This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 8e69696ef022a6e322d4a7ea3ad31d349bdc1232
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Mon Nov 6 16:19:27 2023 +0100

    Check security bugs reported in other modules
---
 .../log4j/flume/appender/FlumePersistentManager.java        | 13 +++++++++++++
 .../apache/logging/log4j/flume/appender/package-info.java   |  2 +-
 .../org/apache/logging/log4j/jul/Log4jBridgeHandler.java    |  7 ++++++-
 .../java/org/apache/logging/log4j/jul/package-info.java     |  2 +-
 .../logging/log4j/layout/template/json/util/Uris.java       |  9 +++++++++
 log4j-perf/pom.xml                                          |  7 +++----
 6 files changed, 33 insertions(+), 7 deletions(-)

diff --git 
a/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/FlumePersistentManager.java
 
b/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/FlumePersistentManager.java
index aa32f7cf33..6eb8d91ee7 100644
--- 
a/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/FlumePersistentManager.java
+++ 
b/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/FlumePersistentManager.java
@@ -48,6 +48,7 @@ import com.sleepycat.je.LockMode;
 import com.sleepycat.je.OperationStatus;
 import com.sleepycat.je.StatsConfig;
 import com.sleepycat.je.Transaction;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.flume.Event;
 import org.apache.flume.event.SimpleEvent;
 import org.apache.logging.log4j.LoggingException;
@@ -171,6 +172,10 @@ public class FlumePersistentManager extends 
FlumeAvroManager {
     }
 
     @Override
+    @SuppressFBWarnings(
+            value = {"CIPHER_INTEGRITY", "ECB_MODE"},
+            justification = "Work-in-progress: 
https://github.com/apache/logging-log4j2/issues/1947";
+    )
     public void send(final Event event)  {
         if (worker.isShutdown()) {
             throw new LoggingException("Unable to record event");
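Review bot: The new `@SuppressFBWarnings` on `send()` hides the CIPHER_INTEGRITY and ECB_MODE findings but, judging from the rule names, leaves the persistent-queue encryption in ECB mode with no integrity protection, and the justification only links to issue 1947 without saying what risk is being accepted or when the suppression can go. Since the annotation is the only place a later reader will look, I would make that explicit, e.g. `justification = "Queue encryption still uses ECB without integrity protection; remove once #1947 moves to an AEAD mode"`. The same pair of rule IDs is suppressed again on `createEvent` further down, so the two justifications should be kept identical so they are retired together. The trailing `;` after the URL on the justification line looks like mailing-list wrapping rather than source, since the closing `)` follows on the next line. The body of `send()` continues outside the hunk.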
@@ -384,6 +389,10 @@ public class FlumePersistentManager extends 
FlumeAvroManager {
          * @return The FlumeKratiManager.
          */
         @Override
+        @SuppressFBWarnings(
+                value = "PATH_TRAVERSAL_IN",
+                justification = "The name of the directory is provided in a 
configuration file."
+        )
         public FlumePersistentManager createManager(final String name, final 
FactoryData data) {
             SecretKey secretKey = null;
             Database database = null;
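Review bot: The PATH_TRAVERSAL_IN justification on `createManager` records where the directory name comes from but not why that makes the finding acceptable, which is the question a reviewer of the suppression will ask. Log4j treats its configuration as trusted input, and that assumption is what justifies not validating the path, so I would state it: `justification = "The data directory is read from the Log4j configuration, which is trusted: whoever can edit it already controls the process."`. The method body continues outside the hunk, so I cannot tell from here whether the directory is normalized before use; if it is not, the justification is the only documentation of this decision.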
@@ -777,6 +786,10 @@ public class FlumePersistentManager extends 
FlumeAvroManager {
             return errors;
         }
 
+        @SuppressFBWarnings(
+                value = {"CIPHER_INTEGRITY", "ECB_MODE"},
+                justification = "Work-in-progress: 
https://github.com/apache/logging-log4j2/issues/1947";
+        )
         private SimpleEvent createEvent(final DatabaseEntry data) {
             final SimpleEvent event = new SimpleEvent();
             try {
diff --git 
a/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/package-info.java
 
b/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/package-info.java
index 9ea0704d3d..77dac0c5d4 100644
--- 
a/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/package-info.java
+++ 
b/log4j-flume-ng/src/main/java/org/apache/logging/log4j/flume/appender/package-info.java
@@ -19,7 +19,7 @@
  */
 @Export
 @Open("org.apache.logging.log4j.core")
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.flume.appender;
 
 import aQute.bnd.annotation.jpms.Open;
diff --git 
a/log4j-jul/src/main/java/org/apache/logging/log4j/jul/Log4jBridgeHandler.java 
b/log4j-jul/src/main/java/org/apache/logging/log4j/jul/Log4jBridgeHandler.java
index a2087d90af..9b41c3330f 100644
--- 
a/log4j-jul/src/main/java/org/apache/logging/log4j/jul/Log4jBridgeHandler.java
+++ 
b/log4j-jul/src/main/java/org/apache/logging/log4j/jul/Log4jBridgeHandler.java
@@ -25,6 +25,7 @@ import java.util.Set;
 import java.util.function.Consumer;
 import java.util.logging.LogRecord;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.config.LoggerConfig;
@@ -137,7 +138,11 @@ public class Log4jBridgeHandler extends 
java.util.logging.Handler implements Con
 
 
     /** Perform init. of this handler with given configuration (typical use is 
for constructor). */
-       protected void init(boolean debugOutput, String suffixToAppend, boolean 
propagateLevels) {
+    @SuppressFBWarnings(
+            value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+            justification = "The data is available only in debug mode."
+    )
+    protected void init(boolean debugOutput, String suffixToAppend, boolean 
propagateLevels) {
            this.doDebugOutput = debugOutput;
         if (debugOutput) {
             new Exception("DIAGNOSTIC ONLY (sysout):  Log4jBridgeHandler 
instance created (" + this + ")")
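Review bot: The `this.doDebugOutput = debugOutput;` line directly below the new annotation still carries the old tab indentation while the re-indented signature and the `if` that follows use four spaces, so the hunk leaves the method with mixed indentation; it should be re-indented in the same change. The justification could also be more precise about what is exposed and where: `justification = "The stack trace is written to System.out, and only when debugOutput is true."` — hedged, since the `printStackTrace`-style call that the diagnostic `Exception` presumably feeds is cut off at the end of the hunk. The rest of `init()` lies outside the hunk.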
diff --git 
a/log4j-jul/src/main/java/org/apache/logging/log4j/jul/package-info.java 
b/log4j-jul/src/main/java/org/apache/logging/log4j/jul/package-info.java
index ad9d54ef40..dd22747306 100644
--- a/log4j-jul/src/main/java/org/apache/logging/log4j/jul/package-info.java
+++ b/log4j-jul/src/main/java/org/apache/logging/log4j/jul/package-info.java
@@ -15,7 +15,7 @@
  * limitations under the license.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.jul;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/util/Uris.java
 
b/log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/util/Uris.java
index 694d0eaa96..5182e64e63 100644
--- 
a/log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/util/Uris.java
+++ 
b/log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/util/Uris.java
@@ -30,6 +30,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
 import org.apache.logging.log4j.util.LoaderUtil;
@@ -93,6 +94,10 @@ public final class Uris {
         }
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The uri parameter comes from aconfiguration file."
+    )
     private static String readFileUri(
             final URI uri,
             final Charset charset)
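Review bot: The justification string on `readFileUri` contains a typo, `aconfiguration`, that will be carried into every SpotBugs report that cites it. Beyond the typo, the text names the source of the value but not the trust assumption that actually excuses the PATH_TRAVERSAL_IN finding; I would write `justification = "The URI comes from the Log4j configuration, which is trusted input."`. The method body starts after the hunk, so I cannot see whether the `file:` URI is resolved relative to anything.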
@@ -103,6 +108,10 @@ public final class Uris {
         }
     }
 
+    @SuppressFBWarnings(
+            value = "URLCONNECTION_SSRF_FD",
+            justification = "The uri parameter comes fro a configuration file."
+    )
     private static String readClassPathUri(
             final URI uri,
             final Charset charset)
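Review bot: The justification on `readClassPathUri` has a typo, `fro` for `from`, and like the one above it describes where the URI comes from rather than why an SSRF finding does not apply. The method name suggests the URI has already been dispatched as a classpath URI by the time this is called, in which case that is the stronger argument to record: `justification = "The URI is read from the trusted Log4j configuration and has already been restricted to the classpath scheme by the caller."`, hedged until the dispatch in the caller is confirmed. The method body is outside the hunk.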
diff --git a/log4j-perf/pom.xml b/log4j-perf/pom.xml
index 7f13277e17..964b033eea 100644
--- a/log4j-perf/pom.xml
+++ b/log4j-perf/pom.xml
@@ -30,10 +30,9 @@
   <description>The Apache Log4j development-time performance 
tests</description>
 
   <properties>
-    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <log4jParentDir>${basedir}/..</log4jParentDir>
-    <docLabel>Apache Log4J Performance Tests</docLabel>
-    <projectDir>/log4j-perf</projectDir>
+    <!-- Ignore less important (high rank) bugs for test artifacts -->
+    <spotbugs.maxRank>9</spotbugs.maxRank>
+
     <uberjar.name>benchmarks</uberjar.name>
     <bnd.baseline.skip>true</bnd.baseline.skip>
     <maven.deploy.skip>true</maven.deploy.skip>
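Review bot: This hunk drops `project.build.sourceEncoding`, `log4jParentDir`, `docLabel` and `projectDir` from log4j-perf while only adding `spotbugs.maxRank`, and the commit message mentions neither the removals nor the rank change. Removing the encoding property is only safe if the parent POM already sets it; otherwise compilation of the benchmark sources silently falls back to the platform default encoding, so that should be confirmed or the property kept. I would also make the new comment say what rank 9 means in practice, e.g. `<!-- Benchmarks are not shipped: only report SpotBugs findings of rank 9 or lower (scariest through troubling); higher ranks are ignored -->`, so the threshold is not read as a blanket exemption.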
