RE: Feedback on some analysis I'm doing

2021-12-15 Thread Conrad T. Pino
Hi Rahul, I can't comment much on Jenkins internals but my professional work includes full migration to SLF4J with LogBack implementation while still using 3rd party libraries depending upon other logging frameworks. While evaluating our Log4j exposure I revisited SLF4J pages: *

Re: Feedback on some analysis I'm doing

2021-12-14 Thread 'Jesse Glick' via Jenkins Developers
Please refer to https://www.jenkins.io/doc/developer/plugin-development/dependencies-and-class-loading/ for background.

Re: Feedback on some analysis I'm doing

2021-12-14 Thread 'rsomas...@netflix.com' via Jenkins Developers
Thanks Jesse & boa...@! I get it now. Does it make sense to get plugins to stop using libraries already in jenkins-core's dependency tree? i.e. are those libraries part of the contract? If they can be considered guaranteed by jenkins-core, we can just remove the dependencies. If they can't, th

Re: Feedback on some analysis I'm doing

2021-12-13 Thread 'Jesse Glick' via Jenkins Developers
On Mon, Dec 13, 2021 at 1:35 PM 'rsomas...@netflix.com' via Jenkins Developers wrote: > That suggests that Jenkins Core would prefer plugins to use slf4j-api. If > that's the case, all plugins that depend on jenkins-core should use > slf4j-api > No, Jenkins core uses java.util.logging, and the g

Re: Feedback on some analysis I'm doing

2021-12-13 Thread Matt Sicker
Note that some plugins (like audit-log) use log4j-api due to slf4j-api not supporting non-String messages (e.g., audit log structured data messages, syslog metadata, etc.). Promoting logging APIs to an API plugin may require some care in implementation. Also, Jenkins' UI for recording and viewing l

Re: Feedback on some analysis I'm doing

2021-12-13 Thread Basil Crow
On Mon, Dec 13, 2021 at 11:22 AM 'rsomas...@netflix.com' via Jenkins Developers wrote: > > While sometimes […] it is about security […] > Other times, it's mostly about reducing redundant libraries […] Indeed. > Other common libraries are > com.google.code.gson gson 2.8

Re: Feedback on some analysis I'm doing

2021-12-13 Thread 'rsomas...@netflix.com' via Jenkins Developers
While sometimes (like log4j-core) it is about security and owasp can help. Other times, it's mostly about reducing redundant libraries - like slf4j-api or log4j-api. Other common libraries are ❯ csvsql "SELECT jarGroupId, jarArtifactId, jarVersion, count(*) as CT FROM plugin-jars.csv GROUP BY ja

Re: Feedback on some analysis I'm doing

2021-12-13 Thread Basil Crow
Might be interesting to look into adding something like OWASP Dependency-Check to the parent POM and plugin parent POM, with suppressions for existing false positives