chore(dependencies): upgrade pf4j from 3.2.0 to 3.10.0 to resolve CVE…

…-2023-40828 (#1153) pf4j 3.10.0 brings in slf4j-api 2.0.6 which is not compatible with logback 1.2.x. Upgrading logback created incompatibility issues with Springboot's LogbackLoggingSystem. > Task :kork-tomcat:test com.netflix.spinnaker.kork.tomcat.CRLFHeaderTest > clientTest() FAILED java.lang.NoClassDefFoundError at LogbackLoggingSystem.java:293 Caused by: java.lang.ClassNotFoundException at BuiltinClassLoader.java:581 1 test completed, 1 failed Caused by: java.lang.ClassNotFoundException at BuiltinClassLoader.java:581 So, pin slf4j-api to 1.7.36 to retain compatibility with logback to 1.2.x. Removed a test(extensions index is written to META-INF) from TestPluginGeneratorTest.kt as the upgraded pf4j no longer create extensions.idx if no extensions exist.(refer pf4j/pf4j#508) Note: PluginWrapper is deprecated in 3.10.0 and will be removed in the next major release as per this - pf4j/pf4j#512. So next pf4j upgrade would break the functionality of existing plugins. Co-authored-by: Kiran Godishala <[email protected]> Co-authored-by: Jason <[email protected]> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
spinnaker · Feb 20, 2024 · 42d2de6 · 42d2de6
1 parent eba9e74
commit 42d2de6
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 12 deletions.
diff --git a/...plugins-tck/src/test/kotlin/com/spinnaker/netflix/kork/plugins/TestPluginGeneratorTest.kt b/...plugins-tck/src/test/kotlin/com/spinnaker/netflix/kork/plugins/TestPluginGeneratorTest.kt
@@ -38,16 +38,6 @@ class TestPluginGeneratorTest : JUnit5Minutests {
         expectThat(resolve("classes")).describedAs("classes directory").isDirectory()
       }
 
-      test("extensions index is written to META-INF") {
-        expectThat(resolve("classes/META-INF")).and {
-          isDirectory()
-          get { resolve("extensions.idx") }.and {
-            isRegularFile()
-            get { toFile().readText() }.isEqualTo("# Generated by PF4J\n")
-          }
-        }
-      }
-
       test("generated class is written to subdirectories matching package") {
         expectThat(resolve("classes/com/netflix/spinnaker/kork/plugins/testplugin/generated")).and {
           isDirectory()

diff --git a/...rc/main/kotlin/com/netflix/spinnaker/kork/plugins/repository/PluginRefPluginRepository.kt b/...rc/main/kotlin/com/netflix/spinnaker/kork/plugins/repository/PluginRefPluginRepository.kt
@@ -26,6 +26,6 @@ import org.pf4j.util.ExtensionFileFilter
 /**
  * A [PluginRepository] supporting [PluginRef] type [Plugin]s by matching files with the extension [PluginRef.EXTENSION].
  */
-class PluginRefPluginRepository(pluginPath: Path) : BasePluginRepository(pluginPath, ExtensionFileFilter(PluginRef.EXTENSION)) {
+class PluginRefPluginRepository(pluginPath: Path) : BasePluginRepository(listOf(pluginPath), ExtensionFileFilter(PluginRef.EXTENSION)) {
   override fun deletePluginPath(pluginPath: Path?): Boolean = false
 }
diff --git a/spinnaker-dependencies/spinnaker-dependencies.gradle b/spinnaker-dependencies/spinnaker-dependencies.gradle
@@ -159,7 +159,16 @@ dependencies {
        }
     }
     api("org.objenesis:objenesis:2.5.1")
-    api("org.pf4j:pf4j:3.2.0")
+    api("org.pf4j:pf4j:3.10.0")
+    // pf4j:3.10.0 brings in slf4j-api:2.0.6 which is not compatible with logback 1.2.x.
+    // And the upgraded logback version(1.3.8) is becoming incompatible with SpringBoot's LogbackLoggingSystem:
+    // java.lang.NoClassDefFoundError at LogbackLoggingSystem.java:293
+    // Hence pinning slf4j-api at 1.7.36 which spring boot 2.5.15 brings in.
+    api("org.slf4j:slf4j-api"){
+      version {
+        strictly("1.7.36")
+      }
+    }
     api("org.pf4j:pf4j-update:2.3.0")
 
     // snakeyaml 1.29 fails to parse yaml (including some k8s manifests), so