Removing deprecated logback.groovy logics and docs from Grails 7 #13927

Open
gsartori opened this issue Dec 18, 2024 · 8 comments

@gsartori
Contributor

Feature description

I'm proposing we remove the deprecated logback.groovy feature.

It's been deprecated for three years now (since 2021-12-16) because of security issues, and given the impact of the Grails 7 release I believe it is a good time to do some cleanups.

See: https://stackoverflow.com/questions/74445304/is-there-a-reason-why-logback-groovy-is-discarded-in-1-2-9

If that's OK, I can work on it.

@lbwexler

lbwexler commented Dec 18, 2024

Dynamic Groovy configuration of logging via Groovy is an extremely useful feature to us. I really hope it can continue to be easy to enable in Grails 7, via, say, https://virtualdogbert.github.io/logback-groovy-config/

At the very least, it would be worth getting the take of VirtualDogbert (Tucker) on this, given how much time he has put in on this plugin, including how to use it in Grails.

@jamesfredley
Contributor

@gsartori this is somewhat related to grails/grails-doc#907. I lean towards updating the documentation to reflect the options in grails-doc and, if needed, here in grails-core. grails/grails-doc#907 is the default for Grails 7 and the "Logback Logging with Groovy config" is an optional feature powered by https://virtualdogbert.github.io/logback-groovy-config/

@gsartori
Contributor Author

gsartori commented Dec 18, 2024

What about the security implications of using logback.groovy? That is my main concern.

@jdaugherty
Contributor

I don't agree with the supposed security reasons that the logback project gave. They amounted to: groovy is dynamic, and you can do dynamic things with it, thus it could be used wrongly. With this reasoning, application.groovy is just as vulnerable. They are right it can be used wrongly, but it's up to you to secure your logback file. I think the real reason they pushed this narrative is they didn't want to suffer the negative press that log4j experienced due to someone configuring it wrong.

The added protections that the logback-groovy-config project gives should make it much harder to accidentally create a vulnerability too. We should continue to tell people how to configure it, but we shouldn't try to disable it or hide it. The default is to create a logback.xml and if you want to use only xml, you have that choice.

@gsartori
Contributor Author

Okay, I guess we can close this issue then. I think this discussion was useful nonetheless, at least to keep track of the decision.

@gsartori gsartori closed this as not planned Dec 18, 2024
@gsartori
Contributor Author

gsartori commented Dec 19, 2024

I was trying the following on a Grails 7 app:
https://docs.grails.org/6.2.2/guide/single.html#externalLoggingConfiguration

It doesn't work; it looks like the https://virtualdogbert.github.io/logback-groovy-config/ plugin is not compatible with Grails 7 because of the Groovy version it uses.

A problem occurred configuring root project 'grails-7-app'.
> Could not resolve all files for configuration ':runtimeClasspath'.
   > Could not resolve org.apache.groovy:groovy-xml:4.0.24.
     Required by:
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.grails:grails-bom:7.0.0-SNAPSHOT
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.apache.groovy:groovy:4.0.24 > org.apache.groovy:groovy-bom:4.0.24
         root project : > org.grails:grails-web-boot:7.0.0-SNAPSHOT > org.grails:grails-web-common:7.0.0-SNAPSHOT > org.apache.groovy:groovy-templates:4.0.24
      > Module 'org.apache.groovy:groovy-xml' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-xml:4.0.24' also provided by [org.codehaus.groovy:groovy-xml:3.0.13(runtime)]
   > Could not resolve org.apache.groovy:groovy-sql:4.0.24.
     Required by:
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.grails:grails-bom:7.0.0-SNAPSHOT
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.apache.groovy:groovy:4.0.24 > org.apache.groovy:groovy-bom:4.0.24
      > Module 'org.apache.groovy:groovy-sql' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-sql:4.0.24' also provided by [org.codehaus.groovy:groovy-sql:3.0.13(runtime)]
   > Could not resolve org.apache.groovy:groovy-templates:4.0.24.
     Required by:
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.grails:grails-bom:7.0.0-SNAPSHOT
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.apache.groovy:groovy:4.0.24 > org.apache.groovy:groovy-bom:4.0.24
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.grails:grails-bom:7.0.0-SNAPSHOT > org.grails:grails-gsp:7.0.0-SNAPSHOT:20241214.182320-78
      > Module 'org.apache.groovy:groovy-templates' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-templates:4.0.24' also provided by [org.codehaus.groovy:groovy-templates:3.0.13(runtime)]
   > Could not resolve org.apache.groovy:groovy-json:4.0.24.
     Required by:
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.grails:grails-bom:7.0.0-SNAPSHOT
         root project : > org.grails:grails-core:7.0.0-SNAPSHOT > org.apache.groovy:groovy:4.0.24 > org.apache.groovy:groovy-bom:4.0.24
      > Module 'org.apache.groovy:groovy-json' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-json:4.0.24' also provided by [org.codehaus.groovy:groovy-json:3.0.13(runtime)]
   > Could not resolve org.codehaus.groovy:groovy-json:3.0.13.
     Required by:
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13
      > Module 'org.codehaus.groovy:groovy-json' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-json:3.0.13' also provided by [org.apache.groovy:groovy-json:4.0.24(groovyRuntimeElements)]
   > Could not resolve org.codehaus.groovy:groovy-sql:3.0.13.
     Required by:
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13
      > Module 'org.codehaus.groovy:groovy-sql' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-sql:3.0.13' also provided by [org.apache.groovy:groovy-sql:4.0.24(groovyRuntimeElements)]
   > Could not resolve org.codehaus.groovy:groovy-templates:3.0.13.
     Required by:
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-console:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-docgenerator:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-groovydoc:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-groovysh:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-servlet:3.0.13
      > Module 'org.codehaus.groovy:groovy-templates' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-templates:3.0.13' also provided by [org.apache.groovy:groovy-templates:4.0.24(groovyRuntimeElements)]
   > Could not resolve org.codehaus.groovy:groovy-xml:3.0.13.
     Required by:
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-groovysh:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-servlet:3.0.13
         root project : > io.github.virtualdogbert:logback-groovy-config:1.14.5 > org.codehaus.groovy:groovy-all:3.0.13 > org.codehaus.groovy:groovy-templates:3.0.13
      > Module 'org.codehaus.groovy:groovy-xml' has been rejected:
           Cannot select module with conflict on capability 'org.codehaus.groovy:groovy-xml:3.0.13' also provided by [org.apache.groovy:groovy-xml:4.0.24(groovyRuntimeElements)]
> There are 5 more failures with identical causes.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.
BUILD FAILED in 4s

I don't know, I keep thinking that "less is more".

I am not so convinced that keeping the logback.groovy option is wise when the logback project itself is not supporting it anymore. And the grails plugin to support logback.groovy is a third party dependency that we have to keep updated since it's in the official documentation (!!).

I think we should either:

  • move the plugin into grails-core and keep the documentation as it is
  • remove the logback.groovy option altogether and update the documentation

Staying in the middle is the best way to be inconsistent. And inconsistent projects are not those projects people want to choose or invest in.

@gsartori gsartori reopened this Dec 19, 2024
@jamesfredley
Contributor

The framework does not support logback.groovy beginning with Grails 5.1.2, when logback removed support in 1.2.9: https://docs.grails.org/6.2.2/guide/single.html#logging. I personally found this suboptimal and was able to support my use cases with logback-spring.xml, which is the default in Grails 7: grails/grails-forge#362

Documentation does need to be updated in a few locations to remove references to logback.groovy and potentially add a few more links to https://virtualdogbert.github.io/logback-groovy-config/

That non-default, optional plugin adds Groovy support to logback, so only users that want/need it can have it. But it's not there unless they add the plugin.

The Groovy compatibility stuff can be handled in a number of ways: the plugin is updated to Groovy 4, exclude the Groovy dependencies from the plugin when declared in dependencies {}, or use Gradle dependency substitution to change the version from 3 to 4.
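
An added example (not part of the comment above and not code from the Grails or plugin projects) of the exclude and substitution options it mentions, using the coordinates from the Gradle error output earlier in the thread. The `implementation` configuration, the task name `verifyNoGroovy3`, and the plugin actually running on Groovy 4 are assumptions that the thread does not confirm.

```groovy
// build.gradle (Groovy DSL) fragment for a Grails 7 application.
// Coordinates and versions are taken from the build failure quoted in this issue.

dependencies {
    // Option A: drop the plugin's transitive Groovy 3 modules
    // (org.codehaus.groovy:groovy-all:3.0.13 and everything below it), so the
    // only Groovy runtime left is the org.apache.groovy 4.0.24 set from grails-bom.
    implementation('io.github.virtualdogbert:logback-groovy-config:1.14.5') {
        exclude group: 'org.codehaus.groovy'
    }
}

// Option B (alternative to A): rewrite every request for a Groovy 3 module
// to the Groovy 4 module of the same name, whichever dependency asked for it.
configurations.configureEach {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.codehaus.groovy') {
            details.useTarget("org.apache.groovy:${details.requested.name}:4.0.24")
            details.because('Grails 7 uses Groovy 4; avoid the capability conflict with Groovy 3 modules')
        }
    }
}

// Check (hypothetical task name): fail the build if any Groovy 3 module is
// still selected for the runtime classpath, so two Groovy runtimes never ship together.
tasks.register('verifyNoGroovy3') {
    doLast {
        def stale = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it?.group == 'org.codehaus.groovy' }
        if (stale) {
            throw new GradleException("Groovy 3 modules still on runtimeClasspath: ${stale}")
        }
    }
}
```

Either option only resolves the dependency conflict; whether logback-groovy-config 1.14.5, built against Groovy 3.0.13, behaves correctly on Groovy 4 still has to be tested in the application.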

@gsartori
Contributor Author

I've updated the documentation: grails/grails-doc#936
