-
Notifications
You must be signed in to change notification settings - Fork 199
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move diagnostics package out of bootstrap module #3190
Conversation
fc5ae22
to
289c1df
Compare
// not using gson because it has dependency on java.sql.*, which is not available in Java 9+ bootstrap class loader | ||
// only complaint so far about moshi is that it doesn"t give line numbers when there are json formatting errors | ||
implementation("com.squareup.moshi:moshi") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this was what motivated moving this code out of the bootstrap module (in addition to it being a generally good thing to minimize amount of classes in the bootstrap module)
(although this comment is now very outdated, and we'll move to jackson)
289c1df
to
a33abc5
Compare
79cdc18
to
be679e7
Compare
@SuppressFBWarnings( | ||
value = "SECCRLFLOG", // CRLF injection into log messages | ||
justification = | ||
"Logging params cannot be controlled by an end user of the instrumented application") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no idea why this warning only started showing up with this change (https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS)
ec796b9
to
e34db74
Compare
// spring boot 2.x requires slf4j 1.x | ||
val slf4jVersion = "1.7.36" | ||
resolutionStrategy.force("org.slf4j:slf4j-api:${slf4jVersion}") | ||
resolutionStrategy.force("org.slf4j:log4j-over-slf4j:${slf4jVersion}") | ||
resolutionStrategy.force("org.slf4j:jcl-over-slf4j:${slf4jVersion}") | ||
resolutionStrategy.force("org.slf4j:jul-to-slf4j:${slf4jVersion}") | ||
resolutionStrategy.force("ch.qos.logback:logback-classic:1.2.12") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to override dependencyManagement for slf4j version in smoke tests
// moving to 2.0 is problematic because the SPI mechanism in 2.0 doesn't work in the | ||
// bootstrap class loader because, while we add the agent jar to the bootstrap class loader | ||
// via Instrumentation.appendToBootstrapClassLoaderSearch(), there's nothing similar for | ||
// resources (which is a known problem in the java agent world), and so the META-INF/services | ||
// resource is not found | ||
val slf4jVersion = "1.7.36" | ||
val slf4jVersion = "2.0.7" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🥳
// unfortunately, this also excludes the same from our distro (which points to logback) | ||
// and so we have to hackily re-add it via agent/agent/src/main/resources | ||
exclude("inst/META-INF/services/io.opentelemetry.javaagent.slf4j.spi.SLF4JServiceProvider") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yuck 🙈
8407aa9
to
3e3abf3
Compare
Bonus: also upgrades to SLF4J 2.x
This will also allow follow-up PR to remove moshi dependency