wu-sheng opened a new pull request, #13916:
URL: https://github.com/apache/skywalking/pull/13916
### Fix the logback-core CVE alerts surfaced by #13915
Follow-up to #13915. After #13915 added an explicit `logback-core` 1.2.13
dependency to `e2e-service-provider` (to fix the lua-hang `NoSuchMethodError`),
Dependabot started flagging `logback-core` — **4 alerts**, all patched only in
logback 1.3.x/1.5.x which require **SLF4J 2.0 / Spring Boot 3 / Java 17**,
unreachable on this **Java 8 / Spring Boot 2.5** test fixture.
**Root of the whole thing:** #13913 pinned `logback-classic` to 1.2.13 while
Spring Boot kept `logback-core` at 1.2.6. The mismatch is what made
`logback-classic`'s `ThrowableProxy` call `OptionHelper.isNotEmtpy()` (absent
in the older core) → `NoSuchMethodError` → dead Tomcat thread → the lua e2e
hang.
**Fix:** drop the explicit logback pins (both the classic
`${logback.version}` and #13915's `logback-core` dep) and let
`spring-boot-dependencies` manage **both** to the same version (1.2.6).
- **Matched** classic+core can never trigger the `NoSuchMethodError` → the
lua fix is preserved.
- A **BOM-managed (not declared)** `logback-core` is not flagged by
Dependabot (as the same 1.2.6 wasn't, pre-#13915) → the 4 alerts clear, without
shipping a *declared* vulnerable dependency.
Verified locally: the provider jar now bundles `logback-classic-1.2.6` +
`logback-core-1.2.6` (matched), and the poms contain no explicit logback
version pin.
- [ ] Update the [`CHANGES`
log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md)
— N/A, test-fixture only.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]