fix(deps): upgrade slf4j and logback#8306
Conversation
|
@chadlwilson would you consider this a breaking change? I know in #8049 you suggested making core an uber jar - I haven't tackled that yet. |
There was a problem hiding this comment.
Pull request overview
This PR upgrades the project’s SLF4J + Logback versions and updates the Ant integration to use SLF4J 2.x’s SLF4JServiceProvider mechanism (replacing the SLF4J 1.x StaticLoggerBinder approach).
Changes:
- Bump dependency versions:
slf4j.versionto2.0.17andlogback.versionto1.5.25. - Replace Ant SLF4J 1.x static binder with an SLF4J 2.x service provider + task holder.
- Update Ant tasks to register the current Ant
Taskvia the new holder.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pom.xml | Updates SLF4J and Logback versions used across modules. |
| ant/src/main/resources/META-INF/services/org.slf4j.spi.SLF4JServiceProvider | Adds SLF4J 2.x ServiceLoader descriptor for the Ant logging provider. |
| ant/src/main/java/org/slf4j/impl/package-info.java | Removes SLF4J 1.x binder package documentation. |
| ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java | Removes SLF4J 1.x static binder implementation. |
| ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java | Switches task registration from StaticLoggerBinder to AntTaskHolder. |
| ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java | Switches task registration from StaticLoggerBinder to AntTaskHolder. |
| ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java | Switches task registration from StaticLoggerBinder to AntTaskHolder. |
| ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntTaskHolder.java | Introduces static holder for the current Ant Task. |
| ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntSlf4jServiceProvider.java | Implements SLF4J 2.x SLF4JServiceProvider for Ant logging integration. |
| ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java | Updates logger factory to use the new adapter construction model. |
| ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java | Reworks adapter to implement SLF4J 2.x Logger directly and pull task from the holder. |
Comments suppressed due to low confidence (1)
ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java:44
- AntLoggerFactory currently ignores the requested logger name and always returns the same AntLoggerAdapter instance. This breaks SLF4J’s expectation that Logger#getName reflects the category requested by callers (and makes per-package filtering impossible). Consider caching adapters by name (e.g., ConcurrentHashMap<String, AntLoggerAdapter>) and ensuring each adapter returns the name it was created for.
private final AntLoggerAdapter antLoggerAdapter = new AntLoggerAdapter();
/**
* Returns the Ant logger adapter.
*
* @param name ignored in this implementation
* @return the Ant logger adapter
*/
@Override
public Logger getLogger(String name) {
return antLoggerAdapter;
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
Show resolved
Hide resolved
ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
Outdated
Show resolved
Hide resolved
ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntSlf4jServiceProvider.java
Show resolved
Hide resolved
ant/src/main/resources/META-INF/services/org.slf4j.spi.SLF4JServiceProvider
Show resolved
Hide resolved
ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntTaskHolder.java
Outdated
Show resolved
Hide resolved
I'd assume it's not a breaking change, personally - unless you know many folks who consume ODC core as a library, I'd probably just try it :-) In practice, I suspect for many maven and gradle users they'll have other plugins that already have slf4j 2 API on the classpath, and it'll be using for ODC anyway since the classpaths aren't segregated. Gradle itself still bundles the slf4j 1.7 API I believe, but we'd not using any new stuff from the 2.x API, so I don't think it'll be an issue? But if anything is going to be an issue other than In any case, if we run the tests rebased on #8292 once merged, we'll have even more confidence (since the |
|
@jeremylong I've opened a new pull request, #8310, to work on those changes. Once the pull request is ready, I'll request review from you. |
|
@jeremylong I've opened a new pull request, #8311, to work on those changes. Once the pull request is ready, I'll request review from you. |
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jeremylong <862914+jeremylong@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jeremylong <862914+jeremylong@users.noreply.github.com>
|
I have manually tested this change in the gradle plugin and everything appears to be working as expected. |
Note that this is 100% AI generated PR. I still have a bit of testing to do to ensure everything is working as expected.