[BEAM-12422] Vendored gRPC: Removing unnecessary log4j-api dependency #15098
Conversation
Vendored gRPC 1.36.0 was using a log4j version with security issues. gRPC does not declare a log4j dependency. It uses java.util.logging for logging. Therefore removing the dependency.
"org/apache/log4j/**", | ||
"org/apache/logging/log4j/**", |
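Review bot: Removing these two exclusion patterns has a side effect beyond dropping the dependency: the exclusions are what keep org/apache/log4j and org/apache/logging/log4j classes out of relocation, so any log4j class pulled in transitively in the future would now be shaded into the vendored namespace and its logging output lost. Since the stated goal is only to get rid of the vulnerable log4j-api version, consider leaving the exclusions in place, or state in the description why they are no longer needed.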
I confirmed that the resulting JAR does not contain log4j classes.
suztomo-macbookpro44% jar tf vendor/grpc-1_36_0/build/libs/beam-vendor-grpc-1_36_0-0.2.jar |grep log4j
suztomo-macbookpro44%
Run Python Precommit
Run Java_Examples_Dataflow PreCommit
Run Java_Examples_Dataflow PreCommit
Run Python Precommit
Codecov Report

Coverage diff (master vs. #15098):

              master   #15098      +/-
  Coverage    82.55%   83.77%   +1.21%
  Files          455      439      -16
  Lines        55143    59245    +4102
  Hits         45526    49630    +4104
  Misses        9617     9615       -2

Continue to review full report at Codecov.

R: @iemejia
LGTM
Thanks @suztomo!
@@ -70,7 +70,6 @@ class GrpcVendoring_1_36_0 { | |||
return [ | |||
'com.google.errorprone:error_prone_annotations:2.4.0', | |||
'commons-logging:commons-logging:1.2', | |||
'org.apache.logging.log4j:log4j-api:2.6.2', |
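Review bot: The removed log4j-api:2.6.2 line should be justified in the description against the alternative of bumping to a patched release that stays compatible with 2.6.2, because this list exposes runtime dependencies to consumers of the vendored artifact rather than shading them. The empty `jar tf ... | grep log4j` result shows the artifact itself carries no log4j classes, which supports removal, but it says nothing about consumers that may have relied on the exposed dependency.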
I don't think this is what we wanted to do.
The idea has always been to have the vendored libraries expose some runtime deps, as not everything should be relocated (e.g. logging shouldn't be relocated, otherwise we lose logging from the relocated code). We should have just bumped the version to something that doesn't have the security issue and is compatible with the 2.6.2 version.
Ditto on the exclusions; we specifically keep them to prevent relocating logging stuff and other libs that can't be relocated.
Created #15113 to address this.
Turns out Netty attempts to load various loggers, so this change was always ok. #15113 removes the additional logging libs.
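The jar listing earlier in the thread only checks that no log4j classes are bundled unrelocated; the comments above describe the opposite failure mode, logging classes being shaded together with the rest and their output lost. The following Python is an added example, not code from the PR or from Beam's build, that checks a jar for both conditions; the relocation prefix is an assumption and the sample jar is constructed inline.

```python
import fnmatch
import io
import zipfile

# Assumed relocation prefix for the vendored gRPC artifact (an assumption,
# not taken from the PR); classes under it were shaded by the vendoring build.
RELOCATION_PREFIX = "org/apache/beam/vendor/grpc/v1p36p0/"

# The two exclusion patterns the PR deletes from the vendoring config.
LOGGING_PATTERNS = ("org/apache/log4j/**", "org/apache/logging/log4j/**")


def _matches(entry: str, pattern: str) -> bool:
    # Gradle-style '**' means any depth; fnmatch's '*' already crosses '/'.
    return fnmatch.fnmatchcase(entry, pattern.replace("**", "*"))


def audit_jar(jar_bytes: bytes) -> dict:
    """Classify .class entries of a jar by their logging-package status.

    bundled:   log4j classes shipped unrelocated (the CVE exposure the PR targets)
    relocated: log4j classes shaded under the vendor prefix (logging silently lost)
    """
    report = {"bundled": [], "relocated": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            if any(_matches(entry, p) for p in LOGGING_PATTERNS):
                report["bundled"].append(entry)
            elif entry.startswith(RELOCATION_PREFIX) and any(
                _matches(entry[len(RELOCATION_PREFIX):], p) for p in LOGGING_PATTERNS
            ):
                report["relocated"].append(entry)
    return report


def build_sample_jar(entries) -> bytes:
    """Constructed stand-in for a real jar: a zip with empty .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar([
        RELOCATION_PREFIX + "io/grpc/Channel.class",           # expected vendored class
        "org/apache/logging/log4j/LogManager.class",           # unrelocated log4j
        RELOCATION_PREFIX + "org/apache/log4j/Logger.class",  # shaded log4j
    ])
    print(audit_jar(sample))
```

Both lists should come back empty for the artifact this PR produces; a non-empty "bundled" list is the dependency problem, a non-empty "relocated" list is the lost-logging problem.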
Vendored gRPC 1.36.0 was using a log4j version with security issues. https://issues.apache.org/jira/browse/BEAM-12422
gRPC does not declare a log4j dependency. It uses java.util.logging for logging. Therefore this PR removes the dependency.
How I tested this
I created #15103 to confirm the vendored gRPC works fine by installing the vendored gRPC into the local Maven repository. The checks passed:
Linkage Checker
There's no reference to log4j-api in the Linkage Checker result:
https://gist.github.com/suztomo/4719cedebd20887b0a0dcd50f0f5a4f2