elucidation-project / elucidation

Track and generate real time microservice dependency relationships
MIT License

Investigate adding Maven enforcer bans on certain logging dependencies #32

Open sleberknight opened 1 year ago

sleberknight commented 1 year ago

We used to have the following in the root POM:

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>${maven-enforcer-plugin.version}</version>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <configuration>
                            <rules>
                                <dependencyConvergence />
                                <bannedDependencies>
                                    <excludes>
                                        <!-- As recommended from slf4j guide, exclude commons-logging -->
                                        <exclude>commons-logging:commons-logging</exclude>
                                        <!-- Ensure only the slf4j binding for logback is on the classpath -->
                                        <exclude>log4j:log4j</exclude>
                                        <!-- This should not exist as it will force slf4j calls to be delegated to JUL -->
                                        <exclude>org.slf4j:slf4j-jdk14</exclude>
                                        <!-- This should not exist as it will force slf4j calls to be delegated to log4j -->
                                        <exclude>org.slf4j:slf4j-log4j12</exclude>
                                    </excludes>
                                </bannedDependencies>
                                <requireMavenVersion>
                                    <version>3.3.9</version>
                                </requireMavenVersion>
                            </rules>
                        </configuration>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

This told Maven Enforcer to ban several logging frameworks for reasons described in the SLF4J Bridging legacy APIs page and StackOverflowError due to things like having both jcl-over-slf4j.jar AND slf4j-jcl.jar on the class path.

kiwi's parent POM does not have these, I think because they use the SLF4J API but don't enforce a specific logging back-end such as Logback or Log4J2. However, as elucidation is a Dropwizard service, it uses Logback as the logging provider, and therefore we do not want any other logging providers on the classpath.

So, does it make sense to add these back in to elucidation? I don't think it makes sense to add these bans to kiwi-parent, but it might make sense to add them here in elucidation.

sleberknight commented 1 year ago

Also see this gist which is similar but has slightly different syntax, e.g. it uses just commons-logging while we used (in the original POM) commons-logging:commons-logging.

If we choose to add these back, we should test this (functionally) by adding the enforcer bans, and then adding each banned dependency to the POM individually and making sure that Maven Enforcer enforces and fails the build until they are removed.
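
Added example, not part of the issue thread or the elucidation project's code: a Python sketch that applies the ban patterns from the POM above, plus the gist's `commons-logging` spelling, to `mvn dependency:list` output, so the two spellings can be compared. It is a simplified model of Maven Enforcer's `groupId[:artifactId]` pattern matching (the version, type, scope and classifier sections are ignored), and the dependency listing is a constructed sample, not output from a real build.

```python
import re
from fnmatch import fnmatchcase

# Ban patterns from the POM in this issue, plus the gist's shorter
# groupId-only spelling of the commons-logging ban.
BANNED = [
    "commons-logging:commons-logging",
    "commons-logging",
    "log4j:log4j",
    "org.slf4j:slf4j-jdk14",
    "org.slf4j:slf4j-log4j12",
]

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO]    org.slf4j:jcl-over-slf4j:jar:1.7.30:compile
[INFO]    commons-logging:commons-logging:jar:1.2:compile
[INFO]    org.slf4j:slf4j-log4j12:jar:1.7.30:runtime
"""

# groupId:artifactId:type:... as printed by dependency:list
COORD = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w.\-]+:")


def matches(pattern, group_id, artifact_id):
    """Simplified enforcer match: an omitted artifactId section means '*'."""
    parts = pattern.split(":")
    group_pat = parts[0]
    artifact_pat = parts[1] if len(parts) > 1 else "*"
    return fnmatchcase(group_id, group_pat) and fnmatchcase(artifact_id, artifact_pat)


def find_banned(listing, patterns=BANNED):
    """Map each banned groupId:artifactId in the listing to the patterns it hit."""
    hits = {}
    for line in listing.splitlines():
        m = COORD.match(line)
        if not m:
            continue  # header or other non-coordinate line
        group_id, artifact_id = m.groups()
        matched = [p for p in patterns if matches(p, group_id, artifact_id)]
        if matched:
            hits[f"{group_id}:{artifact_id}"] = matched
    return hits


if __name__ == "__main__":
    for coord, pats in find_banned(SAMPLE).items():
        print(f"BANNED {coord} (matched by {', '.join(pats)})")
```

The groupId-only form is the broader of the two: it bans every artifact under the `commons-logging` group, while `commons-logging:commons-logging` bans only that one artifact.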