From cba2b53e32d1b4d812ce346656e6658d62ea4aed Mon Sep 17 00:00:00 2001 From: Simon Brandhof Date: Fri, 13 Oct 2017 15:02:57 +0200 Subject: [PATCH] Upgrade logback and SLF4j Logback 1.1.x suffers from https://nvd.nist.gov/vuln/detail/CVE-2017-5929, which has been fixed in 1.2.0. This vulnerability can't be exploited because the Logback socket server is not enabled. Nevertheless upgrading is a best practice. --- pom.xml | 4 ++-- .../main/java/org/sonar/process/logging/LogbackHelper.java | 4 +++- .../java/org/sonar/process/logging/LogbackHelperTest.java | 7 +++++-- .../org/sonar/server/app/ProgrammaticLogbackValve.java | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/pom.xml b/pom.xml index fcdd755dc02..612f6acc758 100644 --- a/pom.xml +++ b/pom.xml @@ -72,8 +72,8 @@ 1.18.0.487 1.3.176 8.1.12.v20130726 - 1.1.7 - 1.7.24 + 1.2.3 + 1.7.25 2.8.2 diff --git a/server/sonar-process/src/main/java/org/sonar/process/logging/LogbackHelper.java b/server/sonar-process/src/main/java/org/sonar/process/logging/LogbackHelper.java index 5cee5492ddb..a548f9d29c6 100644 --- a/server/sonar-process/src/main/java/org/sonar/process/logging/LogbackHelper.java +++ b/server/sonar-process/src/main/java/org/sonar/process/logging/LogbackHelper.java @@ -35,6 +35,7 @@ import ch.qos.logback.core.rolling.FixedWindowRollingPolicy; import ch.qos.logback.core.rolling.RollingFileAppender; import ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy; import ch.qos.logback.core.rolling.TimeBasedRollingPolicy; +import ch.qos.logback.core.util.FileSize; import java.io.File; import java.util.Arrays; import java.util.Collection; 
@@ -342,7 +343,8 @@ public class LogbackHelper extends AbstractLogHelper {
 String filePath = new File(logsDir, filenamePrefix + ".log").getAbsolutePath();
 appender.setFile(filePath);
- SizeBasedTriggeringPolicy trigger = new SizeBasedTriggeringPolicy<>(size);
+ SizeBasedTriggeringPolicy trigger = new SizeBasedTriggeringPolicy<>();
+ trigger.setMaxFileSize(FileSize.valueOf(size));
 trigger.setContext(context);
 trigger.start();
 appender.setTriggeringPolicy(trigger);
diff --git a/server/sonar-process/src/test/java/org/sonar/process/logging/LogbackHelperTest.java b/server/sonar-process/src/test/java/org/sonar/process/logging/LogbackHelperTest.java
index 2f6643bdb29..434372dcd5e 100644
--- a/server/sonar-process/src/test/java/org/sonar/process/logging/LogbackHelperTest.java
+++ b/server/sonar-process/src/test/java/org/sonar/process/logging/LogbackHelperTest.java
@@ -32,6 +32,7 @@ import ch.qos.logback.core.rolling.FixedWindowRollingPolicy;
 import ch.qos.logback.core.rolling.RollingFileAppender;
 import ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy;
 import ch.qos.logback.core.rolling.TimeBasedRollingPolicy;
+import ch.qos.logback.core.util.FileSize;
 import com.google.common.collect.ImmutableList;
 import com.tngtech.java.junit.dataprovider.DataProvider;
 import com.tngtech.java.junit.dataprovider.DataProviderRunner;
@@ -41,6 +42,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import org.apache.commons.lang.RandomStringUtils;
+import org.apache.commons.lang.reflect.FieldUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Rule;
@@ -238,7 +240,7 @@ public class LogbackHelperTest {
 }
 @Test
- public void createRollingPolicy_size() {
+ public void createRollingPolicy_size() throws Exception {
 props.set("sonar.log.rollingPolicy", "size:1MB");
 props.set("sonar.log.maxFiles", "20");
 LoggerContext ctx = underTest.getRootContext();
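Review bot: `FileSize.valueOf(size)` on the added line is now the only place the configured size string is parsed, and for a value it cannot parse it throws an IllegalArgumentException whose message names only the offending string, not the setting it came from (presumably `sonar.log.rollingPolicy`, which the test sets to `size:1MB`). Whether the removed one-argument constructor failed at the same point is not visible here, but an operator reading the new failure gets no hint which property to fix. Consider catching the parse failure and rethrowing with context, e.g. `catch (IllegalArgumentException e) { throw new IllegalStateException("Invalid max file size [" + size + "] in sonar.log.rollingPolicy", e); }`, keeping the cause attached. The enclosing method begins and ends outside this hunk.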
@@ -253,7 +255,8 @@ public class LogbackHelperTest {
 assertThat(rollingPolicy.getMaxIndex()).isEqualTo(20);
 assertThat(rollingPolicy.getFileNamePattern()).endsWith("sonar.%i.log");
 SizeBasedTriggeringPolicy triggeringPolicy = (SizeBasedTriggeringPolicy) fileAppender.getTriggeringPolicy();
- assertThat(triggeringPolicy.getMaxFileSize()).isEqualTo("1MB");
+ FileSize maxFileSize = (FileSize)FieldUtils.readField(triggeringPolicy, "maxFileSize", true);
+ assertThat(maxFileSize.getSize()).isEqualTo(1024L * 1024);
 }
 @Test
diff --git a/server/sonar-server/src/main/java/org/sonar/server/app/ProgrammaticLogbackValve.java b/server/sonar-server/src/main/java/org/sonar/server/app/ProgrammaticLogbackValve.java
index 13852282626..00d0c5ebbea 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/app/ProgrammaticLogbackValve.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/app/ProgrammaticLogbackValve.java
@@ -36,7 +36,7 @@ public class ProgrammaticLogbackValve extends LogbackValve {
 public void startInternal() throws LifecycleException {
 try {
 // direct coupling with LogbackValve implementation
- FieldUtils.writeField(this, "executorService", ExecutorServiceUtil.newExecutorService(), true);
+ FieldUtils.writeField(this, "scheduledExecutorService", ExecutorServiceUtil.newScheduledExecutorService(), true);
 FieldUtils.writeField(this, "started", true, true);
 setState(LifecycleState.STARTING);
 } catch (IllegalAccessException e) {
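Review bot: The added `FieldUtils.readField(triggeringPolicy, "maxFileSize", true)` ties the test to a private field name inside Logback's SizeBasedTriggeringPolicy without saying why, so a later Logback upgrade that renames the field will fail with an IllegalArgumentException out of FieldUtils rather than a readable assertion. A one-line comment on the reflective read would tell the next maintainer the reason, presumably that 1.2.3 offers no public getter for the parsed size, e.g. `// Logback 1.2 exposes no getter for the parsed size; read the private field (FieldUtils fails with IllegalArgumentException if it is renamed)`. The `throws Exception` added in the hunk at -238 exists only to accommodate this call, so the explanation belongs here rather than there. createRollingPolicy_size begins outside this hunk.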
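Review bot: The literal `"scheduledExecutorService"` on the added line is a private field name of LogbackValve in logback-access 1.2.3, and this very hunk shows such names changing between releases (`executorService` became `scheduledExecutorService`); when the field is missing, commons-lang `FieldUtils.writeField` throws IllegalArgumentException, which the visible `catch (IllegalAccessException e)` does not cover, so the next mismatch would escape startInternal as a generic runtime exception instead of a clear startup failure. Widening the catch to `catch (IllegalAccessException | IllegalArgumentException e)` and naming the Logback coupling in the wrapped exception's message would make that failure mode explicit. The existing `// direct coupling with LogbackValve implementation` comment could also record what it was verified against, e.g. `// direct coupling with LogbackValve implementation (private field names verified against logback-access 1.2.3)`, so the check is repeated on every upgrade. startInternal's body and its catch block continue past the hunk.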