search

qos-ch / reload4j

reload4j is a drop-in replacement for log4j 1.2.17
Apache License 2.0
148 stars 22 forks source link

programatic version is broken #37

Closed noname713705 closed 2 years ago

noname713705 commented 2 years ago

Actually, it is broken since log4j:log4j:1.2.15 and above.

The problem is that, due to error in the generated META-INF/MANIFEST.MF , it is not possible to determine the version of log4j / reload4j programatically. This is due to an invalide Name: entry in the manifest.

This is a problem because it is then difficult to log, or access the reload4j version from code (for example, to check if you let the CVEs behind..)

I'm not sure if I can make a pull request on reload4j, put the following git diff fixes the problem for me:

diff --git a/pom.xml b/pom.xml
index 1f54ec10..579cedc5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -202,11 +202,19 @@
         <version>${maven-jar-plugin.version}</version>
         <configuration>
           <archive>
+            <manifest>
+              <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+            </manifest>
             <manifestEntries>
               <Multi-Release>true</Multi-Release>
               <X-Compile-Source-JDK>${maven.compiler.source}</X-Compile-Source-JDK>
               <X-Compile-Target-JDK>${maven.compiler.target}</X-Compile-Target-JDK>
             </manifestEntries>
+            <manifestSections>
+              <manifestSection>
+                <name>org/apache/log4j/</name>
+              </manifestSection>
+            </manifestSections>
             <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
           </archive>
         </configuration>

Sample code for programatically acessing the version (as for other maven artifacts), but only works with a built jar:

    @Test
    public void testLog4jVersion() {
        String implementationVersion = org.apache.log4j.PatternLayout.class.getPackage().getImplementationVersion();
        LOGGER.warn("log4j.version="+implementationVersion);
        assertNotNull(implementationVersion);
    }
ceki commented 2 years ago

The <addDefaultImplementationEntries>true</addDefaultImplementationEntries> is indeed useful. Regarding the PatternLayout.class.getPackage().getImplementationVersion(); call, once addDefaultImplementationEntries is effective, you do not need to add the name entry.

Also note that, testLog4jVersion() test must be located outside the reload4j project/module to let the the jar plugin do its work.

ceki commented 2 years ago

Fixed in 75907003bbf