From 4bb4fd75b60072feb9764e1702748e50944ea499 Mon Sep 17 00:00:00 2001
From: Dan Timoney <dtimoney@att.com>
Date: Mon, 3 Jan 2022 13:23:53 -0500
Subject: [PATCH] Upgrade to log4j2 2.17.1

Update to use version 2.17.1 to resolve log4shell vulnerability

Issue-ID: CCSDK-3556
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I5e9c6f211df52eb7db27b1479bb295d473c0dded
---
 opendaylight/silicon/silicon-alpine/pom.xml                  | 12 ++++++++++--
 .../silicon/silicon-alpine/src/main/docker/Dockerfile        |  1 +
 .../src/main/resources/framework-4.3.2-features.xml          |  8 ++++----
 .../silicon-alpine/src/main/resources/startup.properties     |  4 ++--
 pom.xml                                                      |  2 +-
 5 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/opendaylight/silicon/silicon-alpine/pom.xml b/opendaylight/silicon/silicon-alpine/pom.xml
index 029bc829..d8111fcf 100644
--- a/opendaylight/silicon/silicon-alpine/pom.xml
+++ b/opendaylight/silicon/silicon-alpine/pom.xml
@@ -23,7 +23,7 @@
         <odl.shiro.version>0.13.5</odl.shiro.version>
         <odl.ops4j.version>7.3.16</odl.ops4j.version>
         <odl.pax.logging.version>2.0.9</odl.pax.logging.version>
-        <patch.pax.logging.version>2.0.12</patch.pax.logging.version>
+        <patch.pax.logging.version>2.0.14</patch.pax.logging.version>
         <odl.karaf.framework.version>4.3.2</odl.karaf.framework.version>
         <odl.netconf.version>1.13.4</odl.netconf.version>
     </properties>
@@ -123,6 +123,14 @@
                                     <destFileName>pax-logging-log4j2-${patch.pax.logging.version}.jar</destFileName>
                                     <excludes>*</excludes>
                                 </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.ops4j.pax.logging</groupId>
+                                    <artifactId>pax-logging-logback</artifactId>
+                                    <version>${patch.pax.logging.version}</version>
+                                    <outputDirectory>${project.build.directory}/docker-stage/system/org/ops4j/pax/logging/pax-logging-logback/${patch.pax.logging.version}</outputDirectory>
+                                    <destFileName>pax-logging-logback-${patch.pax.logging.version}.jar</destFileName>
+                                    <excludes>*</excludes>
+                                </artifactItem>
                                 <artifactItem>
                                     <groupId>org.ops4j.pax.logging</groupId>
                                     <artifactId>pax-logging-api</artifactId>
@@ -185,7 +193,7 @@
                                         <include>framework-${odl.karaf.framework.version}-features.xml</include>
                                         <include>startup.properties</include>
                                     </includes>
-                                    <filtering>false</filtering>
+                                    <filtering>true</filtering>
                                 </resource>
                             </resources>
                         </configuration>
diff --git a/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile b/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile
index b5b3c6da..19cd55f6 100644
--- a/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile
+++ b/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile
@@ -32,6 +32,7 @@ COPY system $ODL_HOME/system
 COPY framework-${odl.karaf.framework.version}-features.xml $ODL_HOME/system/org/apache/karaf/features/framework/${odl.karaf.framework.version}/framework-${odl.karaf.framework.version}-features.xml
 COPY startup.properties $ODL_HOME/etc/startup.properties
 RUN rm -rf $ODL_HOME/system/org/ops4j/pax/logging/pax-logging-log4j2/${odl.pax.logging.version}
+RUN rm -rf $ODL_HOME/system/org/ops4j/pax/logging/pax-logging-logback/${odl.pax.logging.version}
 RUN rm -rf $ODL_HOME/system/org/ops4j/pax/logging/pax-logging-api/${odl.pax.logging.version}
 
 # Changing ownership and permission of /opt
diff --git a/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml b/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml
index 1f283cb1..52bc1d40 100755
--- a/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml
+++ b/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml
@@ -27,8 +27,8 @@
         <!-- mvn: url handlers -->
         <bundle start-level="5">mvn:org.ops4j.pax.url/pax-url-aether/2.6.7</bundle>
         <!-- logging -->
-        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-api/2.0.12</bundle>
-        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.12</bundle>
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-api/${patch.pax.logging.version}</bundle>
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-log4j2/${patch.pax.logging.version}</bundle>
         <bundle start-level="8">mvn:org.fusesource.jansi/jansi/1.18</bundle>
         <!-- config admin -->
         <bundle start-level="9">mvn:org.osgi/org.osgi.util.function/1.1.0</bundle>
@@ -53,8 +53,8 @@
         <!-- mvn: url handlers -->
         <bundle start-level="5">mvn:org.ops4j.pax.url/pax-url-aether/2.6.7</bundle>
         <!-- logging -->
-        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-api/2.0.9</bundle>
-        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-logback/2.0.9</bundle>
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-api/${patch.pax.logging.version}</bundle>
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-logback/${patch.pax.logging.version}</bundle>
         <!-- config admin -->
         <bundle start-level="9">mvn:org.osgi/org.osgi.util.function/1.1.0</bundle>
         <bundle start-level="9">mvn:org.osgi/org.osgi.util.promise/1.1.1</bundle>
diff --git a/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties b/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties
index 59ab975e..40baf708 100755
--- a/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties
+++ b/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties
@@ -1,8 +1,8 @@
 # Bundles to be started on startup, with startlevel
 mvn\:org.apache.karaf.features/org.apache.karaf.features.extension/4.3.2 = 1
 mvn\:org.ops4j.pax.url/pax-url-aether/2.6.7 = 5
-mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.12 = 8
-mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.12 = 8
+mvn\:org.ops4j.pax.logging/pax-logging-api/${patch.pax.logging.version} = 8
+mvn\:org.ops4j.pax.logging/pax-logging-log4j2/${patch.pax.logging.version} = 8
 mvn\:org.fusesource.jansi/jansi/1.18 = 8
 mvn\:org.osgi/org.osgi.util.promise/1.1.1 = 9
 mvn\:org.apache.felix/org.apache.felix.coordinator/1.0.2 = 9
diff --git a/pom.xml b/pom.xml
index b1faf1df..2ac515cd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.onap.ccsdk.parent</groupId>
         <artifactId>oparent</artifactId>
-        <version>2.3.1</version>
+        <version>2.3.2</version>
     </parent>
 
     <groupId>org.onap.ccsdk.distribution</groupId>
-- 
2.16.6