From d044e0479deb88c694973d0e0c51d8b7cbcfac06 Mon Sep 17 00:00:00 2001
From: PJ Fanning <pjfanning@users.noreply.github.com>
Date: Fri, 3 Jun 2022 12:21:40 +0100
Subject: [PATCH] issue-10356: upgrade logback to fix cve (#10357)

---
 dolphinscheduler-dist/release-docs/LICENSE | 4 ++--
 pom.xml                                    | 2 +-
 tools/dependencies/known-dependencies.txt  | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dolphinscheduler-dist/release-docs/LICENSE b/dolphinscheduler-dist/release-docs/LICENSE
index 0002c8dee2..5f4ee43bc2 100644
--- a/dolphinscheduler-dist/release-docs/LICENSE
+++ b/dolphinscheduler-dist/release-docs/LICENSE
@@ -493,8 +493,8 @@ EPL licenses
 The following components are provided under the EPL License. See project link for details.
 The text of each license is also included at licenses/LICENSE-[project].txt.
     aspectjweaver 1.9.7:https://mvnrepository.com/artifact/org.aspectj/aspectjweaver/1.9.7, EPL 1.0
-    logback-classic 1.2.3: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.3, EPL 1.0 and LGPL 2.1
-    logback-core 1.2.3: https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3, EPL 1.0 and LGPL 2.1
+    logback-classic 1.2.11: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.11, EPL 1.0 and LGPL 2.1
+    logback-core 1.2.11: https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.11, EPL 1.0 and LGPL 2.1
     h2-1.4.200 https://github.com/h2database/h2database/blob/master/LICENSE.txt, MPL 2.0 or EPL 1.0
 
 ========================================================================
diff --git a/pom.xml b/pom.xml
index 05a1722c8d..3628920b27 100644
--- a/pom.xml
+++ b/pom.xml
@@ -56,7 +56,7 @@
         <spring.version>5.3.12</spring.version>
         <spring.boot.version>2.5.6</spring.boot.version>
         <java.version>1.8</java.version>
-        <logback.version>1.2.3</logback.version>
+        <logback.version>1.2.11</logback.version>
         <hadoop.version>2.7.3</hadoop.version>
         <quartz.version>2.3.2</quartz.version>
         <jackson.version>2.10.5</jackson.version>
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index ce588528af..13e6aa50a5 100755
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -133,8 +133,8 @@ libfb303-0.9.3.jar
 libthrift-0.9.3.jar
 log4j-1.2-api-2.14.1.jar
 log4j-1.2.17.jar
-logback-classic-1.2.3.jar
-logback-core-1.2.3.jar
+logback-classic-1.2.11.jar
+logback-core-1.2.11.jar
 lz4-1.3.0.jar
 mapstruct-1.2.0.Final.jar
 micrometer-core-1.7.5.jar