From e8c82dded94adf2eb893b764b638f8a5a93256a4 Mon Sep 17 00:00:00 2001
From: Kiran Godishala
Date: Thu, 21 Sep 2023 23:10:30 +0530
Subject: [PATCH] chore(dependencies): upgrade pf4j from 3.2.0 to 3.10.0 to resolve CVE-2023-40828
pf4j 3.10.0 brings in slf4j-api 2.0.6 which is not compatible with logback 1.2.x. Upgrading logback created incompatibility issues with Springboot's LogbackLoggingSystem. > Task :kork-tomcat:test com.netflix.spinnaker.kork.tomcat.CRLFHeaderTest > clientTest() FAILED java.lang.NoClassDefFoundError at LogbackLoggingSystem.java:293 Caused by: java.lang.ClassNotFoundException at BuiltinClassLoader.java:581 1 test completed, 1 failed Caused by: java.lang.ClassNotFoundException at BuiltinClassLoader.java:581 So, pin slf4j-api to 1.7.36 to retain compatibility with logback to 1.2.x. Removed a test(extensions index is written to META-INF) from TestPluginGeneratorTest.kt as the upgraded pf4j no longer create extensions.idx if no extensions exist.(refer https://github.com/pf4j/pf4j/issues/508) Note: PluginWrapper is deprecated in 3.10.0 and will be removed in the next major release as per this - https://github.com/pf4j/pf4j/pull/512. So next pf4j upgrade would break the functionality of existing plugins.
---
 .../netflix/kork/plugins/TestPluginGeneratorTest.kt | 10 ----------
 .../plugins/repository/PluginRefPluginRepository.kt | 2 +-
 spinnaker-dependencies/spinnaker-dependencies.gradle | 11 ++++++++++-
 3 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/kork-plugins-tck/src/test/kotlin/com/spinnaker/netflix/kork/plugins/TestPluginGeneratorTest.kt b/kork-plugins-tck/src/test/kotlin/com/spinnaker/netflix/kork/plugins/TestPluginGeneratorTest.kt
index 228ae6847..c17b0bef5 100644
--- a/kork-plugins-tck/src/test/kotlin/com/spinnaker/netflix/kork/plugins/TestPluginGeneratorTest.kt
+++ b/kork-plugins-tck/src/test/kotlin/com/spinnaker/netflix/kork/plugins/TestPluginGeneratorTest.kt
@@ -38,16 +38,6 @@ class TestPluginGeneratorTest : JUnit5Minutests {
 expectThat(resolve("classes")).describedAs("classes directory").isDirectory()
 }
 
- test("extensions index is written to META-INF") {
- expectThat(resolve("classes/META-INF")).and {
- isDirectory()
- get { resolve("extensions.idx") }.and {
- isRegularFile()
- get { toFile().readText() }.isEqualTo("# Generated by PF4J\n")
- }
- }
- }
-
 test("generated class is written to subdirectories matching package") {
 expectThat(resolve("classes/com/netflix/spinnaker/kork/plugins/testplugin/generated")).and {
 isDirectory()
diff --git a/kork-plugins/src/main/kotlin/com/netflix/spinnaker/kork/plugins/repository/PluginRefPluginRepository.kt b/kork-plugins/src/main/kotlin/com/netflix/spinnaker/kork/plugins/repository/PluginRefPluginRepository.kt
index 5ff62e71a..4534b3dcb 100644
--- a/kork-plugins/src/main/kotlin/com/netflix/spinnaker/kork/plugins/repository/PluginRefPluginRepository.kt
+++ b/kork-plugins/src/main/kotlin/com/netflix/spinnaker/kork/plugins/repository/PluginRefPluginRepository.kt
@@ -26,6 +26,6 @@ import org.pf4j.util.ExtensionFileFilter
 /**
 * A [PluginRepository] supporting [PluginRef] type [Plugin]s by matching files with the extension [PluginRef.EXTENSION].
 */
-class PluginRefPluginRepository(pluginPath: Path) : BasePluginRepository(pluginPath, ExtensionFileFilter(PluginRef.EXTENSION)) {
+class PluginRefPluginRepository(pluginPath: Path) : BasePluginRepository(listOf(pluginPath), ExtensionFileFilter(PluginRef.EXTENSION)) {
 override fun deletePluginPath(pluginPath: Path?): Boolean = false
 }
diff --git a/spinnaker-dependencies/spinnaker-dependencies.gradle b/spinnaker-dependencies/spinnaker-dependencies.gradle
index 9151e920e..a2d622736 100644
--- a/spinnaker-dependencies/spinnaker-dependencies.gradle
+++ b/spinnaker-dependencies/spinnaker-dependencies.gradle
@@ -163,7 +163,16 @@ dependencies {
 }
 }
 api("org.objenesis:objenesis:2.5.1")
- api("org.pf4j:pf4j:3.2.0")
+ api("org.pf4j:pf4j:3.10.0")
+ // pf4j:3.10.0 brings in slf4j-api:2.0.6 which is not compatible with logback 1.2.x.
+ // And the upgraded logback version(1.3.8) is becoming incompatible with SpringBoot's LogbackLoggingSystem:
+ // java.lang.NoClassDefFoundError at LogbackLoggingSystem.java:293
+ // Hence pinning slf4j-api at 1.7.36 which spring boot 2.5.15 brings in.
+ api("org.slf4j:slf4j-api"){
+ version {
+ strictly("1.7.36")
+ }
+ }
 api("org.pf4j:pf4j-update:2.3.0")
 
 // snakeyaml 1.29 fails to parse yaml (including some k8s manifests), so
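Review bot: The new `strictly("1.7.36")` constraint forces slf4j-api below the 2.0.6 that the hunk's own comment says pf4j 3.10.0 was built against, so any slf4j 2.x-only call inside pf4j would surface as a NoSuchMethodError at runtime rather than at build time; the kork-tomcat failure quoted in the commit message only exercises the logback side, not pf4j's plugin-loading path on 1.7.36, so that path deserves an explicit runtime check before merge. Since these `api(...)` declarations appear to form a shared dependency-management file, the strict constraint also propagates to every consumer and will fail resolution for anything that legitimately requires slf4j-api 2.x, so the comment block should mark the pin as temporary, e.g. `// TODO: drop this strict pin once logback / Spring Boot move to an slf4j 2.x-compatible line.` The hunk leaves `org.pf4j:pf4j-update` at 2.3.0, which presumably declares its own (older) pf4j dependency; the explicit `pf4j:3.10.0` should win under normal conflict resolution, but given that the upgrade is motivated by CVE-2023-40828 it is worth confirming with `dependencyInsight` that no pre-3.10 pf4j class reaches the runtime classpath through that artifact.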