logstash-plugins / logstash-input-tcp


Update log4j, make runtime rely only on log4j-api (5.x branch, support LS 6.x) #189

Closed yaauie closed 2 years ago

yaauie commented 2 years ago

By making our runtime rely only on log4j-api, we ensure that our distributed artifacts don't include log4j-core, and eliminate a potential duplicate from appearing on the classpath.

Due to the way Logstash works, its own log4j-core is already loaded before plugins are loaded, so the presence of log4j-core in this plugin isn't a problem in and of itself, but can cause scanners to emit false positives.

yaauie commented 2 years ago

Observe that log4j-core only appears in test:


------------------------------------------------------------
Root project
------------------------------------------------------------

apiElements - API elements for main. (n)
No dependencies

archives - Configuration for archive artifacts.
No dependencies

compile - Dependencies for source set 'main' (deprecated, use 'implementation ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

compileClasspath - Compile classpath for source set 'main'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

compileOnly - Compile only dependencies for source set 'main'.
No dependencies

default - Configuration for default artifacts.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

implementation - Implementation only dependencies for source set 'main'. (n)
No dependencies

runtime - Runtime dependencies for source set 'main' (deprecated, use 'runtimeOnly ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

runtimeElements - Elements of runtime for main. (n)
No dependencies

runtimeOnly - Runtime only dependencies for source set 'main'. (n)
No dependencies

shadow
No dependencies

testCompile - Dependencies for source set 'test' (deprecated, use 'testImplementation ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

testCompileClasspath - Compile classpath for source set 'test'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
+--- org.apache.logging.log4j:log4j-api:2.16.0
\--- org.apache.logging.log4j:log4j-core:2.16.0
     \--- org.apache.logging.log4j:log4j-api:2.16.0

testCompileOnly - Compile only dependencies for source set 'test'.
No dependencies

testImplementation - Implementation only dependencies for source set 'test'. (n)
\--- org.apache.logging.log4j:log4j-core:2.16.0 (n)

testRuntime - Runtime dependencies for source set 'test' (deprecated, use 'testRuntimeOnly ' instead).
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
\--- org.apache.logging.log4j:log4j-api:2.16.0

testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- io.netty:netty-all:4.1.18.Final
+--- io.netty:netty-tcnative-boringssl-static:2.0.7.Final
+--- commons-io:commons-io:2.5
+--- org.apache.logging.log4j:log4j-api:2.16.0
\--- org.apache.logging.log4j:log4j-core:2.16.0
     \--- org.apache.logging.log4j:log4j-api:2.16.0

testRuntimeOnly - Runtime only dependencies for source set 'test'. (n)
No dependencies

(*) - dependencies omitted (listed previously)

(n) - Not resolved (configuration is not meant to be resolved)

And that the generated jar dependency does not contain log4j-core:

╭─{ yaauie@limbo:~/src/elastic/logstash-plugins/logstash-input-tcp (✔ 5.x-log4j) }
╰─● unzip -l vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.2.4/logstash-input-tcp-5.2.4.jar | grep log4j-    
        0  12-15-2021 10:13   META-INF/maven/org.apache.logging.log4j/log4j-api/
    14045  12-12-2021 23:40   META-INF/maven/org.apache.logging.log4j/log4j-api/pom.xml
      100  12-12-2021 23:40   META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties
[success]
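A scanner for the check shown in the comment above, added here as an example; it is not part of this PR or of the logstash-input-tcp project. It does in Python's standard-library zipfile what the `unzip -l ... | grep log4j-` command does by hand, so it runs offline against jars constructed in memory, and it goes further on three points a reviewer would want covered: it matches class entries as well as META-INF/maven metadata (a jar whose pom metadata was stripped still gets flagged), it tells log4j-api, which the plugin jar is expected to carry, apart from log4j-core, and it recurses into nested jars. The jar contents, the `org/logstash/example/Placeholder` class name and the function names are all constructed for this example.

```python
"""Check built jars for bundled log4j-core.

Added example for this PR thread, not code from the logstash-input-tcp
project. All jar contents below are constructed in memory for the example.
"""
import io
import zipfile
from typing import Dict, List

CORE_CLASS_MARKER = "log4j/core/"  # also catches relocated packages that keep this tail
CORE_POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
API_POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-api/"
API_CLASS_PREFIX = "org/apache/logging/log4j/"


def classify_entries(jar_bytes: bytes, path: str = "<root>") -> Dict[str, List[str]]:
    """Return {"core": [...], "api": [...]} with the matching entry names.

    Nested jars are opened in memory; their entries are reported as
    outer!/inner.jar!/entry so the offending artifact is easy to locate.
    """
    found: Dict[str, List[str]] = {"core": [], "api": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            full = f"{path}!/{name}"
            if CORE_CLASS_MARKER in name or name.startswith(CORE_POM_PREFIX):
                found["core"].append(full)
            elif name.startswith(API_POM_PREFIX) or (
                name.startswith(API_CLASS_PREFIX) and name.endswith(".class")
            ):
                found["api"].append(full)
            elif name.endswith(".jar"):
                nested = classify_entries(zf.read(name), full)
                found["core"].extend(nested["core"])
                found["api"].extend(nested["api"])
    return found


def ships_log4j_core(jar_bytes: bytes) -> bool:
    """True when the artifact, or any jar nested in it, bundles log4j-core."""
    return bool(classify_entries(jar_bytes)["core"])


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar from {entry_name: bytes}. Constructed input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLASS_STUB = b"\xca\xfe\xba\xbe"  # class-file magic; enough for a name-based scan

# Constructed: shape of the plugin jar after this PR, log4j-api metadata only.
CLEAN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": b"version=2.16.0\n",
    "org/apache/logging/log4j/LogManager.class": CLASS_STUB,
    "org/logstash/example/Placeholder.class": CLASS_STUB,  # placeholder plugin class
})

# Constructed: log4j-core classes bundled but the maven metadata dropped, which
# a grep over META-INF/maven alone would not see.
STRIPPED_CORE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/logging/log4j/LogManager.class": CLASS_STUB,
    "org/apache/logging/log4j/core/LoggerContext.class": CLASS_STUB,
})

# Constructed: a complete log4j-core jar nested inside another artifact.
NESTED_JAR = build_jar({
    "lib/log4j-core-2.16.0.jar": build_jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.16.0\n",
        "org/apache/logging/log4j/core/Logger.class": CLASS_STUB,
    }),
})


if __name__ == "__main__":
    samples = (("clean", CLEAN_JAR), ("stripped-core", STRIPPED_CORE_JAR), ("nested", NESTED_JAR))
    for label, jar in samples:
        found = classify_entries(jar)
        verdict = "FAIL: log4j-core bundled" if found["core"] else "ok: log4j-api only"
        print(f"{label:14s} {verdict}")
        for entry in found["core"]:
            print(f"    {entry}")
```

Against a real build, call `classify_entries(open(path, "rb").read())` on each jar under the vendored jar-dependencies directory. The scan is name-based: it confirms what is packaged in the artifact, which is what dependency scanners look at, and says nothing about which log4j-core copy the Logstash classloader actually resolves at runtime.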
yaauie commented 2 years ago

Build failure is due to an open dependency on logstash-devutils; I'm working to mitigate by pinning to the minor release of that dependency that was current when this branch was last used.