Log4j cleanup on Blazegraph and FITS (#332)

blazegraph/Dockerfile

@@ -6,6 +6,11 @@ ARG BLAZEGRAPH_VERSION="CANDIDATE_2_1_5"
 ARG BLAZEGRAPH_FILE="blazegraph.war"
 ARG BLAZEGRAPH_URL="https://github.com/blazegraph/database/releases/download/BLAZEGRAPH_RELEASE_${BLAZEGRAPH_VERSION}/${BLAZEGRAPH_FILE}"
 ARG BLAZEGRAPH_SHA256="b22f1a1aa8e536443db9a57da63720813374ef59e4021cfa9ad0e98f9a420e85"
+ARG LOG4J_VERSION="2.22.0"
+ARG LOG4J_FILE="apache-log4j-${LOG4J_VERSION}-bin.zip"
+ARG LOG4J_URL="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${LOG4J_FILE}"
+ARG LOG4J_FILE_SHA256="c6d61ecf2563b1200e02587b89b7c75b58b6e62e6a16cdb6f333c2482167c2dc"
+ARG OLD_LOG4J_VERSION="2.17"
 
 # Platform agnostic does not require arch specific identifier.
 RUN --mount=type=cache,id=blazegraph-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \
@@ -14,6 +19,21 @@ RUN --mount=type=cache,id=blazegraph-downloads-${TARGETARCH},sharing=locked,targ
         --sha256 "${BLAZEGRAPH_SHA256}" \
         --dest "/opt/tomcat/webapps/bigdata" \
     && \
+    ## Remove the outmoded log4j-* files that come with blazegraph
+    rm -f "/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar" && \
+    cleanup.sh
+
+# Now drop in newer log4j-* files
+RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \
+    download.sh \
+        --url "${LOG4J_URL}" \
+        --sha256 "${LOG4J_FILE_SHA256}" \
+    && \
+    ## Add new log4j-* files
+    unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \
     cleanup.sh
 
 COPY --link rootfs /

fits/Dockerfile

@@ -12,6 +12,12 @@ ARG FITS_FILE="fits-${FITS_VERSION}.zip"
 ARG FITS_URL="https://github.com/harvard-lts/fits/releases/download/${FITS_VERSION}/${FITS_FILE}"
 ARG FITS_SHA256="32e436effe7251c5b067ec3f02321d5baf4944b3f0d1010fb8ec42039d9e3b73"
 
+ARG LOG4J_VERSION="2.22.0"
+ARG LOG4J_FILE="apache-log4j-${LOG4J_VERSION}-bin.zip"
+ARG LOG4J_URL="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${LOG4J_FILE}"
+ARG LOG4J_FILE_SHA256="c6d61ecf2563b1200e02587b89b7c75b58b6e62e6a16cdb6f333c2482167c2dc"
+ARG OLD_LOG4J_VERSION="2.17.1"
+
 # Platform agnostic does not require arch specific identifier.
 RUN --mount=type=cache,id=fits-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \
     download.sh \
@@ -46,6 +52,24 @@ RUN --mount=type=cache,id=fits-apk-${TARGETARCH},sharing=locked,target=/var/cach
     && \
     cleanup.sh
 
+# Remove old files & then install latest log4j-* files
+RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \
+    download.sh \
+        --url "${LOG4J_URL}" \
+        --sha256 "${LOG4J_FILE_SHA256}" \
+    && \
+    ## Remove the outmoded log4j-* files that come with fits
+    rm -f /opt/fits/lib/droid/log4j-1.2.13.jar && \
+    rm -f "/opt/tomcat/webapps/fits/WEB-INF/lib/log4j-api-${OLD_LOG4J_VERSION}.jar" && \
+    rm -f "/opt/tomcat/webapps/fits/WEB-INF/lib/log4j-core-${OLD_LOG4J_VERSION}.jar" && \
+    ## Add new log4j-* files
+    unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/fits/lib/droid/ && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/fits/WEB-INF/lib/ && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/fits/WEB-INF/lib/ && \
+    cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/fits/WEB-INF/lib/ && \
+    cleanup.sh
+
 ENV \
     FITS_MAX_IN_MEMORY_FILE_SIZE=4 \
     FITS_MAX_OBJECTS_IN_POOL=5 \