Contains log4j 1.x
Upgrade log4j version
Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later). (More info: https://logging.apache.org/log4j/2.x/security.html)
Ok so I did some more research and it seems the log4j dependencies originate from Xtext (see https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)) and log4j is actually used in our generated Classes ConceptActivator and CalcuationActivator.
It also seems like the Xtext maintainers do not intend to upgrade their log4j dependency (see discussion in https://github.com/eclipse/xtext-core/issues/1363).
So I actually don't know how to approach this, any ideas @maurpa ?
After discussion in the developer meeting we decided that we want to investigate options to exclude the log4j dependency or update to a 2.x version.
For this we should look into the .mwe2 workflow to see if we can influence Xtend's logging via configuration. Furthermore, maybe the dependency can be excluded in the p2 workflow. Furthermore, we should test if Xtext works with the 2.x version.
If we don't find an applicable solution then we should communicate the EOL dependency to our stakeholders via the documentation.
Question: does anyone have the log4j bridge working, and would this be a viable solution?
https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html
We have already had a look into this, but the dependency is declared in the jar file of Xtext. Then we would need to create a custom jar with the bridge.
The theory was that you don't need a custom jar but rather, at runtime, replace the log4j 1.2 jar with the log4j bridge, which takes 1.2 API calls and forwards them to 2.x.
I think this sounds good, we should try it.
So how would this work in detail?
Do we add the Maven dependency on the bridge and 2.x jars, then exclude the log4j 1.x jars and include the bridge as well as the 2.x jars in the configuration of the Tycho compiler (https://www.eclipse.org/tycho/sitedocs/tycho-compiler-plugin/compile-mojo.html)? And do we have to do that in the plugin poms, or can we do that in the root pom once?
Or is there a better point / way to do that in our build system?
Some additional resources I found:
- https://logging.apache.org/log4j/2.x/manual/migration.html
- https://logging.apache.org/log4j/2.x/log4j-1.2-api/dependency-info.html
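As an added illustration (not from this thread or the project's own build), this is what the bridge approach from the migration guide looks like in a plain Maven pom: the transitive `log4j:log4j` 1.x artifact is excluded from the dependency that drags it in, and `log4j-1.2-api` (the bridge), `log4j-api` and `log4j-core` are added in its place. The Log4j 2 coordinates are the real ones and the version is the 2.17.0 named above; the `${xtext.groupId}`/`${xtext.artifactId}` placeholders stand for whichever Xtext artifact pulls in log4j 1.x in your build, which is an assumption here, as is the `compile` scope.

```xml
<!-- Added example, not the project's pom: replace log4j 1.x with the Log4j 2 bridge.
     Placeholders ${xtext.groupId}/${xtext.artifactId} are assumed; substitute the
     artifact that actually declares the log4j:log4j dependency in your build. -->
<properties>
  <!-- Version from the security advisory linked in this thread (Java 8+) -->
  <log4j2.version>2.17.0</log4j2.version>
</properties>

<dependencies>
  <!-- The dependency that transitively brings in log4j 1.x -->
  <dependency>
    <groupId>${xtext.groupId}</groupId>
    <artifactId>${xtext.artifactId}</artifactId>
    <version>${xtext.version}</version>
    <exclusions>
      <!-- Drop the EOL 1.x jar so the bridge below is the only provider of org.apache.log4j.* -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Bridge: implements the log4j 1.2 API (org.apache.log4j.*) on top of Log4j 2 -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>

  <!-- Log4j 2 API and runtime the bridge forwards to -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

Two things to check after applying this. First, `mvn dependency:tree` should no longer list `log4j:log4j` anywhere; if it still appears under another path, that path needs its own exclusion (or a `dependencyManagement` entry). Second, whether a Maven-level exclusion takes effect at all in a Tycho build depends on whether the plugin's classpath is resolved from the target platform rather than from Maven, which is the open question in this thread; at runtime the quickest confirmation is to check where `org.apache.log4j.Logger` is loaded from (for example via `Logger.class.getProtectionDomain().getCodeSource().getLocation()`): it should point at the `log4j-1.2-api` jar, not a `log4j-1.2.x.jar`.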
I tried it already, when we started to investigate excluding it in the main pom and adding the b. Without success using the second option described here https://logging.apache.org/log4j/2.x/manual/migration.htm. I tried it also in the plugin pom of model concept and there it is working.
Could you be specific as to what you did that made it work?