[PF-2978] High severity security issue - Upgrade logback-core (#127)

DataBiosphere · Dec 4, 2023 · 0f8ed86 · 0f8ed86
1 parent 22f2ee6
commit 0f8ed86
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/build.gradle b/build.gradle
@@ -87,6 +87,8 @@ dependencies {
     implementation group: 'com.google.apis', name: 'google-api-services-logging', version: 'v2-rev20220714-1.32.1'
     implementation group: 'ch.qos.logback.contrib', name: 'logback-json-classic', version: '0.1.5'
     implementation group: 'ch.qos.logback.contrib', name: 'logback-jackson', version: '0.1.5'
+    implementation group: 'ch.qos.logback', name: 'logback-core', version: '1.4.14'
+    implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.4.14'
 
     // Flagsmith
     implementation group: 'com.flagsmith', name: 'flagsmith-java-client', version: '6.1.0'

diff --git a/gradle.lockfile b/gradle.lockfile
@@ -6,8 +6,8 @@ bio.terra:stairway:0.0.76-SNAPSHOT=compileClasspath,productionRuntimeClasspath,r
 ch.qos.logback.contrib:logback-jackson:0.1.5=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 ch.qos.logback.contrib:logback-json-classic:0.1.5=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 ch.qos.logback.contrib:logback-json-core:0.1.5=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-ch.qos.logback:logback-classic:1.4.8=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-ch.qos.logback:logback-core:1.4.8=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+ch.qos.logback:logback-classic:1.4.14=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+ch.qos.logback:logback-core:1.4.14=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.beust:jcommander:1.48=pmd
 com.fasterxml.jackson.core:jackson-annotations:2.15.2=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-core:2.15.2=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

diff --git a/src/main/java/bio/terra/common/logging/LoggingUtils.java b/src/main/java/bio/terra/common/logging/LoggingUtils.java
@@ -14,7 +14,6 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.core.env.ConfigurableEnvironment;
-import org.springframework.util.ResourceUtils;
 
 /**
  * Logging utility methods intended for use by service / app developers. These are generally aimed
@@ -119,8 +118,7 @@ protected static void initializeLogging(ConfigurableApplicationContext applicati
         // seems to work. But if we encounter future issues in human-readable logging control, this
         // is a reasonable place to look more closely.
         logbackLogger.detachAndStopAllAppenders();
-        new ContextInitializer(logbackLogger.getLoggerContext())
-            .configureByResource(ResourceUtils.getURL("classpath:logback.xml"));
+        new ContextInitializer(logbackLogger.getLoggerContext()).autoConfig();
       } catch (Exception e) {
         throw new RuntimeException("Error loading human-readable logging", e);
       }