Log4j 1.x updates to Log4j2 [message #1849049] Thu, 30 December 2021 19:27
Guchen Wang
The latest version of Xtext is still using log4j 1.x, which is out of date and has a vulnerability. Is it possible to move up the version to log4j2 or exclude it?
Re: Log4j 1.x updates to Log4j2 [message #1849053 is a reply to message #1849049] Fri, 31 December 2021 05:26
Christian Dietrich
https://github.com/eclipse/xtext-core/issues/1363

Twitter : @chrdietrich
Blog : https://www.dietrich-it.de
Re: Log4j 1.x updates to Log4j2 [message #1849054 is a reply to message #1849053] Fri, 31 December 2021 05:51
Ed Willink
Hi

Pretty much the whole of Eclipse uses Log4J 1.2.15 in a safe and trivial fashion. Moving before the platform and EMF seems like a needless risk.

Regards

Ed Willink
Re: Log4j 1.x updates to Log4j2 [message #1849055 is a reply to message #1849054] Fri, 31 December 2021 08:27
Ed Merks
The platform does not use log4j. EMF uses log4j only in the Xcore UI components and all those could simply be removed (replaced with something that doesn't use a library) except where Xtext generates the use of it, e.g., org.eclipse.emf.ecore.xcore.ui.internal.XcoreActivator.logger. So Xtext really does need to address this before EMF does and I see no risk in any case; the logger is not exposed in any APIs.

Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Log4j 1.x updates to Log4j2 [message #1849060 is a reply to message #1849055] Fri, 31 December 2021 14:22
Ed Willink
Hi

The Plugin Dependencies View claims that many EMF UI plugins such as edit.ui, codegen.core.ui require log4j.

However when I look closer it seems that the org.eclipse.xtext.logging fragment creates a loop that makes the display thoroughly untrustworthy.

IIRC when we moved to 1.2.15 there was considerable pain as one or two projects were distinctly tardy in responding to the responsibilities of simultaneous participation. I fear that a major change will again incur pain for very little obvious benefit. Presumably any project that exploits Xtext such as OCL or Papyrus will find that they have a conflict until all dependencies are compatible. If Xtext is to move, it should happen ASAP to maximize the opportunities for tardy projects to respond.

Regards

Ed Willink