CNDB-11076: bump SLF4J version to 2.0.9; bump logback version to 1.4.14 to get rid of security holes #1515
Conversation
jakubzytka
force-pushed
the
cndb-11076-update-slf4j-and-logback
branch
from
8ea5c96 to
6e13349
Compare
| new ObjectName("ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator"), | ||
| JMXConfiguratorMBean.class); | ||
| jmxConfiguratorMBean.reloadDefaultConfiguration(); | ||
| LoggerContext lc = (LoggerContext) LoggerFactory.getILoggerFactory(); |
There was a problem hiding this comment.
that's on basis of:
qos-ch/logback@fa3de69
we'll see how the CI is gonna look like
I'll do some manual test too.
There was a problem hiding this comment.
added a unit test that shows this works
There was a problem hiding this comment.
did the previous code register an MBean? does it do that now as well?
There was a problem hiding this comment.
Old logback had an mbean.
The new one doesn't have it.
We are no longer using it.
I don't think that mbeans registered by 3rd party libraries are part of the Cassandra interface
| @@ -20,7 +20,7 @@ | |||
| <define name="instance_id" class="org.apache.cassandra.distributed.impl.InstanceIDDefiner" /> | |||
|
|
|||
| <!-- Shutdown hook ensures that async appender flushes --> | |||
| <shutdownHook class="ch.qos.logback.core.hook.DelayingShutdownHook"/> | |||
| <shutdownHook class="ch.qos.logback.core.hook.DefaultShutdownHook"/> | |||
There was a problem hiding this comment.
renamed in logback in:
qos-ch/logback@4d705d9
| @@ -1814,9 +1815,16 @@ public void testEmptyListAndNullInitcond() throws Throwable | |||
| public void testLogbackReload() throws Throwable | |||
| { | |||
| // see https://issues.apache.org/jira/browse/CASSANDRA-11033 | |||
| Logger l = LoggerFactory.getLogger(AggregationTest.class); | |||
There was a problem hiding this comment.
the test didn't work previously due to ReconfigureOnChangeTask being used instead of filters.
I changed it to run the reconfigure task as intended. let's see what happens....
| @@ -18,7 +18,7 @@ | |||
| */ | |||
| package org.apache.cassandra.utils; | |||
|
|
|||
| import org.apache.log4j.Logger; | |||
| import org.slf4j.LoggerFactory; | |||
There was a problem hiding this comment.
I removed all log4j.
that's the only place that needed a change.
…14 to get rid of security holes
jakubzytka
force-pushed
the
cndb-11076-update-slf4j-and-logback
branch
from
6e13349 to
aad4041
Compare
| @@ -34,7 +34,7 @@ | |||
|
|
|||
| <appender name="INSTANCESTDERR" target="System.err" class="ch.qos.logback.core.ConsoleAppender"> | |||
| <encoder> | |||
| <pattern>%-5level %date{HH:mm:ss,SSS} %msg%n</pattern> | |||
| <pattern>%-5level %date{"HH:mm:ss,SSS"} %msg%n</pattern> | |||
There was a problem hiding this comment.
the original one is an invalid pattern, probably since logback 1.3
https://logback.qos.ch/manual/layouts.html#date
jakubzytka
force-pushed
the
cndb-11076-update-slf4j-and-logback
branch
from
e3f54a8 to
61995d1
Compare
|
❌ Build ds-cassandra-pr-gate/PR-1515 rejected by Butler1 new test failure(s) in 8 builds Found 1 new test failures
Found 43 known test failures |
…14 to get rid of security holes (#1515)
…14 to get rid of security holes (#1515)
…14 to get rid of security holes (#1515)
What is the issue
Old slf4j and logback are suffering from known security vulnerabilities.
What does this PR fix and why was it fixed
This change upgrades the dependencies to versions with fixed vulnerabilities.
Checklist before you submit for review
NoSpamLoggerfor log lines that may appear frequently in the logs