Comments (5)
Thanks all for flagging this regression and the initial investigation made last week.
This initially came as a surprise as I am confident that I had checked the client & server JARs while working on this upgrade. Checking out v5.6.12
and re-running ./build.py clean build-dev
earlier, I was also unable to reproduce this issue at first and the dist/lib/server
and dist/lib/client
folders contained neither log4j
, jcommander
or other test dependencies.
As highlighted by this thread, some significant changes have been made in Ivy in between versions 2.4.0 and 2.5.0. Even though the build was running with Ivy 2.5.2, one issue is that my local Maven repository cache under ~/.m2
was populated with dependencies fetched using Ivy 2.4.0. After cleaning my local ~/.m2
directory, a re-execution of ./build.py clean build-dev
forced a fresh resolution of all artifacts from scratch and was sufficient to reproduce the issue above i.e. log4j.jar
is now copied under dist/lib/client
and dist/lib/server
. This observation is consistent with the fact that the GitHub workflow generating the release artifacts is using a clean Maven workspace.
Trying to understand the source of this regression, an analysis of the dependencies shows that the log4j
artifact is (incorrectly) fetched as a dependency of jul-to-slf4j
declared in the top-level ivy.xml
file. Comparing the two Maven repository caches (~/.m2.bak
formerly populated using Ivy 2.4.0 and ~/.m2
populated using Ivy 2.5.2), the primary difference can be identified in the content of the Ivy XML files
sbesson@Sebastiens-MacBook-Pro-3 openmicroscopy % diff ~/.m2/repository/org/slf4j/jul-to-slf4j/1.7.30/ivy-1.7.30.xml ~/.m2.bak/repository/org/slf4j/jul-to-slf4j/1.7.30/ivy-1.7.30.xml
9d8
< <license name="MIT License" url="http://www.opensource.org/licenses/mit-license.php" />
40c39
< <conf name="test" visibility="public" description="this scope indicates that the dependency is not required for normal use of the application, and is only available for the test compilation and execution phases." extends="runtime"/>
---
> <conf name="test" visibility="private" description="this scope indicates that the dependency is not required for normal use of the application, and is only available for the test compilation and execution phases." extends="runtime"/>
55,56d53
< <override org="org.slf4j" module="slf4j-api" matcher="exact" rev="1.7.30"/>
< <override org="org.slf4j" module="slf4j-jdk14" matcher="exact" rev="1.7.30"/>
58a56,57
> <override org="org.slf4j" module="slf4j-jdk14" matcher="exact" rev="1.7.30"/>
> <override org="org.slf4j" module="slf4j-api" matcher="exact" rev="1.7.30"/>
This diff is consistent with the change of visibility for the test configuration described in the Ivy 2.5.0 release notes
FIX: Made the Maven 'test' configuration public so we can use the test-jar as dependency ([IVY-1444](https://issues.apache.org/jira/browse/IVY-1444))
As suggested in the issue description, this change in configuration visibility currently causes some dependencies declared at the test
scope to be resolved for the client
and server
configurations. Next step will be to review the chain of configuration mapping when invoking these targets. Semi-related, jul-to-slf4j
and jcl-to-slf4j
should likely be bumped to version 2.0.x especially as the underlying slf4j-api
dependency is now 2.x
from openmicroscopy.
This issue has been mentioned on Image.sc Forum. There might be relevant details there:
https://forum.image.sc/t/critical-old-and-unsafe-log4j-jar-file-in-omero-5-6-12/100016/2
from openmicroscopy.
Diff of the client JARs:
--- 5_6_12_client_jars 2024-08-06 10:21:44.699172031 +0000
+++ latest_client_jars 2024-08-06 10:22:02.367277186 +0000
@@ -40,8 +40,6 @@
batik-xml.jar
btm.jar
bufr.jar
-byte-buddy-agent.jar
-byte-buddy.jar
c3p0.jar
calcite-core.jar
calcite-linq4j.jar
@@ -102,7 +100,6 @@
jblosc.jar
jcip-annotations.jar
jcl-over-slf4j.jar
-jcommander.jar
jgoodies-common.jar
jgoodies-forms.jar
jhdf5.jar
@@ -118,7 +115,6 @@
jzarr.jar
kryo.jar
listenablefuture.jar
-log4j.jar
logback-classic.jar
logback-core.jar
lucene-analyzers.jar
@@ -139,8 +135,6 @@
metrics-logback.jar
minio.jar
minlog.jar
-mockito-core.jar
-mockito-inline.jar
native-lib-loader.jar
objenesis.jar
okhttp.jar
@@ -169,8 +163,6 @@
serializer.jar
sketches-core.jar
slf4j-api.jar
-slf4j-jdk14.jar
-slf4j-log4j12.jar
snakeyaml.jar
solr-analysis-extras.jar
solr-commons-csv.jar
@@ -193,7 +185,6 @@
spring-tx.jar
sqlite-jdbc.jar
subethasmtp.jar
-testng.jar
turbojpeg.jar
udunits.jar
xalan.jar
from openmicroscopy.
latest_jars
and latest_client_jars
were produced with a build using #6406.
from openmicroscopy.
JARs that can be safely removed from a 5.6.12 distribution are:
lib/server/byte-buddy-agent.jar
lib/server/byte-buddy.jar
lib/server/jcommander.jar
lib/server/log4j.jar
lib/server/mockito-core.jar
lib/server/mockito-inline.jar
lib/server/slf4j-jdk14.jar
lib/server/slf4j-log4j12.jar
lib/server/testng.jar
lib/client/byte-buddy-agent.jar
lib/client/byte-buddy.jar
lib/client/jcommander.jar
lib/client/log4j.jar
lib/client/mockito-core.jar
lib/client/mockito-inline.jar
lib/client/slf4j-jdk14.jar
lib/client/slf4j-log4j12.jar
lib/client/testng.jar
from openmicroscopy.
Related Issues (20)
- failed upgrade to Omero5.5 - Ice 3.6 not found HOT 2
- More non-parallel test assumptions
- omero db script → psql: identifiers truncated
- Document Python logging properties
- Manage services from the omero settings HOT 1
- missing OMERO.insight-5.4.10-ice36-b105-linux.zip HOT 4
- AdminService load Experimenters and Groups options with GroupExperimenterMap
- Improve performance of graph operations. HOT 2
- Annotations displaced when opening saved qpdata file HOT 1
- Alternate gradle/maven artifactory location? HOT 3
- CZI file Exposure time HOT 4
- Fix JSON API JavaScript login example HOT 1
- Increase the usage of compound assignment operators HOT 1
- Release process review HOT 4
- Remove Pixels name, repo and path columns HOT 3
- OMERO.server: JDK 17 support HOT 1
- Update the OMERO model and API to represent and handle archived data
- Unpin numpy<2 HOT 2
- omero.LockTimeout exception on "omero admin email" HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openmicroscopy.