log4j12: uses version with CVEs only via invoker (#1413)

Signed-off-by: Adrian Cole <adrian@tetrate.io>

context/log4j12/pom.xml

@@ -29,18 +29,53 @@
     <!-- Matches Export-Package in bnd.bnd -->
     <module.name>brave.context.log4j12</module.name>
 
+    <log4j12.version>1.2.17</log4j12.version>
     <main.basedir>${project.basedir}/../..</main.basedir>
   </properties>
 
   <dependencies>
+    <!-- Use Log4J 2.x dep to avoid CVE warnings in main -->
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
-      <version>1.2.17</version>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-1.2-api</artifactId>
+      <version>${log4j.version}</version>
       <scope>provided</scope>
     </dependency>
   </dependencies>
 
+  <build>
+    <plugins>
+      <!-- Test log4j:log4j dep via invoker -->
+      <plugin>
+        <artifactId>maven-invoker-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>de.qaware.maven</groupId>
+        <artifactId>go-offline-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>resolve-dependencies</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <!-- Add dependencies specific to invoker tests so that they cache on go-offline -->
+          <dynamicDependencies>
+            <DynamicDependency>
+              <groupId>log4j</groupId>
+              <artifactId>log4j</artifactId>
+              <version>${log4j12.version}</version>
+              <repositoryType>MAIN</repositoryType>
+              <type>jar</type>
+            </DynamicDependency>
+          </dynamicDependencies>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
   <profiles>
     <profile>
       <id>release</id>

context/log4j12/src/it/log4j12/README.md

@@ -0,0 +1,2 @@
+# log4j12
+This tests that MDCScopeDecorator does not rely on Log4J 2+ APIs.

context/log4j12/src/it/log4j12/pom.xml

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright 2013-2024 The OpenZipkin Authors
+
+    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+    in compliance with the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software distributed under the License
+    is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+    or implied. See the License for the specific language governing permissions and limitations under
+    the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>@project.groupId@</groupId>
+  <artifactId>log4j12</artifactId>
+  <version>@project.version@</version>
+  <name>log4j12</name>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.build.resourceEncoding>UTF-8</project.build.resourceEncoding>
+
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>brave-context-log4j12</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+      <version>@log4j12.version@</version>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>brave-tests</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <version>@junit-jupiter.version@</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <version>@assertj.version@</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <testSourceDirectory>@project.build.testSourceDirectory@</testSourceDirectory>
+    <plugins>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>@maven-surefire-plugin.version@</version>
+        <configuration>
+          <!-- This helps with mistakes, e.g. testSourceDirectory is wrong -->
+          <failIfNoTests>true</failIfNoTests>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

context/log4j12/src/it/log4j12/src/test/resources/log4j.properties

@@ -0,0 +1,19 @@
+#
+# Copyright 2013-2024 The OpenZipkin Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+log4j.rootLogger=INFO, console
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=[%d{dd MMM yyyy HH:mm:ss,SSS}] [%X{traceId}/%X{spanId} - sampled=%X{sampled}] : %m%n
+

context/log4j12/src/main/java/brave/context/log4j12/MDCScopeDecorator.java

@@ -76,7 +76,8 @@ enum MDCContext implements CorrelationContext {
 
     @Override public boolean update(String name, @Nullable String value) {
       if (value != null) {
-        MDC.put(name, value);
+        // Cast to Object to ensure we don't use an overload added after Log4J 1.2!
+        MDC.put(name, (Object) value);
       } else {
         MDC.remove(name);
       }

context/log4j12/src/test/java/brave/context/log4j12/MDCScopeDecoratorTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2023 The OpenZipkin Authors
+ * Copyright 2013-2024 The OpenZipkin Authors
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License. You may obtain a copy of the License at
@@ -37,7 +37,8 @@ static void assumeMDCWorks() {
     String realJavaVersion = System.getProperty("java.version");
     try {
       System.setProperty("java.version", "1.8");
-      MDC.put("foo", "bar");
+      // Cast to Object to ensure we don't use an overload added after Log4J 1.2!
+      MDC.put("foo", (Object) "bar");
       assumeThat(MDC.get("foo"))
         .withFailMessage("Couldn't verify MDC in general")
         .isEqualTo("bar");

context/log4j12/src/test/resources/log4j2.properties

@@ -0,0 +1,8 @@
+appenders=console
+appender.console.type=Console
+appender.console.name=STDOUT
+appender.console.layout.type=PatternLayout
+appender.console.layout.pattern=%d{ABSOLUTE} %-5p [%t] %C{2} (%F:%L) [%X{traceId}/%X{spanId} - sampled=%X{sampled}] - %m%n
+rootLogger.level=info
+rootLogger.appenderRefs=stdout
+rootLogger.appenderRef.stdout.ref=STDOUT