DependencyCheck
SLF4J 2.0.0 requires logback 1.3.0
Describe the bug
SLF4J 2.0.0 requires logback 1.3.0+
Running 7.2.0 version of ODC gives the following warnings:
WARNING: SLF4J: No SLF4J providers were found.
WARNING: SLF4J: Defaulting to no-operation (NOP) logger implementation
WARNING: SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
WARNING: SLF4J: Class path contains SLF4J bindings targeting slf4j-api versions prior to 1.8.
WARNING: SLF4J: Ignoring binding found at [jar:file:/D:/Program%20Files/dependency-check/lib/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
WARNING: SLF4J: See http://www.slf4j.org/codes.html#ignoredBindings for an explanation.
And then fails to provide normal logged data besides the warnings above.
Version of dependency-check used
The problem occurs using version 7.2.0 of the cli

Log file
Warning output provided above.

To Reproduce
"dependency-check.bat" --format JSON --prettyPrint --enableExperimental --out "C:****\dc-output-20220914093309.json" --yarn "D:\Program Files\Yarn\bin\yarn.cmd" --scan ****

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
I downloaded logback-core-1.3.0.jar and logback-classic-1.3.0.jar and replaced the 1.2.11 versions with the updated versions and logging worked as it did in previous versions of ODC.
see #4786
With your new setup I expect you would run into an error when you try to create a debug logfile (when you use the -l / --log argument), just like the build of #4786.
Quite possibly, I haven't tried it, but could test it if another data point is useful. However, we have internal team tools that depend on the output to stdout/stderr that was no longer being produced with the older version of logback. Upgrading fixed that output for us.
I had missed the other issue and just wanted to make sure it was on the radar. It is easy enough for us to work around.
@jeremylong what do you think? Maybe best to revert the slf4j update to 2.0.0 and release 7.2.1? I have not verified, but as there are direct references in its codebase to slf4j 1.x StaticLoggerBinder I suspect that the ant task will also suffer from logging issues due to the slf4j version bump.
We have the same problem here... @mcondellva can you please post the steps of your workaround? Thanks!
@maxbeltr That would be
- download the latest 1.3.x of logback-core (1.3.1 by now) https://repo1.maven.org/maven2/ch/qos/logback/logback-core/1.3.1/logback-core-1.3.1.jar and logback-classic https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.3.1/logback-classic-1.3.1.jar
- copy both jars to the lib folder of your extracted dependency-check CLI
- remove logback-classic-1.2.11.jar and logback-core-1.2.11.jar from the lib folder of your extracted dependency-check CLI
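The three workaround steps above, scripted as an added example that is neither part of this thread nor of the dependency-check project. It is written for a POSIX shell (the CLI zip ships bin/dependency-check.sh next to the .bat the reporter used, with the same lib/ layout) and assumes the two 1.3.x jars have already been downloaded from the Maven Central URLs above together with the .sha1 sidecar file Maven Central publishes next to every artifact (same URL with .sha1 appended). Since a jar dropped into lib/ runs with the full privileges of the scanner, the script refuses to install a jar whose SHA-1 does not match its sidecar, and it moves the 1.2.11 jars into a backup directory instead of deleting them. The function names, the logback-backup directory and the argument layout are choices made for this example.

```shell
#!/bin/sh
# Added example, not project code: replace the logback 1.2.11 jars in a
# dependency-check CLI lib/ directory with pre-downloaded 1.3.x jars,
# verifying each new jar against its Maven Central .sha1 sidecar first.
set -eu

# verify_sha1 JAR SIDECAR -> exit status 0 if the jar's SHA-1 matches the
# 40 hex characters in the sidecar file (case-insensitive).
verify_sha1() {
  jar="$1"; sidecar="$2"
  expected=$(cut -c1-40 "$sidecar" | tr 'A-F' 'a-f')
  actual=$(sha1sum "$jar" | cut -c1-40)
  [ "$expected" = "$actual" ]
}

# swap_logback LIBDIR NEWCORE NEWCLASSIC
# Expects NEWCORE.sha1 and NEWCLASSIC.sha1 beside the jars. Old 1.2.x jars
# are moved to LIBDIR/logback-backup (a name chosen for this example), so the
# change can be undone if the 1.3.x jars cause trouble (see #4786 above).
swap_logback() {
  libdir="$1"; newcore="$2"; newclassic="$3"

  # Integrity check before anything touches the classpath.
  for jar in "$newcore" "$newclassic"; do
    verify_sha1 "$jar" "$jar.sha1" || {
      echo "checksum mismatch, refusing to install: $jar" >&2
      return 1
    }
  done

  mkdir -p "$libdir/logback-backup" || return 1

  # Move the old 1.2.x jars out of lib/ (the glob stays literal when there
  # is no match, so the -e test skips it).
  for old in "$libdir"/logback-core-1.2.*.jar "$libdir"/logback-classic-1.2.*.jar; do
    if [ -e "$old" ]; then
      mv "$old" "$libdir/logback-backup/" || return 1
    fi
  done

  cp "$newcore" "$newclassic" "$libdir/" || return 1
}

# Usage (paths are placeholders):
#   swap_logback /opt/dependency-check/lib \
#     ./logback-core-1.3.1.jar ./logback-classic-1.3.1.jar
```

After the swap, rerunning the CLI should print the normal log lines instead of the SLF4J "No SLF4J providers were found" warnings quoted in the report.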
Thanks a lot!