Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SLF4J 2.0.0 requires logback 1.3.0 #4846

Closed
mcondellva opened this issue Sep 14, 2022 · 7 comments
Closed

SLF4J 2.0.0 requires logback 1.3.0 #4846

mcondellva opened this issue Sep 14, 2022 · 7 comments
Labels
Milestone

Comments

@mcondellva
Copy link

Describe the bug
SLF4J 2.0.0 requires logback 1.3.0+

Running 7.2.0 version of ODC gives the following warnings:

WARNING: SLF4J: No SLF4J providers were found.
WARNING: SLF4J: Defaulting to no-operation (NOP) logger implementation
WARNING: SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
WARNING: SLF4J: Class path contains SLF4J bindings targeting slf4j-api versions prior to 1.8.
WARNING: SLF4J: Ignoring binding found at [jar:file:/D:/Program%20Files/dependency-check/lib/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
WARNING: SLF4J: See http://www.slf4j.org/codes.html#ignoredBindings for an explanation.

And then fails to provide normal logged data besides the warnings above.

Version of dependency-check used
The problem occurs using version 7.2.0 of the cli

Log file
Warning output provided above.

To Reproduce
dependency-check.bat" --format JSON --prettyPrint --enableExperimental --out C:****\dc-output-20220914093309.json" --yarn "D:\Program Files\Yarn\bin\yarn.cmd" --scan ****

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
I downloaded logback-core-1.3.0.jar and logback-classic-1.3.0.jar and replaced the 1.2.11 versions with the updated versions and logging worked as it did in previous versions of ODC.

@mcondellva mcondellva added the bug label Sep 14, 2022
@mprins
Copy link
Contributor

mprins commented Sep 14, 2022

see #4786

@aikebah
Copy link
Collaborator

aikebah commented Sep 14, 2022

With your new setup I expect you would run into an error when you would try to create a debug logfile (when you use the -l / --log argument) just like the build of #4786

@mcondellva
Copy link
Author

Quite possibly, I haven't tried it, but could test it if another data point is useful.
However, we have internal team tools that depend on the output to stdout/stderr that was no longer being produced with the older version of logback. Upgrading fixed that output for us.

I had missed the other issue and just wanted to make sure it was on the radar. It is easy enough for us to work around.

@aikebah
Copy link
Collaborator

aikebah commented Sep 14, 2022

@jeremylong what do you think? Maybe best to revert the slf4j update to 2.0.0 and release 7.2.1? I have not verified, but as there are direct references in its codebase to slf4j 1.x StaticLoggerBinder I suspect that the ant task will also suffer from logging issues due to the slf4j version bump.

@maxbeltr
Copy link

We have the same problem here...@mcondellva can you please post the steps of your workaround? Thanks!

@aikebah
Copy link
Collaborator

aikebah commented Sep 16, 2022

@maxbeltr
That would be

  1. download the latest 1.3.x of logback-core (1.3.1 by now)
    https://repo1.maven.org/maven2/ch/qos/logback/logback-core/1.3.1/logback-core-1.3.1.jar
    and logback-classic
    https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.3.1/logback-classic-1.3.1.jar

  2. copy both jars to the lib folder of your extracted dependency-check CLI

  3. Remove logback-classic-1.2.11.jar and logback-core-1.2.11.jar from the lib folder of your extracted dependency-check CLI

@maxbeltr
Copy link

Thanks a lot!

@jeremylong jeremylong added this to the 7.2.1 milestone Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants