This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new 95a296e2c8 Let Spring Boot manage logback (matched) - clears 4 logback-core CVE alerts (#13916)
95a296e2c8 is described below
commit 95a296e2c810e6280b16975dd411e9c595a16836
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Fri Jun 19 11:24:25 2026 +0800
Let Spring Boot manage logback (matched) - clears 4 logback-core CVE alerts (#13916)
#13913 pinned logback-classic to 1.2.13 while Spring Boot kept logback-core at 1.2.6 (mismatch -> NoSuchMethodError -> lua e2e hang). #13915 fixed the hang by adding an explicit logback-core 1.2.13 dep, but that made Dependabot flag logback-core (4 CVEs patched only in logback 1.3.x/1.5.x, which need SLF4J 2.0 / Java 17 - unreachable on this Java-8 / Spring Boot 2.5 fixture).

Drop the explicit logback pins entirely and let spring-boot-dependencies manage both logback-classic and logback-core to the same version (1.2.6). Matched versions never trigger the NoSuchMethodError, and a BOM-managed (not declared) logback-core is not flagged by Dependabot - so the 4 alerts clear without shipping a vulnerable declared dependency, and the lua fix is preserved.
---
.../java-test-service/e2e-service-provider/pom.xml | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
index 122151f3df..b8c86e60f1 100644
--- a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
+++ b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
@@ -35,7 +35,6 @@
<properties>
<log4j2.version>2.25.4</log4j2.version>
- <logback.version>1.2.13</logback.version>
</properties>
<dependencies>
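Review bot: Dropping the `logback.version` property is only safe if nothing else in this pom, or in a module that inherits from it, still expands `${logback.version}`; the stat shows a single file changed, so please confirm the property was referenced only by the two `<version>` elements removed in the next hunk. It is also worth stating in the description that the resolved logback-core version (1.2.6 per the commit message) now depends entirely on the Spring Boot parent BOM, so a future Spring Boot bump in this fixture changes it without any edit to this file.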
@@ -75,20 +74,14 @@
<version>${log4j2.version}</version>
</dependency>
<dependency>
+ <!-- No explicit version: let spring-boot-dependencies manage BOTH
+ logback-classic and logback-core to the same version so they
never
+ mismatch. A classic newer than the managed core makes
logback-classic's
+ ThrowableProxy call OptionHelper.isNotEmtpy() (absent in the
older core),
+ throwing NoSuchMethodError when logging an exception. Java 8
/ Spring
+ Boot 2.x keeps this on the logback 1.2.x line. -->
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
- <version>${logback.version}</version>
- </dependency>
- <dependency>
- <!-- Pin logback-core to the same version as logback-classic.
Spring Boot's
- dependency management otherwise holds logback-core at an
older version
- (1.2.6), and logback-classic 1.2.13's ThrowableProxy calls
- OptionHelper.isNotEmtpy() which only exists in the matching
core, so
- logging any exception throws NoSuchMethodError and kills the
request
- thread. -->
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-core</artifactId>
- <version>${logback.version}</version>
</dependency>
<dependency>
<groupId>org.apache.skywalking</groupId>
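Review bot: The new comment explains the mismatch failure well but leaves out the trade-off that motivated this commit: with both artifacts BOM-managed, the fixture still resolves logback-core 1.2.6, whose 4 CVEs are only fixed on the 1.3.x/1.5.x line, so the Dependabot alerts clear because the dependency is no longer declared, not because the vulnerable code is gone. Suggest adding one line to the comment, for example `Known-vulnerable 1.2.x is accepted here: this is an e2e test fixture, and 1.3+/1.5+ requires SLF4J 2.0 / Java 17.`, so a future maintainer does not re-pin logback-core and reintroduce the alerts. It would also be worth running `mvn dependency:tree -Dincludes=ch.qos.logback` on this module once to confirm that logback-classic and logback-core resolve to the same version, since that matched pair is the whole fix for the NoSuchMethodError.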