wu-sheng opened a new pull request, #13916:
URL: https://github.com/apache/skywalking/pull/13916

   ### Fix the logback-core CVE alerts surfaced by #13915
   
   Follow-up to #13915. After #13915 added an explicit `logback-core` 1.2.13 
dependency to `e2e-service-provider` (to fix the lua-hang `NoSuchMethodError`), 
Dependabot started flagging `logback-core` — **4 alerts**, all patched only in 
logback 1.3.x/1.5.x which require **SLF4J 2.0 / Spring Boot 3 / Java 17**, 
unreachable on this **Java 8 / Spring Boot 2.5** test fixture.
   
   **Root of the whole thing:** #13913 pinned `logback-classic` to 1.2.13 while 
Spring Boot kept `logback-core` at 1.2.6. The mismatch is what made 
`logback-classic`'s `ThrowableProxy` call `OptionHelper.isNotEmtpy()` (absent 
in the older core) → `NoSuchMethodError` → dead Tomcat thread → the lua e2e 
hang.
   
   **Fix:** drop the explicit logback pins (both the classic 
`${logback.version}` and #13915's `logback-core` dep) and let 
`spring-boot-dependencies` manage **both** to the same version (1.2.6).
   - **Matched** classic+core can never trigger the `NoSuchMethodError` → the 
lua fix is preserved.
   - A **BOM-managed (not declared)** `logback-core` is not flagged by 
Dependabot (as the same 1.2.6 wasn't, pre-#13915) → the 4 alerts clear, without 
shipping a *declared* vulnerable dependency.
   
   Verified locally: the provider jar now bundles `logback-classic-1.2.6` + 
`logback-core-1.2.6` (matched), and the poms contain no explicit logback 
version pin.
   
   - [ ] Update the [`CHANGES` 
log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md)
 — N/A, test-fixture only.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to