2

I am using Logback and Slf4j for logging and the configuration is present in form of logback.groovy under src/main/resources which always worked like a charm.

I was about to upgrade my logging configuration to the latest versions available and stumbled upon the unpleasant problem.

The dependency ch.qos.logback:logback-classic:1.2.9 shows a warning:

Failed to instantiate [ch.qos.logback.classic.LoggerContext]
Reported exception:
ch.qos.logback.core.LogbackException: Unexpected filename extension of file [file:/[myproj]/build/resources/main/logback.groovy]. Should be either .groovy or .xml
    at ch.qos.logback.classic.util.ContextInitializer.configureByResource(ContextInitializer.java:67)
    at ch.qos.logback.classic.util.ContextInitializer.autoConfig(ContextInitializer.java:140)
    at org.slf4j.impl.StaticLoggerBinder.init(StaticLoggerBinder.java:84)
    ...

and I checked the code of ch.qos.logback.classic.util.ContextInitializer.configureByResource() of the last working version 1.2.8 and 1.2.9:

// 1.2.8
    public void configureByResource(URL url) throws JoranException {
        if (url == null) {
            throw new IllegalArgumentException("URL argument cannot be null");
        }
        final String urlString = url.toString();
        if (urlString.endsWith("groovy")) {
            if (EnvUtil.isGroovyAvailable()) {
                // avoid directly referring to GafferConfigurator so as to avoid
                // loading groovy.lang.GroovyObject . See also http://jira.qos.ch/browse/LBCLASSIC-214
                GafferUtil.runGafferConfiguratorOn(loggerContext, this, url);
            } else {
                StatusManager sm = loggerContext.getStatusManager();
                sm.add(new ErrorStatus("Groovy classes are not available on the class path. ABORTING INITIALIZATION.", loggerContext));
            }
        } else if (urlString.endsWith("xml")) {
            JoranConfigurator configurator = new JoranConfigurator();
            configurator.setContext(loggerContext);
            configurator.doConfigure(url);
        } else {
            throw new LogbackException("Unexpected filename extension of file [" + url.toString() + "]. Should be either .groovy or .xml");
        }
    }

// 1.2.9
    public void configureByResource(URL url) throws JoranException {
        if (url == null) {
            throw new IllegalArgumentException("URL argument cannot be null");
        }
        final String urlString = url.toString();
        if (urlString.endsWith("xml")) {
            JoranConfigurator configurator = new JoranConfigurator();
            configurator.setContext(loggerContext);
            configurator.doConfigure(url);
        } else {
            throw new LogbackException("Unexpected filename extension of file [" + url.toString() + "]. Should be either .groovy or .xml");
        }
    }

So, the warning might be misguiding, but the code change is obvious: the groovy support was removed although no "deprecation"-warning is provided in the ref-doc.

Why groovy support has been removed?

Why no "logback-groovy" package was introduced to provide support?

P.S. on Project's GitHub there's no "Issues" section, which is odd...

injecteer
  • 20,038
  • 4
  • 45
  • 89

1 Answers1

2

Check point 4 here:

https://logback.qos.ch/news.html#1.2.9

It was in response to CVE-2021-42550. See also LOGBACK-1591.

Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons.

There is a 3rd party plugin which re-adds Groovy support, available here: https://github.com/virtualdogbert/logback-groovy-config

Per Lundberg
  • 3,837
  • 1
  • 36
  • 46
Matthew Donaghey
  • 21
  • 1