found that our Maven POM declares no Log4j dependency at all, yet the violation persisted. It turned out that Log4j classes were being pulled in transitively through one of the dependencies shaded into our jar, which is why they never appeared in the POM.
So the simple fix we applied was to exclude all Log4j classes, properties and XML files from the final shaded jar. Note that this removes the flagged classes from the artifact Xray inspects; the shaded dependency that carries them is still present in the build.
To exclude these items from the shaded jar, update the maven-shade-plugin section of your pom.xml as below:
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <version>3.1.0</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <filters>
      <filter>
        <!-- apply the filter to every artifact that is shaded into the jar -->
        <artifact>*:*</artifact>
        <excludes>
          <!-- drop all log4j 1.x classes, including the SocketServer named in the finding -->
          <exclude>org/apache/log4j/**/*</exclude>
          <!-- drop the bundled log4j Maven metadata that scanners use to identify the library -->
          <exclude>META-INF/maven/log4j/**/*</exclude>
        </excludes>
      </filter>
    </filters>
  </configuration>
</plugin>
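As an added check (not part of the original post), the script below inspects a built jar for the same log4j 1.x paths the shade filter excludes, so you can confirm the fix locally before the artifact reaches Artifactory and Xray. The jar contents it tests against are constructed sample data; point it at a real file with the path argument.

```python
import io
import sys
import zipfile

# The entry prefixes that the maven-shade-plugin filter above strips from the jar.
LOG4J_PREFIXES = ("org/apache/log4j/", "META-INF/maven/log4j/")
# The class named in the Xray finding (log4j 1.2 SocketServer).
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"


def log4j_entries(jar_bytes):
    """Return every log4j 1.x entry still present in a jar (a jar is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(name for name in jar.namelist() if name.startswith(LOG4J_PREFIXES))


def has_socket_server(jar_bytes):
    """True when the flagged SocketServer class survived shading."""
    return SOCKET_SERVER_CLASS in log4j_entries(jar_bytes)


def build_jar(entries):
    """Construct an in-memory jar containing the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed example: a shaded jar before the filter was applied ...
BEFORE = build_jar([
    "com/myfile/Main.class",
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "META-INF/maven/log4j/log4j/pom.xml",
])
# ... and the same jar after the excludes above were applied.
AFTER = build_jar(["com/myfile/Main.class"])

if __name__ == "__main__":
    # Usage: python check_shaded_jar.py target/myjarfile.jar
    with open(sys.argv[1], "rb") as fh:
        leftovers = log4j_entries(fh.read())
    for name in leftovers:
        print("log4j entry still shaded in:", name)
    sys.exit(1 if leftovers else 0)
```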