Getting rid of log4j1 in the war file #8377
Conversation
… longer include log4j-1.* in the war file. (IQSS/dataverse-security#48; also #8372)
|
(part of the reason for making this a draft PR, I wanted to see the automated tests run on it) |
There was a problem hiding this comment.
I left a few comments... 😄
Another question, @landreev: should we make sure no future (accidential) usages of Log4J slip through via
<module name="IllegalImport">
- <property name="illegalPkgs" value="org.apache.commons.lang"/>
+ <property name="illegalPkgs" value="org.apache.commons.lang, org.apache.log4j"/>
</module>in checkstyle.xml? Our good doggo @reviewdog would bark at those (newly added lines).
|
@poikilotherm One random question for you; since it looks like you've been looking into all this in parallel: Have you by any chance figured out why we are downloading the version 1.5.6 of slf4j-parent, slf4j-api, etc. during the build (in addition to 1.7.35, specified as ${slf4j.version})? |
There was a problem hiding this comment.
At standup I volunteered to take a look and everything seems fine to me so I'm moving it to QA.
I didn't deploy the war file but I compared develop-984219b5be to ds48-l4j-upgrade-aae7bbb955 and found that the former has ./WEB-INF/lib/log4j-1.2.14.jar but the latter (this pull request) does not. Both have ./WEB-INF/classes/log4j.properties but this is just a config file.
@poikilotherm I see you had various comments but they seem to be are flagged as "outdated" now that @landreev has addressed them.
It's not a bad idea to add something to checkstyle but I'm ok waiting so as not to hold up this pull request.
|
@pdurbin - thanks for approving! The part about adding an explicit "Illegal Import" rule for log4j - I agree that it's a good idea; but we can't do it just yet. Maybe after we overhaul that XOAI library dependency, via #IQSS/dataverse/8372. |
I tried to reproduce this on It's likely that some other dependency uses an older version, so it gets downloaded, but as we use |
Interesting. I'm clearly seeing it on this branch... then run maven build and see it downloaded again: I was assuming it was maven itself that needed this for some internal purposes. (trying to remember if I saw this on develop too). Not 100% sure what to make out of the fact that you appear to be getting a different different version ... |
(#IQSS/dataverse-security/48)
landreev
dismissed
poikilotherm’s stale review
For some reason it's still showing this as "change requested", even though I ended up adding that IllegalImport rule to checstyle.xml
What this PR does / why we need it:
Self-explanatory - this PR gets rid of the log4j-1.2.14 jar we've been shipping as part of the war file.
Which issue(s) this PR closes:
Closes IQSS/dataverse-security#48
Special notes for your reviewer:
The surprising part here is that it really looks like none of our 3rd party dependencies are actually using log4j; with the single exception of XOAI - the unsupported dependency that we built ourselves. It's long overdue for an overhaul; this will be handled as a separate issue.
Suggestions on how to test this:
The main (and easily verifiable) goal is for the .war file to no longer contain log4j-1.2.14.jar. Jenkins/restassured tests still passing should ensure that nothing has been broken in the process.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Is there a release notes update needed for this change?:
Additional documentation: