Check security bugs reported in other modules

Author: ppkarwasz

log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/FlumePersistentManager.java

@@ -47,6 +47,7 @@
 import com.sleepycat.je.OperationStatus;
 import com.sleepycat.je.StatsConfig;
 import com.sleepycat.je.Transaction;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.flume.Event;
 import org.apache.flume.event.SimpleEvent;
 import org.apache.logging.log4j.LoggingException;
@@ -172,6 +173,10 @@ public static FlumePersistentManager getManager(final String name, final Agent[]
     }
 
     @Override
+    @SuppressFBWarnings(
+            value = {"CIPHER_INTEGRITY", "ECB_MODE"},
+            justification = "Work-in-progress: https://github.com/apache/logging-log4j2/issues/1947"
+    )
     public void send(final Event event)  {
         if (worker.isShutdown()) {
             throw new LoggingException("Unable to record event");
@@ -381,6 +386,10 @@ private static class BDBManagerFactory implements ManagerFactory<FlumePersistent
          * @return The FlumeKratiManager.
          */
         @Override
+        @SuppressFBWarnings(
+                value = "PATH_TRAVERSAL_IN",
+                justification = "The name of the directory is provided in a configuration file."
+        )
         public FlumePersistentManager createManager(final String name, final FactoryData data) {
             SecretKey secretKey = null;
             Database database = null;
@@ -786,6 +795,10 @@ private boolean sendBatch(DatabaseEntry key, final DatabaseEntry data) throws Ex
             return errors;
         }
 
+        @SuppressFBWarnings(
+                value = {"CIPHER_INTEGRITY", "ECB_MODE"},
+                justification = "Work-in-progress: https://github.com/apache/logging-log4j2/issues/1947"
+        )
         private SimpleEvent createEvent(final DatabaseEntry data) {
             final SimpleEvent event = new SimpleEvent();
             try {

log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/package-info.java

@@ -19,7 +19,7 @@
  */
 @Export
 @Open("org.apache.logging.log4j.core")
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.flume.appender;
 
 import aQute.bnd.annotation.jpms.Open;

log4j-jul/src/main/java/org/apache/logging/log4j/jul/Log4jBridgeHandler.java

@@ -25,6 +25,7 @@
 import java.util.Set;
 import java.util.logging.LogRecord;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.config.LoggerConfig;
@@ -134,7 +135,11 @@ public Log4jBridgeHandler(boolean debugOutput, String suffixToAppend, boolean pr
 
 
     /** Perform init. of this handler with given configuration (typical use is for constructor). */
-       protected void init(boolean debugOutput, String suffixToAppend, boolean propagateLevels) {
+    @SuppressFBWarnings(
+            value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+            justification = "The data is available only in debug mode."
+    )
+    protected void init(boolean debugOutput, String suffixToAppend, boolean propagateLevels) {
            this.doDebugOutput = debugOutput;
         if (debugOutput) {
             new Exception("DIAGNOSTIC ONLY (sysout):  Log4jBridgeHandler instance created (" + this + ")")

log4j-jul/src/main/java/org/apache/logging/log4j/jul/package-info.java

@@ -15,7 +15,7 @@
  * limitations under the license.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.jul;
 
 import org.osgi.annotation.bundle.Export;

log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/util/Uris.java

@@ -30,6 +30,7 @@
 import java.util.List;
 import java.util.Objects;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
 import org.apache.logging.log4j.util.LoaderUtil;
@@ -93,6 +94,10 @@ private static String unsafeReadUri(
         }
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The uri parameter comes from aconfiguration file."
+    )
     private static String readFileUri(
             final URI uri,
             final Charset charset)
@@ -103,6 +108,10 @@ private static String readFileUri(
         }
     }
 
+    @SuppressFBWarnings(
+            value = "URLCONNECTION_SSRF_FD",
+            justification = "The uri parameter comes fro a configuration file."
+    )
     private static String readClassPathUri(
             final URI uri,
             final Charset charset)

log4j-perf-test/pom.xml

@@ -30,6 +30,9 @@
   <description>The Apache Log4j development-time performance tests</description>
 
   <properties>
+    <!-- Ignore less important (high rank) bugs for test artifacts -->
+    <spotbugs.maxRank>9</spotbugs.maxRank>
+
     <uberjar.name>benchmarks</uberjar.name>
     <bnd.baseline.skip>true</bnd.baseline.skip>
     <maven.test.skip>true</maven.test.skip>