From b35c83fe45d194883b9bd054f532946d76e66944 Mon Sep 17 00:00:00 2001
From: HongW2019 <hong2.wang@intel.com>
Date: Fri, 17 Dec 2021 14:43:54 +0800
Subject: [PATCH 1/2] [ML-161] Excluding log4j 1.x dependency from Spark core
 to avoid log4j vulnerability

---
 examples/als/pom.xml               | 10 ++++++++++
 examples/correlation/pom.xml       | 10 ++++++++++
 examples/kmeans/pom.xml            | 10 ++++++++++
 examples/linear-regression/pom.xml | 10 ++++++++++
 examples/naive-bayes/pom.xml       | 10 ++++++++++
 examples/pca/pom.xml               | 10 ++++++++++
 examples/summarizer/pom.xml        | 10 ++++++++++
 mllib-dal/pom.xml                  | 10 ++++++++++
 8 files changed, 80 insertions(+)

diff --git a/examples/als/pom.xml b/examples/als/pom.xml
index 1fac8782f..75dc6dad1 100644
--- a/examples/als/pom.xml
+++ b/examples/als/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/examples/correlation/pom.xml b/examples/correlation/pom.xml
index 9d83e32b5..dfcfbf91e 100644
--- a/examples/correlation/pom.xml
+++ b/examples/correlation/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/examples/kmeans/pom.xml b/examples/kmeans/pom.xml
index 94666cb65..9ed09ff4b 100644
--- a/examples/kmeans/pom.xml
+++ b/examples/kmeans/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/examples/linear-regression/pom.xml b/examples/linear-regression/pom.xml
index 613373507..3ba9b385a 100644
--- a/examples/linear-regression/pom.xml
+++ b/examples/linear-regression/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/examples/naive-bayes/pom.xml b/examples/naive-bayes/pom.xml
index 305e6dcad..9b1423d77 100644
--- a/examples/naive-bayes/pom.xml
+++ b/examples/naive-bayes/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/examples/pca/pom.xml b/examples/pca/pom.xml
index 0e549170c..f25432454 100644
--- a/examples/pca/pom.xml
+++ b/examples/pca/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/examples/summarizer/pom.xml b/examples/summarizer/pom.xml
index 885f2da0f..777bf929b 100644
--- a/examples/summarizer/pom.xml
+++ b/examples/summarizer/pom.xml
@@ -37,6 +37,16 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <!--<scope>provided</scope>-->
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>log4j</groupId>
+          <artifactId>log4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/mllib-dal/pom.xml b/mllib-dal/pom.xml
index eb07716f4..336ef2504 100644
--- a/mllib-dal/pom.xml
+++ b/mllib-dal/pom.xml
@@ -69,6 +69,16 @@
             <artifactId>spark-core_2.12</artifactId>
             <version>${spark.version}</version>
             <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-log4j12</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.spark</groupId>

From ffe70e2f68013e7e78de8f43a0f4310c17eba1e7 Mon Sep 17 00:00:00 2001
From: HongW2019 <hong2.wang@intel.com>
Date: Mon, 20 Dec 2021 16:35:55 +0800
Subject: [PATCH 2/2] Add comments about security concerns

---
 examples/als/pom.xml               | 1 +
 examples/correlation/pom.xml       | 1 +
 examples/kmeans/pom.xml            | 1 +
 examples/linear-regression/pom.xml | 1 +
 examples/naive-bayes/pom.xml       | 1 +
 examples/pca/pom.xml               | 1 +
 examples/summarizer/pom.xml        | 1 +
 mllib-dal/pom.xml                  | 1 +
 8 files changed, 8 insertions(+)

diff --git a/examples/als/pom.xml b/examples/als/pom.xml
index 75dc6dad1..39d207a95 100644
--- a/examples/als/pom.xml
+++ b/examples/als/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/examples/correlation/pom.xml b/examples/correlation/pom.xml
index dfcfbf91e..a8af7cddc 100644
--- a/examples/correlation/pom.xml
+++ b/examples/correlation/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/examples/kmeans/pom.xml b/examples/kmeans/pom.xml
index 9ed09ff4b..e4437c51a 100644
--- a/examples/kmeans/pom.xml
+++ b/examples/kmeans/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/examples/linear-regression/pom.xml b/examples/linear-regression/pom.xml
index 3ba9b385a..641562d85 100644
--- a/examples/linear-regression/pom.xml
+++ b/examples/linear-regression/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/examples/naive-bayes/pom.xml b/examples/naive-bayes/pom.xml
index 9b1423d77..bb920cdeb 100644
--- a/examples/naive-bayes/pom.xml
+++ b/examples/naive-bayes/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/examples/pca/pom.xml b/examples/pca/pom.xml
index f25432454..263a984a9 100644
--- a/examples/pca/pom.xml
+++ b/examples/pca/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <scope>provided</scope>
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/examples/summarizer/pom.xml b/examples/summarizer/pom.xml
index 777bf929b..bc6d70ae3 100644
--- a/examples/summarizer/pom.xml
+++ b/examples/summarizer/pom.xml
@@ -37,6 +37,7 @@
       <artifactId>spark-sql_2.12</artifactId>
       <version>${spark.version}</version>
       <!--<scope>provided</scope>-->
+      <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
       <exclusions>
         <exclusion>
           <groupId>org.slf4j</groupId>
diff --git a/mllib-dal/pom.xml b/mllib-dal/pom.xml
index 336ef2504..4fde0c02a 100644
--- a/mllib-dal/pom.xml
+++ b/mllib-dal/pom.xml
@@ -69,6 +69,7 @@
             <artifactId>spark-core_2.12</artifactId>
             <version>${spark.version}</version>
             <scope>provided</scope>
+            <!--This is needed to exclude log4j1.x from Spark core dependency to avoid vulnerabilities -->
             <exclusions>
                 <exclusion>
                     <groupId>org.slf4j</groupId>