[ 
https://issues.apache.org/jira/browse/GEODE-10545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jinwoo Hwang updated GEODE-10545:
---------------------------------
    Description: 
h1. Migrate Log4j Integration Tests to log4j-core-test 
h2. Summary

Migrate geode-log4j integration tests from deprecated Log4j test utilities to 
the new {{log4j-core-test}} artifact with updated package structure for Log4j 
2.20.0+ compatibility.
h2. Background

Log4j 2.20.0 restructured test artifacts for JPMS compliance. Test utilities 
({{LoggerContextRule}}, {{ListAppender}}) moved from classifier-based 
artifacts to a separate {{log4j-core-test}} module with new package names.

*Old Packages (2.17.2):*
 * {{org.apache.logging.log4j.junit.LoggerContextRule}}
 * {{org.apache.logging.log4j.test.appender.ListAppender}}

*New Packages (2.22.0+):*
 * {{org.apache.logging.log4j.core.test.junit.LoggerContextRule}}
 * {{org.apache.logging.log4j.core.test.appender.ListAppender}}

h2. Changes Required
h3. 1. Add Dependency

*File:* {{geode-log4j/build.gradle}}
{code:groovy}
integrationTestImplementation('org.apache.logging.log4j:log4j-core-test')
{code}
h3. 2. Update Dependency Management

*File:* {{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}

Add {{log4j-core-test}} to the log4j dependency set:
{code:groovy}
dependencySet(group: 'org.apache.logging.log4j', version: get('log4j.version')) {
  entry('log4j-api')
  entry('log4j-core')
  entry('log4j-core-test')  // Add this
  ...
}
{code}
h3. 3. Update Integration Test Imports

Update 21 integration test files with new package imports:
 * AlertAppenderIntegrationTest.java
 * BothLogWriterAppendersIntegrationTest.java
 * CacheWithCustomLogConfigIntegrationTest.java
 * ConfigurationWithLogLevelChangesIntegrationTest.java
 * ConsoleAppenderWithLoggerContextRuleIntegrationTest.java
 * DistributedSystemWithBothLogWriterAppendersIntegrationTest.java
 * DistributedSystemWithLogLevelChangesIntegrationTest.java
 * FastLoggerIntegrationTest.java
 * GemfireVerboseMarkerFilterAcceptIntegrationTest.java
 * GemfireVerboseMarkerFilterDenyIntegrationTest.java
 * GeodeConsoleAppenderIntegrationTest.java
 * GeodeConsoleAppenderWithCacheIntegrationTest.java
 * GeodeConsoleAppenderWithSystemOutRuleIntegrationTest.java
 * GeodeVerboseMarkerFilterAcceptIntegrationTest.java
 * GeodeVerboseMarkerFilterDenyIntegrationTest.java
 * LogServiceWithCustomLogConfigIntegrationTest.java
 * LogWriterAppenderIntegrationTest.java
 * LogWriterAppenderShutdownIntegrationTest.java
 * LogWriterAppenderWithLimitsIntegrationTest.java
 * LogWriterAppenderWithMemberNameInXmlIntegrationTest.java
 * SecurityLogWriterAppenderIntegrationTest.java
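
Added example (not part of the ticket or the Geode code base): a Python sketch of step 3 that rewrites the two relocated class names on {{import}} lines only and reports any other mention for manual review, in line with the "No test logic changes" criterion. The names {{migrate_source}}, {{migrate_tree}} and the sample source are assumptions made for illustration.

```python
import re
from pathlib import Path

# Old -> new fully qualified names, copied from the ticket's package lists.
RELOCATED = {
    "org.apache.logging.log4j.junit.LoggerContextRule":
        "org.apache.logging.log4j.core.test.junit.LoggerContextRule",
    "org.apache.logging.log4j.test.appender.ListAppender":
        "org.apache.logging.log4j.core.test.appender.ListAppender",
}
# Whole-name match: no identifier character or dot before, none after.
OLD_NAME = re.compile(
    r"(?<![\w.])(" + "|".join(map(re.escape, RELOCATED)) + r")(?!\w)")
IMPORT_LINE = re.compile(r"^\s*import\s+(static\s+)?")

# Constructed sample source, not a real Geode test file.
SAMPLE = (
    "package example.constructed;\n"
    "import org.apache.logging.log4j.junit.LoggerContextRule;\n"
    "import org.apache.logging.log4j.test.appender.ListAppender;\n"
    "import org.junit.Rule;\n"
    "// see org.apache.logging.log4j.junit.LoggerContextRule\n"
)

def migrate_source(text):
    """Rewrite import lines only; return (new_text, rewritten, leftovers)."""
    out, rewritten, leftovers = [], 0, []
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        if IMPORT_LINE.match(line):
            line, n = OLD_NAME.subn(lambda m: RELOCATED[m.group(1)], line)
            rewritten += n
        elif OLD_NAME.search(line):
            # Old name outside an import: leave untouched, flag for review.
            leftovers.append((number, line.rstrip("\r\n")))
        out.append(line)
    return "".join(out), rewritten, leftovers

def migrate_tree(root):
    """Apply migrate_source in place to every .java file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*.java")):
        original = path.read_bytes().decode("utf-8")  # keeps line endings
        updated, rewritten, leftovers = migrate_source(original)
        if updated != original:
            path.write_bytes(updated.encode("utf-8"))
        if rewritten or leftovers:
            report[str(path)] = (rewritten, leftovers)
    return report
```

Running {{migrate_tree}} a second time reports zero rewrites, because neither old name is a substring of its replacement.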

h2. Acceptance Criteria
 * {{log4j-core-test}} dependency added to geode-log4j module
 * Dependency management updated in DependencyConstraints.groovy
 * All 21 integration test files updated with new imports
 * Integration tests compile successfully
 * All integration tests pass
 * Full build passes including spotlessCheck
 * No test logic changes

h2. References
 * Apache Log4j JIRA: LOG4J2-3650
 * Mailing list: [https://lists.apache.org/thread/mfc5llrbtzb94pmyw401jlf3kn6llp9r]
 * Related: GEODE-10543 (Log4j 2.17.2 → 2.25.3 upgrade)

  was:
h1. Log4j Upgrade: 2.17.2 → 2.25.3 (CVE-2025-68161 Remediation)
h2. Overview

This document outlines the plan to upgrade Apache Log4j from version *2.17.2* 
to *2.25.3* to remediate the security vulnerability 
[CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161].
h2. Vulnerability Details

*CVE ID:* [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
*Current Version:* 2.17.2
*Target Version:* 2.25.3
*Severity:* MEDIUM
*Impact:* Security vulnerability in Log4j requiring immediate remediation
h2. Files Requiring Updates

The following files and locations reference Log4j 2.17.2 and need to be updated:
h3. Build Configuration
 * {{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}
 ** Update {{deps.put("log4j.version", "2.17.2")}} to {{deps.put("log4j.version", "2.25.3")}}

h3. Documentation Files
 * {{geode-docs/managing/logging/configuring_log4j2.html.md.erb}}
 ** Update references from 2.17.2 to 2.25.3 (lines 39-41, 45, 48)
 * {{geode-docs/managing/logging/how_logging_works.html.md.erb}}
 ** Update references from 2.17.2 to 2.25.3 (lines 24, 26)
 * {{geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb}}
 ** Update JAR references from 2.17.2 to 2.25.3 (lines 111-113)

h3. Test Resources
 * {{geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle}}
 ** Update hardcoded version from 2.17.2 to 2.25.3 (line 28)
 * {{geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt}}
 ** Update JAR names from 2.17.2 to 2.25.3 (lines 35-39)
 * {{geode-assembly/src/integrationTest/resources/assembly_content.txt}}
 ** Update JAR names from 2.17.2 to 2.25.3 (lines 1015-1018)

h2. Implementation Steps
 # *Update Dependency Version*
 ** Modify {{DependencyConstraints.groovy}} to set log4j.version to 2.25.3
 # *Update Documentation*
 ** Update all documentation files to reference the new version
 ** Verify download links and documentation still point to valid resources
 # *Update Test Resources*
 ** Update test configuration files and resource lists
 ** Regenerate or update assembly content lists if automated
 # *Build and Test*
 ** Run full build: {{./gradlew clean build}}
 ** Run unit tests: {{./gradlew test}}
 ** Run integration tests: {{./gradlew integrationTest}}
 ** Run distributed tests: {{./gradlew distributedTest}}
 # *Verify Dependencies*
 ** Check dependency tree: {{./gradlew dependencies}}
 ** Verify no older Log4j versions are transitively included
 # *Security Scan*
 ** Run vulnerability scan to confirm CVE-2025-68161 is resolved
 ** Check for any new vulnerabilities introduced

h2. Testing Strategy
h3. Unit Testing
 * Verify all existing unit tests pass with the new Log4j version
 * Focus on logging-related tests in {{geode-log4j}} module

h3. Integration Testing
 * Test logging configurations across different modules
 * Verify Log4j bridge integrations (JUL, SLF4J, JCL) function correctly
 * Test session management logging (Tomcat/WebLogic modules)

h3. Compatibility Testing
 * Verify compatibility with:
 ** Java 17
 ** Different application servers (Tomcat, WebLogic)
 ** Existing log4j2 configuration files

h3. Regression Testing
 * Run full test suite to ensure no functionality is broken
 * Test specific scenarios:
 ** Log file rotation
 ** Custom appenders
 ** Log filtering
 ** Performance benchmarks

h2. Rollback Plan

If issues are discovered after the upgrade:
 # Revert the version change in {{DependencyConstraints.groovy}}
 # Revert documentation changes
 # Rebuild and redeploy with Log4j 2.17.2
 # Document any compatibility issues discovered

h2. Dependencies Impact

The following Geode modules use Log4j and may be affected:
 * {{geode-log4j}} - Core Log4j integration
 * {{geode-gfsh}} - GFSH command-line tool
 * {{geode-tcp-server}} - TCP server implementation
 * {{geode-assembly}} - Distribution assembly
 * {{geode-modules}} - HTTP session management modules

h2. Breaking Changes

Review Log4j [release notes|https://logging.apache.org/log4j/2.x/changes-report.html] for versions between 2.17.2 and 2.25.3:
 * Identify any deprecated APIs that Geode may be using
 * Check for configuration format changes
 * Review any behavioral changes that could affect Geode

h2. Timeline

*Estimated effort:* 2-3 weeks including testing
 * Week 1: Code changes and initial testing
 * Week 2: Integration and regression testing
 * Week 3: Documentation review and final validation

h2. Success Criteria
 * [ ] All code references to Log4j 2.17.2 updated to 2.25.3
 * [ ] All builds pass successfully
 * [ ] All tests pass (unit, integration, distributed)
 * [ ] CVE-2025-68161 no longer reported in vulnerability scans
 * [ ] No new vulnerabilities introduced
 * [ ] Documentation accurately reflects new version
 * [ ] Release notes updated

h2. References
 * [CVE-2025-68161 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
 * [Log4j 2.x Download|https://logging.apache.org/log4j/2.x/download.html]
 * [Log4j 2.x Release Notes|https://logging.apache.org/log4j/2.x/changes-report.html]
 * [Apache Geode Documentation|https://geode.apache.org/docs/]

h2. Risks and Mitigations
||Risk||Impact||Likelihood||Mitigation||
|Breaking API changes in Log4j|High|Low|Review release notes thoroughly; test extensively|
|Transitive dependency conflicts|Medium|Medium|Use {{./gradlew dependencies}} to identify conflicts|
|Performance degradation|Medium|Low|Run performance benchmarks before/after upgrade|
|Configuration incompatibilities|Medium|Low|Test with various log4j2.xml configurations|
|Module-specific issues|High|Medium|Test all HTTP session management modules thoroughly|
h2. Communication Plan
 * Notify development team of planned upgrade
 * Update JIRA ticket with progress
 * Document any issues encountered during testing
 * Share test results with team before merge
 * Update release notes for next Geode release

 


> Migrate Log4j Integration Tests to log4j-core-test
> --------------------------------------------------
>
>                 Key: GEODE-10545
>                 URL: https://issues.apache.org/jira/browse/GEODE-10545
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>             Fix For: 2.0.1
>
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
