Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

migrate logging to SLF4J 2.0.x and Logback 1.4.x #1832

Merged
merged 9 commits into from
Jan 23, 2024
Merged

migrate logging to SLF4J 2.0.x and Logback 1.4.x #1832

merged 9 commits into from
Jan 23, 2024

Conversation

thjaeckle
Copy link
Member

@thjaeckle thjaeckle commented Nov 30, 2023
edited
Loading

Fixes "High" CVE reported in Logstash 1.2:
GHSA-vmq6-5m68-f53m

@thjaeckle
migrate logging to SLF4J 2.0.x and Logback 1.3.x
268c979 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle thjaeckle added this to the 3.5.0 milestone Nov 30, 2023
@thjaeckle thjaeckle self-assigned this Nov 30, 2023
@thjaeckle
fixed unit tests relying on old SLF4J "Binder" mechanism
c3b5420 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle thjaeckle force-pushed the migrate-to-slf4j2-logback13 branch from 36c65db to c3b5420 Compare November 30, 2023 12:01
@thjaeckle thjaeckle changed the title migrate logging to SLF4J 2.0.x and Logback 1.3.x migrate logging to SLF4J 2.0.x and Logback 1.4.x Nov 30, 2023
@thjaeckle
Copy link
Member Author

thjaeckle commented Nov 30, 2023
edited
Loading

@alstanchev @kalinkostashki this would be ready to be reviewed
There is a new CVE for logback version 1.2, which Ditto still uses.

I had also to update to SLF4J 2.x - which seems to work just fine (after some adjustments in the logback.xml regarding conditions ..

@thjaeckle
updated other logging related dependency versions
05529aa 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle thjaeckle force-pushed the migrate-to-slf4j2-logback13 branch from 4836032 to 05529aa Compare November 30, 2023 20:11
@thjaeckle
Merge branch 'master' into migrate-to-slf4j2-logback13
3b3562d
@thjaeckle
fix license header
1cdd419 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle
added missing logstash-logback-encoder.version property
859f199 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle
fixed logging testing
7c3981b 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle
Copy link
Member Author

@alstanchev could you please have a look?
The security issue was also backported to logback 1.2 (and the fix is already included in the latest 3.4.x bugfix release of Ditto), I however think that we should migrate to slf4j 2 and logback 1.4 eventually - and why not with Ditto 3.5? :)

@thjaeckle
bumped slf4j and logback versions to latest patch releases
3c31341 
Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
@thjaeckle thjaeckle merged commit 8d46fcd into master Jan 23, 2024
3 checks passed
@thjaeckle thjaeckle deleted the migrate-to-slf4j2-logback13 branch January 23, 2024 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@thjaeckle thjaeckle

Labels
None yet
Projects
Ditto Planning
Status: Done
Milestone
3.5.0
Development

Successfully merging this pull request may close these issues.
1 participant
@thjaeckle