Downgrade cron-utils to 9.2.0 #873
Conversation
Motivation:
We have upgraded cron-utils to 9.2.1 to address [CVE-2021-41269](GHSA-p9m8-27x8-rg87). The 9.2.1 version uses slf4j2 that must be used with logback 1.3 or 1.4. Because we use logback 1.2 version in Armeria, we need to exclude slf4j2: #872.
Just excluding slf4j should be okay because cron-utils isn't using any APIs that are introduced after slf4j 2.0: https://github.com/search?q=repo%3Ajmrozanec%2Fcron-utils+slf4j&type=code
However, there's no guarantee that cron-utils won't use the new APIs in the future. So, I think we should stop upgrading it until another CVE is found or Armeria uses a higher version of Logback and Slf4j.
While I'm working on this, I found out that cron-utils 9.2.0, which is one micro version earlier, uses Slf4j 1.x which is compatible with Armeria, so it's better to use that version.
Modification:
- Downgrade cron-utils to 9.2.0
Result:
- Resolve dependency conflict for server module.
I have checked that there's no SLF4J2 in the classpath for the server.
dist/src/conf/logback.xml
@@ -37,6 +37,7 @@ | |||
<logger name="com.github.benmanes.caffeine.cache" level="ERROR" /> | |||
<logger name="com.linecorp" level="INFO" /> | |||
<logger name="com.linecorp.centraldogma" level="DEBUG" /> | |||
<logger name="com.linecorp.centraldogma.server.internal.mirror" level="INFO" /> |
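Review bot: The added `<logger name="com.linecorp.centraldogma.server.internal.mirror" level="INFO" />` lowers the level for the whole mirror package, not only for the SSH session factory whose DEBUG output motivated it, so DEBUG diagnostics from every other mirroring class are lost as well. Narrow it to the logger that actually emits the noise, e.g. `<logger name="com.linecorp.centraldogma.server.internal.mirror.GitWithAuth$DefaultGitSshdSessionFactory" level="INFO" />`, and add an XML comment next to it saying which class it silences and why, so the line is not removed as unexplained later. Note also that those DEBUG lines carry remote connection details (`Authenticating: ClientSessionImpl[git@...]`), so keeping them out of the default log output is worthwhile on its own.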
I found out that GitSshdSessionFactory from Apache MINA, which is inherited by the DefaultGitSshdSessionFactory Central Dogma class, produces verbose debug outputs. GitSshdSessionFactory creates the logger with its class name, which is DefaultGitSshdSessionFactory in this case, so they are all logged by the <logger name="com.linecorp.centraldogma" level="DEBUG" />.
2023-08-26 00:38:06.468 [DEBUG](c.l.c.s.i.m.GitWithAuth$DefaultGitSshdSessionFactory$1) [mirroring-worker-6-1] Connecting to ...
2023-08-26 00:38:06.537 [DEBUG](c.l.c.s.i.m.GitWithAuth$DefaultGitSshdSessionFactory$1) [mirroring-worker-6-1] Connected to ...
2023-08-26 00:38:06.537 [DEBUG](c.l.c.s.i.m.GitWithAuth$DefaultGitSshdSessionFactory$1) [mirroring-worker-6-1] Authenticating: ClientSessionImpl[git@...]
.....
6-1] Stopped SshClient[3c45db89]
Can we extract the class (...$1) into a top-level class and adjust the log level for that specific class only?
There are two separate DefaultGitSshdSessionFactory anonymous classes in the file.
Let me just use the class specifically:
<logger name="com.linecorp.centraldogma.server.internal.mirror.GitWithAuth$DefaultGitSshdSessionFactory" level="INFO" />
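To see why a logger named after the enclosing class also covers the anonymous `$1` class, here is an added example (not Central Dogma's or Apache MINA's code). It assumes logback-classic 1.2.x is on the classpath and relies on logback treating `$` like `.` as a logger-name separator; the `SessionFactory` and `DefaultSessionFactory` classes are stand-ins for `GitSshdSessionFactory` and `DefaultGitSshdSessionFactory`.

```java
// Added example, not project code. Demonstrates the logger-name mechanism discussed
// in the thread: a logger created with getClass() inside an anonymous class takes the
// binary name "<Outer>$<Inner>$1", and logback resolves levels along '.' and '$'
// boundaries, so a <logger> on "<Outer>$<Inner>" applies to "<Outer>$<Inner>$1".
import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.LoggerContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LoggerNameDemo {
    // Stand-in for MINA's GitSshdSessionFactory: the logger is named after the
    // concrete runtime class, as the PR thread describes.
    abstract static class SessionFactory {
        final Logger log = LoggerFactory.getLogger(getClass());
        void connect(String host) { log.debug("Connecting to {}", host); }
    }

    // Stand-in for Central Dogma's DefaultGitSshdSessionFactory.
    static class DefaultSessionFactory extends SessionFactory {
        // An anonymous subclass declared inside this class gets the binary name
        // LoggerNameDemo$DefaultSessionFactory$1, and so does its logger.
        SessionFactory anonymousChild() { return new SessionFactory() {}; }
    }

    public static void main(String[] args) {
        SessionFactory child = new DefaultSessionFactory().anonymousChild();
        String name = child.log.getName(); // the "$1" logger name seen in the log output
        System.out.println("anonymous logger: " + name);

        LoggerContext ctx = (LoggerContext) LoggerFactory.getILoggerFactory();
        // Broad DEBUG on the ancestor, like <logger name="com.linecorp.centraldogma" level="DEBUG"/>:
        // the $1 logger inherits DEBUG and becomes verbose.
        ctx.getLogger("LoggerNameDemo").setLevel(Level.DEBUG);
        System.out.println("after broad DEBUG: " + ctx.getLogger(name).getEffectiveLevel());

        // Narrow INFO on the enclosing class only, the equivalent of
        // <logger name="...GitWithAuth$DefaultGitSshdSessionFactory" level="INFO"/>:
        // the $1 logger now inherits INFO from its enclosing class, while other
        // classes under the same ancestor keep DEBUG.
        ctx.getLogger("LoggerNameDemo$DefaultSessionFactory").setLevel(Level.INFO);
        System.out.println("after narrow INFO: " + ctx.getLogger(name).getEffectiveLevel());
        System.out.println("sibling class: " + ctx.getLogger("LoggerNameDemo$OtherClass").getEffectiveLevel());

        child.connect("example.invalid"); // constructed host; this DEBUG line is now suppressed
    }
}
```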
SGTM
Codecov Report: Patch coverage has no change and project coverage change:
@@ Coverage Diff @@
##               main     #873      +/-   ##
============================================
- Coverage     65.69%   65.66%   -0.03%
+ Complexity     3350     3349       -1
============================================
  Files           358      358
  Lines        13893    13893
  Branches      1496     1496
============================================
- Hits           9127     9123       -4
- Misses         3914     3918       +4
  Partials        852      852
👍 👍 👍
Thanks! 🙇♂️
Thanks for the review and sorry for causing the issue. 😅