ramanathan1504 commented on issue #3804:
URL: 
https://github.com/apache/logging-log4j2/issues/3804#issuecomment-3217429384

   Hi @ppkarwasz ,
   
   Thanks for the guidance on this issue! I followed your suggestion and did a deep dive into how different Maven versions affect the build, and also looked into the history of the Log4j build to pinpoint the origin of the problem. The results are very interesting and I think they help narrow down the problem.
   
   ### Part 1: Investigation of Maven Versions for Log4j `2.25.1`
   
   I started by testing the `2.25.1` build with older Maven versions. The conclusion is that the `cyclonedx.xml` issue is present in all supported Maven versions for the project (`3.8.1` and newer), so simply downgrading does not solve the problem. In fact, downgrading makes the build worse by introducing new `.module` file failures.
   
   <details>
     <summary>Click to view all Maven version test logs for 2.25.1</summary>
     
     *   **Maven 3.9.8 Log (`ko=30`):**
         ```
         version=2.25.1
         ko=30
         koFiles="log4j-bom-2.25.1-cyclonedx.xml log4j-api-2.25.1-sources.jar..."
         ```
     *   **Maven 3.9.5 Log (`ko=59`):**
         ```
         version=2.25.1
         ko=59
         koFiles="log4j-bom-2.25.1-cyclonedx.xml log4j-api-2.25.1-sources.jar log4j-api-2.25.1.module..."
         ```
     *   **Maven 3.8.8 Log (`ko=59`):**
         ```
         version=2.25.1
         ko=59
         koFiles="log4j-bom-2.25.1-cyclonedx.xml log4j-api-2.25.1-sources.jar log4j-api-2.25.1.module..."
         ```
     *   **Maven 3.6.3 Failure Log:**
         ```
         [ERROR] Detected Maven Version: 3.6.3 is not in the allowed range [3.8.1,).
         ```
   </details>
   
   ---
   
   ### Part 2: Finding the Origin in Log4j's History
   
   Since the Maven version wasn't the key, I went back through older Log4j releases to see when the `cyclonedx.xml` issue first appeared. This turned out to be very informative and has pinpointed the exact moment the behavior changed.
   
   Here is the timeline I found:
   
   *   **`2.25.1`:** The build has `ko=30`, with `log4j-bom-2.25.1-cyclonedx.xml` being one of the failures.
   *   **`2.25.0`:** The build has `ko=1`, and the **only failure** is `log4j-bom-2.25.0-cyclonedx.xml`. This confirms your observation.
   *   **`2.23.1`:** The `log4j-bom-2.23.1-cyclonedx.xml` file **failed** (`ko=90` overall).
   *   **`2.23.0`:** The `log4j-bom-2.23.0-cyclonedx.xml` file was **reproducible** (`ok`).
   *   **`2.22.1` & `2.22.0`:** The `cyclonedx.xml` file was also **reproducible** (`ok`).
   *   **`2.21.1`:** The `cyclonedx-maven-plugin` was not yet used in the build.
   
   <details>
     <summary>Click to view all historical Log4j build logs</summary>
     
     *   **Log4j 2.25.1 (`ko=30`):**
         ```
         version=2.25.1
         ko=30
         koFiles="log4j-bom-2.25.1-cyclonedx.xml log4j-api-2.25.1-sources.jar..."
         ```
     *   **Log4j 2.25.0 (`ko=1`):**
         ```
         version=2.25.0
         ok=148
         ko=1
         koFiles="log4j-bom-2.25.0-cyclonedx.xml"
         ```
     *   **Log4j 2.23.1 (`ko=90`):**
         ```
         version=2.23.1
         ko=90
         koFiles="log4j-bom-2.23.1-cyclonedx.xml log4j-api-2.23.1.jar..."
         ```
     *   **Log4j 2.23.0 (`ko=22`):**
         ```
         version=2.23.0
         ko=22
         okFiles="...log4j-bom-2.23.0-cyclonedx.xml..."
         ```
     *   **Log4j 2.22.1 (`ko=1`):**
         ```
         version=2.22.1
         ko=1
         okFiles="...log4j-bom-2.22.1-cyclonedx.xml..."
         ```
     *   **Log4j 2.22.0 (`ko=22`):**
         ```
         version=2.22.0
         ko=22
         okFiles="...log4j-bom-2.22.0-cyclonedx.xml..."
         ```
     *   **Log4j 2.21.1 (`ko=1`):**
         ```
         version=2.21.1
         ko=1
         # cyclonedx.xml file is not present in build results
         ```
   </details>
   
   ---
   
   ### **Summary**
   
   This data suggests that the non-deterministic behavior is a latent issue in Maven that is being triggered by a specific change made **inside the Log4j project between versions `2.23.0` and `2.23.1`**.
   
   The `cyclonedx-maven-plugin` was introduced in version `2.22.0` and was reproducible for several releases. However, a change to the project's dependencies or build configuration in `2.23.1` began to trigger the non-deterministic ordering from Maven that persists today.
   
   Hopefully, this helps narrow down the search for the root cause. Please let me know what you think or what I can investigate next.
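A small check that tells a pure component-ordering difference apart from real content drift when two `cyclonedx.xml` outputs from separate builds do not match byte-for-byte. This is example code added here, not from the issue thread or the Log4j project; the sample SBOMs below are constructed and are not actual build output.

```python
import xml.etree.ElementTree as ET

# CycloneDX XML namespace used by the constructed samples.
NS = {"bom": "http://cyclonedx.org/schema/bom/1.5"}

# Constructed reference SBOM (not real build output).
SBOM_A = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library"><name>log4j-api</name>
      <purl>pkg:maven/org.apache.logging.log4j/log4j-api@2.25.1</purl></component>
    <component type="library"><name>log4j-core</name>
      <purl>pkg:maven/org.apache.logging.log4j/log4j-core@2.25.1</purl></component>
  </components>
</bom>"""

# Same components, emitted in a different order (the "ordering" failure mode).
SBOM_B = SBOM_A.replace("log4j-api", "TMP").replace("log4j-core", "log4j-api").replace("TMP", "log4j-core")

# Genuinely different content: one dependency version changed.
SBOM_C = SBOM_A.replace("log4j-core@2.25.1", "log4j-core@2.25.0")


def canonical_components(xml_text):
    """Return each <component> as an order-independent tuple of its fields."""
    root = ET.fromstring(xml_text)
    comps = []
    for comp in root.findall("bom:components/bom:component", NS):
        fields = tuple(sorted(
            (child.tag.split("}")[-1], (child.text or "").strip())
            for child in comp))
        comps.append((comp.get("type", ""),) + fields)
    return comps


def classify(xml_a, xml_b):
    """'identical', 'order-only' (same set, different order) or 'content-differs'."""
    a, b = canonical_components(xml_a), canonical_components(xml_b)
    if a == b:
        return "identical"
    if sorted(a) == sorted(b):
        return "order-only"
    return "content-differs"


if __name__ == "__main__":
    print("A vs B:", classify(SBOM_A, SBOM_B))  # order-only
    print("A vs C:", classify(SBOM_A, SBOM_C))  # content-differs
```

Run it against the two `cyclonedx.xml` files from a rebuild pair; an `order-only` verdict supports the ordering hypothesis above, while `content-differs` points at a real input change.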


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.