
Dependency issue with slf4j

Open fwendland opened this issue 3 years ago • 4 comments

Recently, I've seen the following exception pertaining to slf4j:

Sep 16, 2021 9:33:06 AM org.junit.platform.launcher.core.EngineDiscoveryOrchestrator lambda$logTestDescriptorExclusionReasons$7
INFO: 0 containers and 7 tests were Method or class mismatch
Unexpected problem occured during version sanity check
Reported exception:
java.lang.AbstractMethodError: Receiver class org.apache.logging.slf4j.SLF4JServiceProvider does not define or inherit an implementation of the resolved method 'abstract java.lang.String getRequestedApiVersion()' of interface org.slf4j.spi.SLF4JServiceProvider.
	at org.slf4j.LoggerFactory.versionSanityCheck(LoggerFactory.java:297)
	at org.slf4j.LoggerFactory.performInitialization(LoggerFactory.java:141)
	at org.slf4j.LoggerFactory.getProvider(LoggerFactory.java:421)
	at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:407)
	at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:356)
	at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:382)
	at de.fraunhofer.aisec.codyze.analysis.AnalysisServer.<clinit>(AnalysisServer.java:58)
	at de.fraunhofer.aisec.codyze.crymlin.AbstractMarkTest.performTest(AbstractMarkTest.kt:84)
	at de.fraunhofer.aisec.codyze.crymlin.JCATest.testBCProviderCipher(JCATest.kt:10)
	// ...

Maybe we have a dependency issue?

fwendland avatar Sep 16 '21 07:09 fwendland

This is a problem related to the upgrade to slf4j 2.0 alpha. See https://issues.apache.org/jira/browse/LOG4J2-3139

It seems that log4j has not yet been upgraded to the new 2.0 of slf4j. They also claim that it will take some time to do this and they want to wait until it is stable. I seem to recall that the older versions of slf4j had security issues; that's why we upgraded to 2.0-alpha.

Not sure we can do anything at the moment except to somehow swallow this error message. Logging works fine even with it.

oxisto avatar Sep 17 '21 15:09 oxisto

Thinking about it, we could move from log4j to another provider, maybe Logback-classic or so, if they already implement the new 2.0 interface.

oxisto avatar Sep 17 '21 15:09 oxisto

Update 2: Looking at the dependency list of cpg, it seems that org.apache.logging.log4j » log4j-slf4j18-impl is part of the dependencies. That is not good. The cpg library should only include a dependency on the slf4j API, and its users should be able to use an implementation of it.

oxisto avatar Sep 17 '21 15:09 oxisto

Yes, everything works fine. Let's just keep this one open until there is a fix.

Regarding log4j: I need to look into our dependencies as well. Maybe we need it for Xtext anyway.

fwendland avatar Sep 20 '21 07:09 fwendland
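
Added example, not part of the thread and not taken from the codyze or cpg build files: a consumer-side Gradle (Kotlin DSL) configuration that removes the transitive log4j-slf4j18-impl binding named above and lets the application choose a single SLF4J provider. The use of Gradle, the cpg coordinates, the choice of Logback and every `<...>` version are assumptions or placeholders.

```kotlin
// build.gradle.kts of an application that consumes the cpg library (constructed example).
// Every <...> version is a placeholder; pick versions that belong together.

plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Drop the SLF4J binding that arrives transitively through cpg, so the
    // library contributes only code that logs against the SLF4J API.
    implementation("de.fraunhofer.aisec:cpg:<cpg-version>") { // coordinates assumed
        exclude(group = "org.apache.logging.log4j", module = "log4j-slf4j18-impl")
    }

    // Compile against the API only.
    implementation("org.slf4j:slf4j-api:<slf4j-version>")

    // The application, not the library, selects the provider. It has to
    // implement the same SLF4J API generation as slf4j-api above; a provider
    // built for another generation is what triggers the AbstractMethodError
    // during LoggerFactory's version sanity check.
    runtimeOnly("ch.qos.logback:logback-classic:<logback-version>") // assumed choice
}

// Guard: keep the binding off every configuration, even if another
// dependency reintroduces it later.
configurations.all {
    exclude(group = "org.apache.logging.log4j", module = "log4j-slf4j18-impl")
}

// Library side (what the thread asks of cpg), shown as comments because it
// belongs in the library's own build file:
//   api("org.slf4j:slf4j-api:<slf4j-version>")
//   testRuntimeOnly("<provider used only by the library's tests>")
```

Running `gradle dependencies --configuration runtimeClasspath` afterwards shows whether exactly one SLF4J provider remains on the runtime classpath.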