Upgrade logback and SLF4j
authorSimon Brandhof <simon.brandhof@sonarsource.com>
Fri, 13 Oct 2017 13:02:57 +0000 (15:02 +0200)
committerSimon Brandhof <simon.brandhof@sonarsource.com>
Mon, 16 Oct 2017 08:01:51 +0000 (10:01 +0200)
Logback 1.1.x suffers from https://nvd.nist.gov/vuln/detail/CVE-2017-5929,
which has been fixed in 1.2.0. This vulnerability can't be exploited
because the Logback socket server is not enabled. Nevertheless
upgrading is a best practice.

pom.xml
server/sonar-process/src/main/java/org/sonar/process/logging/LogbackHelper.java
server/sonar-process/src/test/java/org/sonar/process/logging/LogbackHelperTest.java
server/sonar-server/src/main/java/org/sonar/server/app/ProgrammaticLogbackValve.java

diff --git a/pom.xml b/pom.xml
index fcdd755dc026d52b076d1701e4896b5677b0132c..612f6acc75824ae403d37cb4ee372a1173b52876 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -72,8 +72,8 @@
     <sonarUpdateCenter.version>1.18.0.487</sonarUpdateCenter.version>
     <h2.version>1.3.176</h2.version>
     <jetty.version>8.1.12.v20130726</jetty.version>
-    <logback.version>1.1.7</logback.version>
-    <slf4j.version>1.7.24</slf4j.version>
+    <logback.version>1.2.3</logback.version>
+    <slf4j.version>1.7.25</slf4j.version>
 
     <!-- Be aware that Log4j is used by Elasticsearch client -->
     <log4j.version>2.8.2</log4j.version>
index 5cee5492ddb232485394cc51b3ee443fb7cabfbc..a548f9d29c68ba8cd4da608c4b0055d8362916ce 100644 (file)
@@ -35,6 +35,7 @@ import ch.qos.logback.core.rolling.FixedWindowRollingPolicy;
 import ch.qos.logback.core.rolling.RollingFileAppender;
 import ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy;
 import ch.qos.logback.core.rolling.TimeBasedRollingPolicy;
+import ch.qos.logback.core.util.FileSize;
 import java.io.File;
 import java.util.Arrays;
 import java.util.Collection;
@@ -342,7 +343,8 @@ public class LogbackHelper extends AbstractLogHelper {
       String filePath = new File(logsDir, filenamePrefix + ".log").getAbsolutePath();
       appender.setFile(filePath);
 
-      SizeBasedTriggeringPolicy<ILoggingEvent> trigger = new SizeBasedTriggeringPolicy<>(size);
+      SizeBasedTriggeringPolicy<ILoggingEvent> trigger = new SizeBasedTriggeringPolicy<>();
+      trigger.setMaxFileSize(FileSize.valueOf(size));
       trigger.setContext(context);
       trigger.start();
       appender.setTriggeringPolicy(trigger);
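Review bot: `FileSize.valueOf(size)` throws IllegalArgumentException when the string is not in logback's size format, and nothing in this hunk shows `size` being checked first. The value appears to come from the `sonar.log.rollingPolicy` property (the test uses `size:1MB`), so a typo there would presumably abort log setup with a message that does not name the property. Consider catching the exception here and rethrowing it with the property name in the message, or, if the check already exists outside the hunk, add a comment such as `// size already validated upstream; FileSize.valueOf throws on malformed input`. The enclosing method starts and ends outside the hunk.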
index 2f6643bdb297c83a8b9142f19631e22208fd1384..434372dcd5e54dc38f989612c3ee288c71ad39b7 100644 (file)
@@ -32,6 +32,7 @@ import ch.qos.logback.core.rolling.FixedWindowRollingPolicy;
 import ch.qos.logback.core.rolling.RollingFileAppender;
 import ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy;
 import ch.qos.logback.core.rolling.TimeBasedRollingPolicy;
+import ch.qos.logback.core.util.FileSize;
 import com.google.common.collect.ImmutableList;
 import com.tngtech.java.junit.dataprovider.DataProvider;
 import com.tngtech.java.junit.dataprovider.DataProviderRunner;
@@ -41,6 +42,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import org.apache.commons.lang.RandomStringUtils;
+import org.apache.commons.lang.reflect.FieldUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Rule;
@@ -238,7 +240,7 @@ public class LogbackHelperTest {
   }
 
   @Test
-  public void createRollingPolicy_size() {
+  public void createRollingPolicy_size() throws Exception {
     props.set("sonar.log.rollingPolicy", "size:1MB");
     props.set("sonar.log.maxFiles", "20");
     LoggerContext ctx = underTest.getRootContext();
@@ -253,7 +255,8 @@ public class LogbackHelperTest {
     assertThat(rollingPolicy.getMaxIndex()).isEqualTo(20);
     assertThat(rollingPolicy.getFileNamePattern()).endsWith("sonar.%i.log");
     SizeBasedTriggeringPolicy triggeringPolicy = (SizeBasedTriggeringPolicy) fileAppender.getTriggeringPolicy();
-    assertThat(triggeringPolicy.getMaxFileSize()).isEqualTo("1MB");
+    FileSize maxFileSize = (FileSize)FieldUtils.readField(triggeringPolicy, "maxFileSize", true);
+    assertThat(maxFileSize.getSize()).isEqualTo(1024L * 1024);
   }
 
   @Test
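Review bot: Reading the private field `maxFileSize` by name ties this test to logback's internals, so a later upgrade that renames the field fails here for a reason unrelated to the behaviour under test. If 1.2.3 offers no getter (which the switch to reflection suggests), say so in a comment, e.g. `// logback 1.2.x exposes no getter for maxFileSize, hence the reflective read`. A space is also missing after the cast: `(FileSize) FieldUtils.readField(triggeringPolicy, "maxFileSize", true);`.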
index 1385228262678175918f337cce8c0d2be569bf31..00d0c5ebbeaaecf22fd6cbb2cae22322b823d5b8 100644 (file)
@@ -36,7 +36,7 @@ public class ProgrammaticLogbackValve extends LogbackValve {
   public void startInternal() throws LifecycleException {
     try {
       // direct coupling with LogbackValve implementation
-      FieldUtils.writeField(this, "executorService", ExecutorServiceUtil.newExecutorService(), true);
+      FieldUtils.writeField(this, "scheduledExecutorService", ExecutorServiceUtil.newScheduledExecutorService(), true);
       FieldUtils.writeField(this, "started", true, true);
       setState(LifecycleState.STARTING);
     } catch (IllegalAccessException e) {
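Review bot: The reflective write to `scheduledExecutorService` depends on a private field name of LogbackValve, and this commit itself shows that name changing between logback releases. `FieldUtils.writeField` throws IllegalArgumentException when the field cannot be found, which the `catch (IllegalAccessException e)` visible here does not cover, so a future rename would surface as an unchecked exception from `startInternal`. The existing comment could record the version it was checked against: `// direct coupling with LogbackValve implementation (field names verified against logback 1.2.3)`. The catch block continues outside the hunk.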