mvn install fails in environment that block log4j:2.15.0 & its dependencies from downloading due to security vulnerabilities

[tiru67]

mvn install fails in environment that block log4j:2.15.0 dependencies from downloading due to security vulnerabilities.

Q: What were you trying to accomplish?
A: I am trying to setup my local environment for contribution.

Expected Behavior

mvn install -DskipTests should succeed

Current Behavior

Build Failure
Powertools for AWS Lambda (Java) library Examples - Core FAILURE

Possible Solution

Upgrade

<groupId>com.github.edwgiz</groupId>
<artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
<version>2.15</version>

with

  <groupId>io.github.edwgiz</groupId>
 <artifactId>log4j-maven-shade-plugin-extensions</artifactId>
 <version>2.17.2</version>

in

examples/powertools-examples-batch/pom.xml
examples/powertools-examples-cloudformation/pom.xml
examples/powertools-examples-core/cdk/app/pom.xml
examples/powertools-examples-core/sam/pom.xml
examples/powertools-examples-idempotency/pom.xml
examples/powertools-examples-sqs/pom.xml

Steps to Reproduce (for bugs)

1. Setup a firewall that blocks maven-shade-plugin.log4j2-cachefile-transformer version 2.15 and its dependencies
2. mvn install -DskipTests

Environment

• Powertools for AWS Lambda (Java) version used: 1.17.0-SNAPSHOT
• Packaging format (Layers, Maven/Gradle): Maven
• AWS Lambda function runtime:
• Debugging logs

How to enable debug mode**

# paste logs here

[scottgerring]

Hey @tiru67, thanks for reporting. i'll check this out shortly.

[scottgerring]

Hey @tiru67 , this is a good catch, thanks. The log4j dep is pushed by a transient dep from the shade plugin. I have rolled the plugin forward in #1376; waiting for a review from one of the other maintainers. In the meantime, you should be able to pull from this branch and get started!

[tiru67]

Thanks @scottgerring!

[scottgerring]

The dependency is used during the build phase for shading, and from what I can see shouldn't result in a build of the examples including an impacted version of log4j only.

[scottgerring]

This is merged to main