While I’m hopeful the following changes can be merged into a future release, I certainly understand if it goes against the JTS design and the PR is rejected.
I replaced dozens - if not hundreds - of calls to System.out and System.err with calls to a logger. I also removed several calls that print stacktraces (which,
personally, I’d prefer to keep, but we are required to remove them as they are declared to expose vulnerabilities).
I didn’t take the time to consider all of the uses for the System.out/err calls (tests, etc.). I just replaced them with calls to the SLF4J logger – mostly info
level unless it was an obvious error such as in catch blocks, so they will work with the “simple” logging implementation I added, with test scope, in an attempt to minimize any changes to the way things operate now.
I also “fixed” a vulnerability Fortify reported in org.locationtech.jts.io.gml2.GeometryStrategies.
I’ll work to get these changes into a pull request tomorrow for review. I’m leaving in the logger calls for our requirements. Again, I understand if it goes
against design and the PR is rejected.
Much obliged for all comments thus far.
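The before/after pattern described in this reply and in the original proposal below (System.out/System.err and printStackTrace() replaced by SLF4J calls, with a simple binding on the test classpath), written out as an added example. This is illustration code, not JTS code and not the author's pull request; the class and method names are hypothetical, and the only real APIs used are org.slf4j.Logger and org.slf4j.LoggerFactory from slf4j-api.

```java
// Added example (not JTS code): the System.out/printStackTrace -> SLF4J change
// described in the thread. Assumes org.slf4j:slf4j-api on the compile classpath
// and, for tests only, org.slf4j:slf4j-simple as the binding. Class and method
// names here are hypothetical.
package example;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public final class ParseWithLogging {

    private static final Logger LOG = LoggerFactory.getLogger(ParseWithLogging.class);

    private ParseWithLogging() {}

    // BEFORE: the pattern a static analyzer flags. Output goes straight to the
    // process streams, the consuming application cannot turn it off, and
    // printStackTrace() writes class names, source files and line numbers to
    // wherever stderr happens to point.
    static int parseBefore(String text) {
        try {
            return Integer.parseInt(text.trim());
        } catch (NumberFormatException e) {
            System.err.println("bad input: " + text);
            e.printStackTrace();
            return -1;
        }
    }

    // AFTER: route through SLF4J. The library still records what happened, but
    // the application decides, via the binding it puts on the runtime classpath,
    // whether the message and the throwable are emitted, where they go and at
    // what level. With no binding present SLF4J discards the calls.
    static int parseAfter(String text) {
        try {
            return Integer.parseInt(text.trim());
        } catch (NumberFormatException e) {
            // A Throwable passed as the last argument is attached to the event;
            // the binding decides whether to render its stack trace.
            LOG.error("Could not parse integer from input {}", text, e);
            return -1;
        }
    }

    // Diagnostic output that used to be System.out.println becomes debug, guarded
    // so nothing is formatted when the level is disabled.
    static void report(int value) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("parsed value {}", value);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: one valid value, one malformed.
        for (String s : new String[] {" 42 ", "forty-two"}) {
            report(parseAfter(s));
        }
    }
}
```

For the library module only slf4j-api is a compile dependency; a binding such as slf4j-simple is added with test scope so the library's own tests still print, while downstream users pick their own binding (or none) without touching the source. Note that moving to a logger does not by itself make the output safe: the input echoed with {} is still untrusted data, so the application's binding configuration decides whether it is written, and to where.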
From: jts-dev <jts-dev-bounces@xxxxxxxxxxx>
On Behalf Of Martin Davis
Sent: Wednesday, March 30, 2022 5:40 PM
To: JTS project developer mailing list <jts-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [jts-dev] Modify JTS Core to use a logging framework
There should be no calls to System.out or System.err in the JTS core (apart from the Debug class). If you find any they are probably left over from debugging and can be removed (and feel free to request they are removed from the codebase
via a PR, GH issue, or email).
Also by design JTS doesn't do any logging. Where do you see that being added?
Hello,
This is my first time posting to your mailing list, so please excuse any breaches of protocol/decorum.
I work on a project that uses JTS Core (thank you for all of your hard work); however, to be permissible for us to use it we must perform a static code
analysis on the source code (using Fortify) and mitigate the findings. This is a time consuming process and it must be repeated each time we upgrade versions of your software. This is my first time performing the task for JTS Core. From what I understand
other developers on our team have previously found, most of the findings involve removing calls to System.out, System.err and printing stacktraces (because stacktraces reveal potential vulnerabilities).
I am planning to fork the JTS repo and modify it to use a logging framework in lieu of the aforementioned outputs. I would like to do so in a way that
will both benefit the community and that would allow committing those changes so this process will be less time consuming for future upgrades.
My proposal is to use the Simple Logging Facade for Java (SLF4J) as doing so allows users of the library to decide the underlying logging framework to
use without having to modify the source code and by simply adding the dependency for the chosen framework to the runtime classpath. It is also my understanding that SLF4J is compatible with Android, so I would not expect using it to impose restrictions for
that platform.
I’m looking for feedback so I can provide the most benefit to the community and increase the likelihood the community will accept a pull request with
the modifications so they will be included in future releases. Any feedback will be greatly appreciated.
Thanks in advance,
Phil Bryant
Senior Principal Software Engineer
SAIC Inc.
5021 Bradford Drive
Huntsville, Alabama 35806
Phillip.L.Bryant@xxxxxxxx
phillip.l.bryant4.ctr@xxxxxxxx
The information contained in this e-mail and any attachments from Science Applications International Corporation ("SAIC") may contain confidential and/or proprietary information, and is intended only for the named recipient to whom it was
originally addressed. If you are not the intended recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited. If you have received this e-mail in error, please notify the sender immediately by return e-mail
and permanently delete the e-mail and any attachments.
_______________________________________________
jts-dev mailing list
jts-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jts-dev