cloudant-labs / clouseau

Expose Lucene features as an erlang-like node
Apache License 2.0

Remove hard dependency on log4j #46

Closed rnewson closed 2 years ago

rnewson commented 2 years ago

Leave this to the system administrator.

iilyak commented 2 years ago

The test suite is failing.

on master

Results :

Tests run: 97, Failures: 0, Errors: 0, Skipped: 0

on PR

org.specs2.execute.Error$ThrowableException: NoClassDefFoundError: Could not initialize class org.jboss.netty.util.HashedWheelTimer
    at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:59)
    at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:120)
    at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:103)
    at org.apache.maven.surefire.Surefire.run(Surefire.java:169)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:350)
    at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:1021)
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.jboss.netty.util.HashedWheelTimer
    at scalang.ErlangNode.<init>(Node.scala:185)
    at scalang.Node$.apply(Node.scala:52)
    at com.cloudant.clouseau.RunningNode$class.$init$(RunningNode.scala:22)
    at com.cloudant.clouseau.IndexCleanupServiceSpec$$anonfun$3$$anonfun$apply$1$$anon$1.<init>(IndexCleanupServiceSpec.scala:25)
    at com.cloudant.clouseau.IndexCleanupServiceSpec$$anonfun$3$$anonfun$apply$1.apply(IndexCleanupServiceSpec.scala:25)
    at com.cloudant.clouseau.IndexCleanupServiceSpec$$anonfun$3$$anonfun$apply$1.apply(IndexCleanupServiceSpec.scala:25)

Could be related to my setup. However, it doesn't explain why it works on master.

iilyak commented 2 years ago

more relevant stack trace

Running com.cloudant.clouseau.AnalyzerServiceSpec
Tests run: 0, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.033 sec
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.326 sec <<< FAILURE!
an analyzer should::demonstrate standard tokenization(com.cloudant.clouseau.AnalyzerServiceSpec)  Time elapsed: 0.096 sec  <<< ERROR!
org.specs2.execute.Error$ThrowableException: NoClassDefFoundError: Could not initialize class com.cloudant.clouseau.SupportedAnalyzers$
Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.cloudant.clouseau.SupportedAnalyzers$
    at com.cloudant.clouseau.AnalyzerService.handleCall(AnalyzerService.scala:29)
    at com.cloudant.clouseau.AnalyzerServiceSpec$$anonfun$1$$anonfun$apply$1$$anon$1$$anonfun$2.apply(AnalyzerServiceSpec.scala:23)
    at com.cloudant.clouseau.AnalyzerServiceSpec$$anonfun$1$$anonfun$apply$1$$anon$1.<init>(AnalyzerServiceSpec.scala:23)
    at com.cloudant.clouseau.AnalyzerServiceSpec$$anonfun$1$$anonfun$apply$1.apply(AnalyzerServiceSpec.scala:22)
    at com.cloudant.clouseau.AnalyzerServiceSpec$$anonfun$1$$anonfun$apply$1.apply(AnalyzerServiceSpec.scala:22)

rnewson commented 2 years ago

(the test failures from Ilya are from before I added slf4j-simple as a test-scoped dependency).

rnewson commented 2 years ago

(upgrading slf4j to make it easier to choose slf4j backends)

rnewson commented 2 years ago

Noting that log4j 1.x is not vulnerable to Log4Shell but this incident reminded us to look again. It is inappropriate to force one of slf4j's backends on consumers of clouseau and this PR corrects that.

juanjopb commented 2 years ago

Hello @rnewson, is it possible to create a new release with these new changes?

Does removing the hard dependency mean removing the line "-Dlog4j.configuration=file:/opt/clouseau/log4j.properties" from the Java run?

Thanks

rnewson commented 2 years ago

It removes log4j entirely. But please note that log4j 1.x is not susceptible to Log4Shell, if that's why you're asking for a release.

juanjopb commented 2 years ago

@rnewson Sorry to ask again, how can I get the binaries or a release of the new versions without the log4j...? I have some installations that are being reported by the security team even knowing that it is a non-vulnerable version.

rnewson commented 2 years ago

The release already happened (2.21.0) but it seems it hasn't been tagged here. I'll nudge.
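
Added example, not part of the original thread or the clouseau code base: a jar scanner that reports which logging backend a deployment actually bundles, so a scanner report about log4j can be triaged by whether the classes present are log4j 1.x API classes, an SLF4J binding, or the log4j 2.x `JndiLookup` class associated with Log4Shell. The marker table, function names and sample jars are assumptions constructed for illustration; it also recurses into nested jars, which goes beyond the case discussed above.

```python
import io
import zipfile

# Jar entry -> finding. Entry paths are the class/resource locations inside the jar.
MARKERS = {
    "org/apache/log4j/Logger.class": "log4j1-api",  # log4j 1.x (bridges/forks ship it too)
    "org/apache/logging/log4j/core/Logger.class": "log4j2-core",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j2-jndi-lookup",
    "org/slf4j/impl/StaticLoggerBinder.class": "slf4j-binding",  # class named in the trace above
    "META-INF/services/org.slf4j.spi.SLF4JServiceProvider": "slf4j-binding",
}


def scan_jar(data, name="<jar>", depth=0, max_depth=3):
    """Return sorted (location, finding) pairs for one jar, recursing into nested jars."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable")]  # report it rather than silently skipping
    findings = set()
    with archive:
        for entry in archive.namelist():
            if entry in MARKERS:
                findings.add((name, MARKERS[entry]))
            elif entry.endswith((".jar", ".war")) and depth < max_depth:
                findings.update(scan_jar(archive.read(entry), f"{name}!/{entry}", depth + 1, max_depth))
    return sorted(findings)


def log4shell_relevant(findings):
    """True only when the log4j 2.x JndiLookup class is present; log4j 1.x classes do not count."""
    return any(kind == "log4j2-jndi-lookup" for _, kind in findings)


def make_jar(entries):
    """Build an in-memory jar from {path: bytes} (constructed sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()


# Constructed sample jars: a build bundling log4j 1.x, one with no backend, and a fat jar.
OLD_STYLE = make_jar({"org/apache/log4j/Logger.class": b"", "org/slf4j/impl/StaticLoggerBinder.class": b""})
NO_BACKEND = make_jar({"org/slf4j/Logger.class": b""})
FAT_JAR = make_jar({"lib/log4j-core.jar": make_jar({
    "org/apache/logging/log4j/core/Logger.class": b"",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})})
```

A jar that reports only `log4j1-api` matches the situation described in the thread: flagged by name, but without the log4j 2.x lookup class.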