-
Notifications
You must be signed in to change notification settings - Fork 492
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Getting rid of log4j1 in the war file #8377
Conversation
… longer include log4j-1.* in the war file. (IQSS/dataverse-security#48; also #8372)
(part of the reason for making this a draft PR, I wanted to see the automated tests run on it) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left a few comments... 😄
Another question, @landreev: should we make sure no future (accidential) usages of Log4J slip through via
<module name="IllegalImport">
- <property name="illegalPkgs" value="org.apache.commons.lang"/>
+ <property name="illegalPkgs" value="org.apache.commons.lang, org.apache.log4j"/>
</module>
in checkstyle.xml
? Our good doggo @reviewdog would bark at those (newly added lines).
@poikilotherm One random question for you; since it looks like you've been looking into all this in parallel: Have you by any chance figured out why we are downloading the version 1.5.6 of slf4j-parent, slf4j-api, etc. during the build (in addition to 1.7.35, specified as ${slf4j.version})? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At standup I volunteered to take a look and everything seems fine to me so I'm moving it to QA.
I didn't deploy the war file but I compared develop-984219b5be
to ds48-l4j-upgrade-aae7bbb955
and found that the former has ./WEB-INF/lib/log4j-1.2.14.jar
but the latter (this pull request) does not. Both have ./WEB-INF/classes/log4j.properties
but this is just a config file.
@poikilotherm I see you had various comments but they seem to be are flagged as "outdated" now that @landreev has addressed them.
It's not a bad idea to add something to checkstyle but I'm ok waiting so as not to hold up this pull request.
@pdurbin - thanks for approving! The part about adding an explicit "Illegal Import" rule for log4j - I agree that it's a good idea; but we can't do it just yet. Maybe after we overhaul that XOAI library dependency, via #IQSS/dataverse/8372. |
I tried to reproduce this on It's likely that some other dependency uses an older version, so it gets downloaded, but as we use |
Interesting. I'm clearly seeing it on this branch...
then run maven build and see it downloaded again:
I was assuming it was maven itself that needed this for some internal purposes. (trying to remember if I saw this on develop too). Not 100% sure what to make out of the fact that you appear to be getting a different different version ... |
(#IQSS/dataverse-security/48)
For some reason it's still showing this as "change requested", even though I ended up adding that IllegalImport rule to checstyle.xml
What this PR does / why we need it:
Self-explanatory - this PR gets rid of the log4j-1.2.14 jar we've been shipping as part of the war file.
Which issue(s) this PR closes:
Closes IQSS/dataverse-security#48
Special notes for your reviewer:
The surprising part here is that it really looks like none of our 3rd party dependencies are actually using log4j; with the single exception of XOAI - the unsupported dependency that we built ourselves. It's long overdue for an overhaul; this will be handled as a separate issue.
Suggestions on how to test this:
The main (and easily verifiable) goal is for the .war file to no longer contain log4j-1.2.14.jar. Jenkins/restassured tests still passing should ensure that nothing has been broken in the process.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Is there a release notes update needed for this change?:
Additional documentation: