This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new 95a296e2c8 Let Spring Boot manage logback (matched) - clears 4 logback-core CVE alerts (#13916)
95a296e2c8 is described below

commit 95a296e2c810e6280b16975dd411e9c595a16836
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Fri Jun 19 11:24:25 2026 +0800

    Let Spring Boot manage logback (matched) - clears 4 logback-core CVE alerts (#13916)
    
    #13913 pinned logback-classic to 1.2.13 while Spring Boot kept logback-core at
    1.2.6 (mismatch -> NoSuchMethodError -> lua e2e hang). #13915 fixed the hang by
    adding an explicit logback-core 1.2.13 dep, but that made Dependabot flag
    logback-core (4 CVEs patched only in logback 1.3.x/1.5.x, which need SLF4J 2.0 /
    Java 17 - unreachable on this Java-8 / Spring Boot 2.5 fixture).
    
    Drop the explicit logback pins entirely and let spring-boot-dependencies manage
    both logback-classic and logback-core to the same version (1.2.6). Matched
    versions never trigger the NoSuchMethodError, and a BOM-managed (not declared)
    logback-core is not flagged by Dependabot - so the 4 alerts clear without
    shipping a vulnerable declared dependency, and the lua fix is preserved.
---
 .../java-test-service/e2e-service-provider/pom.xml    | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml 
b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
index 122151f3df..b8c86e60f1 100644
--- a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
+++ b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
@@ -35,7 +35,6 @@
 
     <properties>
         <log4j2.version>2.25.4</log4j2.version>
-        <logback.version>1.2.13</logback.version>
     </properties>
 
     <dependencies>
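Review bot: Removing `<logback.version>` here leaves `log4j2.version` as the only explicit logging pin, with nothing in the properties block recording that logback is now intentionally unpinned; given that #13913 added the pin and #13915 widened it, a one-line comment next to `<log4j2.version>` saying logback versions are deliberately left to spring-boot-dependencies would stop the next contributor from re-introducing the mismatch.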
@@ -75,20 +74,14 @@
             <version>${log4j2.version}</version>
         </dependency>
         <dependency>
+            <!-- No explicit version: let spring-boot-dependencies manage BOTH
+                 logback-classic and logback-core to the same version so they 
never
+                 mismatch. A classic newer than the managed core makes 
logback-classic's
+                 ThrowableProxy call OptionHelper.isNotEmtpy() (absent in the 
older core),
+                 throwing NoSuchMethodError when logging an exception. Java 8 
/ Spring
+                 Boot 2.x keeps this on the logback 1.2.x line. -->
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
-            <version>${logback.version}</version>
-        </dependency>
-        <dependency>
-            <!-- Pin logback-core to the same version as logback-classic. 
Spring Boot's
-                 dependency management otherwise holds logback-core at an 
older version
-                 (1.2.6), and logback-classic 1.2.13's ThrowableProxy calls
-                 OptionHelper.isNotEmtpy() which only exists in the matching 
core, so
-                 logging any exception throws NoSuchMethodError and kills the 
request
-                 thread. -->
-            <groupId>ch.qos.logback</groupId>
-            <artifactId>logback-core</artifactId>
-            <version>${logback.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.skywalking</groupId>
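Review bot: The new comment explains the NoSuchMethodError but omits the trade-off the commit message states, namely that the BOM-managed logback-core (1.2.6) still carries the 4 unpatched advisories and only stops being flagged because Dependabot ignores transitive, BOM-managed artifacts; a sentence in the comment such as "logback-core stays at the managed 1.2.x version, which is unpatched for the known logback-core advisories; the clean Dependabot status reflects tooling scope, not a fix" would keep future readers from treating the cleared alerts as remediation. It would also help to note in the comment the check that validates the whole premise of the change, e.g. `mvn dependency:tree -Dincludes=ch.qos.logback` run in this module, confirming that logback-classic and logback-core resolve to the same version after the pins are gone.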
