[GitHub] [logging-log4j2] vy commented on pull request #1192: fix(sec): upgrade org.slf4j:slf4j-ext to 1.7.26

[GitBox <gi...@apache.org>]

vy commented on PR #1192:
URL: https://github.com/apache/logging-log4j2/pull/1192#issuecomment-1373571950

   @ppkarwasz, it should be possible, but I guess, it is not. :confounded: I have already wasted hours on this, hence I will not go into trouble of explaining it, though I will share my attempts:
   
   ## Using `build-helper-maven-plugin` to set `slf4jExtVersion` property
   
   ```xml
   <plugin>
     <groupId>org.codehaus.mojo</groupId>
     <artifactId>build-helper-maven-plugin</artifactId>
     <version>3.3.0</version>
     <executions>
       <execution>
         <id>replace-slf4j-version-property</id>
         <phase>prepare-package</phase>
         <goals>
           <goal>bsh-property</goal>
         </goals>
         <configuration>
           <properties>
             <property>slf4jExtVersion</property>
           </properties>
           <source>
             slf4jExtVersion = "1.7.36";
           </source>
         </configuration>
       </execution>
     </executions>
   </plugin>
   <plugin>
     <groupId>org.codehaus.mojo</groupId>
     <artifactId>flatten-maven-plugin</artifactId>
     <version>1.3.0</version>
     <inherited>false</inherited>
     <executions>
       <execution>
         <id>flatten-bom</id>
         <phase>prepare-package</phase>
         <goals>
           <goal>flatten</goal>
         </goals>
         <configuration>
           <flattenMode>clean</flattenMode>
           <!-- POM `ElementHandling` is pretty cryptic: https://www.mojohaus.org/flatten-maven-plugin/apidocs/org/codehaus/mojo/flatten/ElementHandling.html
                Trial-and-error has shown that we should use either `remove` or `interpolate`.
                `remove` simply removes the element.
                `interpolate` takes the element from the original POM with variables interpolated.
                Avoid using `resolve`, which uses the effective POM where inherited changes from the parent are also incorporated. -->
           <pomElements>
             <build>remove</build>
             <properties>remove</properties>
             <repositories>remove</repositories>
             <distributionManagement>remove</distributionManagement>
             <dependencyManagement>interpolate</dependencyManagement>
           </pomElements>
           <!-- Setting `outputDirectory` to `project.build.directory`, which is cleaned by `default-clean` execution of `clean:clean`.
                This makes `flatten:clean` redundant. -->
           <outputDirectory>${project.build.directory}</outputDirectory>
         </configuration>
       </execution>
     </executions>
   </plugin>
   ```
   
   This doesn't work. `flatten-maven-plugin` doesn't use the version set by the `build-helper-maven-plugin`. I suppose it simply reads the `pom.xml` ignoring the current Maven context.
   
   ## Using `versions-maven-plugin` to set `slf4jExtVersion` property
   
   ```xml
   <plugin>
     <groupId>org.codehaus.mojo</groupId>
     <artifactId>versions-maven-plugin</artifactId>
     <version>2.14.2</version>
     <executions>
       <execution>
         <id>replace-slf4j-version-property</id>
         <phase>prepare-package</phase>
         <goals>
           <goal>set-property</goal>
         </goals>
         <configuration>
           <property>slf4jExtVersion</property>
           <newVersion>1.7.36</newVersion>
         </configuration>
       </execution>
       <execution>
         <id>revert-slf4j-version-property</id>
         <phase>package</phase>
         <goals>
           <goal>set-property</goal>
         </goals>
         <configuration>
           <property>slf4jExtVersion</property>
           <newVersion>1.7.25</newVersion>
         </configuration>
       </execution>
     </executions>
   </plugin>
   <plugin>
     <groupId>org.codehaus.mojo</groupId>
     <artifactId>flatten-maven-plugin</artifactId>
     <!-- same as previous usage -->
   </plugin>
   ```
   
   **This works!** But... `replace-slf4j-version-property` updates the original `pom.xml`, though `revert-slf4j-version-property` doesn't revert it back. Hence when `./mvnw package` finishes, it leaves the repository in an unclean state: `pom.xml` contains `<slf4jExtVersion>1.7.36</slf4jExtVersion>` change, whereas it should have been left `<slf4jExtVersion>1.7.25</slf4jExtVersion>`.
   
   ## Conclusion
   
   `versions-maven-plugin` method can be used. But ideally `flatten-maven-plugin` should be updated to accept a list of properties to take into account while interpolating property substitutions. All of this is very ugly, including the original problem itself.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org