fix: upgrade to JCS3 (#5114)

jeremylong · Oct 14, 2023 · dff060e · dff060e
1 parent a5b2b28
commit dff060e
Show file tree

Hide file tree

Showing 17 changed files with 121 additions and 47 deletions.
diff --git a/ant/pom.xml b/ant/pom.xml
@@ -252,6 +252,14 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
             <artifactId>dependency-check-utils</artifactId>
             <version>${project.parent.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-jcs3-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>jcs3-slf4j</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.owasp</groupId>
             <artifactId>dependency-check-core</artifactId>

diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
@@ -20,19 +20,17 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.lang.reflect.Field;
 
-import org.apache.commons.jcs.JCS;
-import org.apache.commons.jcs.access.CacheAccess;
-import org.apache.commons.jcs.engine.CompositeCacheAttributes;
-import org.apache.commons.jcs.engine.behavior.ICompositeCacheAttributes;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
 import org.apache.tools.ant.Task;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cache.DataCache;
 import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.xml.pom.Model;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.slf4j.impl.StaticLoggerBinder;
+import org.slf4j.spi.LocationAwareLogger;
 
 /**
  * An Ant task definition to execute dependency-check during an Ant build.
@@ -140,11 +138,13 @@ public void setHostedSuppressionsUrl(final String hostedSuppressionsUrl) {
      * the Thread Context Class Loader set to something that can resolve it's classes. Other build tools do this
      * by default but Ant does not.
      *
-     * @throws BuildException throws if there is a problem. See {@link #executeWithContextClassloader()} for details
+     * @throws BuildException throws if there is a problem. See
+     * {@link #executeWithContextClassloader()} for details
      */
     @Override
     public final void execute() throws BuildException {
-        ClassLoader current = Thread.currentThread().getContextClassLoader();
+        muteJCS();
+        final ClassLoader current = Thread.currentThread().getContextClassLoader();
         try {
             Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
 
@@ -154,6 +154,41 @@ public final void execute() throws BuildException {
         }
     }
 
+    /**
+     * Hacky method of muting the noisy logging from JCS. Implemented using a
+     * solution from SO: https://stackoverflow.com/a/50723801
+     */
+    private void muteJCS() {
+        if (System.getProperty("jcs.logSystem") == null) {
+            System.setProperty("jcs.logSystem", "slf4j");
+        }
+
+        final String[] noisyLoggers = {
+            "org.apache.commons.jcs3.auxiliary.disk.AbstractDiskCache",
+            "org.apache.commons.jcs3.engine.memory.AbstractMemoryCache",
+            "org.apache.commons.jcs3.engine.control.CompositeCache",
+            "org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache",
+            "org.apache.commons.jcs3.engine.control.CompositeCache",
+            "org.apache.commons.jcs3.engine.memory.AbstractMemoryCache",
+            "org.apache.commons.jcs3.engine.control.event.ElementEventQueue",
+            "org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache",
+            "org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator",
+            "org.apache.commons.jcs3.engine.control.CompositeCacheManager",
+            "org.apache.commons.jcs3.utils.threadpool.ThreadPoolManager",
+            "org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator"};
+        for (String loggerName : noisyLoggers) {
+            try {
+                final Logger l = LoggerFactory.getLogger(loggerName);
+                final Field f = l.getClass().getSuperclass().getDeclaredField("currentLogLevel");
+                f.setAccessible(true);
+                f.set(l, LocationAwareLogger.ERROR_INT);
+            } catch (IllegalAccessException | IllegalArgumentException | NoSuchFieldException | SecurityException e) {
+                LoggerFactory.getLogger(Purge.class)
+                        .debug("Failed to reset the log level of " + loggerName + ", it will continue being noisy.");
+            }
+        }
+    }
+
     /**
      * Executes the dependency-check purge to delete the existing local copy of
      * the NVD CVE data.

diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -81,6 +81,9 @@ public class App {
      */
     @SuppressWarnings("squid:S4823")
     public static void main(String[] args) {
+        if (System.getProperty("jcs.logSystem") == null) {
+            System.setProperty("jcs.logSystem", "slf4j");
+        }
         final int exitCode;
         final App app = new App();
         exitCode = app.run(args);

diff --git a/cli/src/main/resources/logback.xml b/cli/src/main/resources/logback.xml
@@ -9,9 +9,9 @@
             <pattern>[%level] %msg%n</pattern>
         </encoder>
     </appender>
-    <logger name="org.apache.commons.jcs" level="ERROR"/>
+    <logger name="org.apache.commons.jcs3" level="ERROR">
 
     <root level="INFO">
         <appender-ref ref="console"/>
     </root>
-</configuration>
+</configuration>
diff --git a/core/pom.xml b/core/pom.xml
@@ -194,7 +194,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
-            <artifactId>commons-jcs-core</artifactId>
+            <artifactId>commons-jcs3-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>jcs3-slf4j</artifactId>
         </dependency>
         <dependency>
             <groupId>com.github.package-url</groupId>

diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -19,7 +19,7 @@
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.io.FileUtils;
-import org.apache.commons.jcs.JCS;
+import org.apache.commons.jcs3.JCS;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -40,7 +40,7 @@
 import java.text.MessageFormat;
 import java.util.List;
 import javax.annotation.concurrent.ThreadSafe;
-import org.apache.commons.jcs.access.exception.CacheException;
+import org.apache.commons.jcs3.access.exception.CacheException;
 import org.owasp.dependencycheck.data.cache.DataCache;
 import org.owasp.dependencycheck.data.cache.DataCacheFactory;
 

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/cache/DataCache.java b/core/src/main/java/org/owasp/dependencycheck/data/cache/DataCache.java
@@ -17,7 +17,7 @@
  */
 package org.owasp.dependencycheck.data.cache;
 
-import org.apache.commons.jcs.access.CacheAccess;
+import org.apache.commons.jcs3.access.CacheAccess;
 
 /**
  * A generic wrapper for the Java Caching System (JCS).

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/cache/DataCacheFactory.java b/core/src/main/java/org/owasp/dependencycheck/data/cache/DataCacheFactory.java
@@ -22,11 +22,11 @@
 import java.io.InputStream;
 import java.util.List;
 import java.util.Properties;
-import org.apache.commons.jcs.JCS;
-import org.apache.commons.jcs.access.CacheAccess;
-import org.apache.commons.jcs.access.exception.CacheException;
-import org.apache.commons.jcs.engine.CompositeCacheAttributes;
-import org.apache.commons.jcs.engine.behavior.ICompositeCacheAttributes;
+import org.apache.commons.jcs3.JCS;
+import org.apache.commons.jcs3.access.CacheAccess;
+import org.apache.commons.jcs3.access.exception.CacheException;
+import org.apache.commons.jcs3.engine.CompositeCacheAttributes;
+import org.apache.commons.jcs3.engine.behavior.ICompositeCacheAttributes;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nodeaudit.Advisory;
 import org.owasp.dependencycheck.utils.FileUtils;

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -33,7 +33,7 @@
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
-import org.apache.commons.jcs.access.exception.CacheException;
+import org.apache.commons.jcs3.access.exception.CacheException;
 import org.owasp.dependencycheck.data.cache.DataCache;
 import org.owasp.dependencycheck.data.cache.DataCacheFactory;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearch.java b/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearch.java
@@ -39,7 +39,7 @@
 import javax.json.Json;
 import javax.json.JsonObject;
 import javax.json.JsonReader;
-import org.apache.commons.jcs.access.exception.CacheException;
+import org.apache.commons.jcs3.access.exception.CacheException;
 
 import static org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.DEFAULT_URL;
 

diff --git a/core/src/main/resources/dependencycheck-cache.properties b/core/src/main/resources/dependencycheck-cache.properties
@@ -1,11 +1,11 @@
 # DEFAULT CACHE REGION
 jcs.default=ODC
-jcs.default.cacheattributes=org.apache.commons.jcs.engine.CompositeCacheAttributes
-jcs.default.cacheattributes.MemoryCacheName=org.apache.commons.jcs.engine.memory.lru.LRUMemoryCache
+jcs.default.cacheattributes=org.apache.commons.jcs3.engine.CompositeCacheAttributes
+jcs.default.cacheattributes.MemoryCacheName=org.apache.commons.jcs3.engine.memory.lru.LRUMemoryCache
 jcs.default.cacheattributes.UseMemoryShrinker=false
 jcs.default.cacheattributes.MaxMemoryIdleTimeSeconds=3600
 jcs.default.cacheattributes.ShrinkerIntervalSeconds=60
-jcs.default.elementattributes=org.apache.commons.jcs.engine.ElementAttributes
+jcs.default.elementattributes=org.apache.commons.jcs3.engine.ElementAttributes
 jcs.default.elementattributes.IsEternal=false
 # use zero max objects with an update pattern to force disk caching
 jcs.default.cacheattributes.MaxObjects=0
@@ -19,8 +19,8 @@ jcs.default.elementattributes.IsLateral=false
 
 #note - some region attributes are defined at load tiem in the DataCacheFactory.
 jcs.region.CENTRAL=ODC
-jcs.region.CENTRAL.cacheattributes=org.apache.commons.jcs.engine.CompositeCacheAttributes
-jcs.region.CENTRAL.elementattributes=org.apache.commons.jcs.engine.ElementAttributes
+jcs.region.CENTRAL.cacheattributes=org.apache.commons.jcs3.engine.CompositeCacheAttributes
+jcs.region.CENTRAL.elementattributes=org.apache.commons.jcs3.engine.ElementAttributes
 jcs.region.CENTRAL.cacheattributes.MaxObjects=0
 jcs.region.CENTRAL.cacheattributes.DiskUsagePattern=UPDATE
 #30 day cache life for Central
@@ -31,8 +31,8 @@ jcs.region.CENTRAL.elementattributes.IsLateral=false
 
 #note - some region attributes are defined at load tiem in the DataCacheFactory.
 jcs.region.POM=ODC
-jcs.region.POM.cacheattributes=org.apache.commons.jcs.engine.CompositeCacheAttributes
-jcs.region.POM.elementattributes=org.apache.commons.jcs.engine.ElementAttributes
+jcs.region.POM.cacheattributes=org.apache.commons.jcs3.engine.CompositeCacheAttributes
+jcs.region.POM.elementattributes=org.apache.commons.jcs3.engine.ElementAttributes
 jcs.region.POM.cacheattributes.MaxObjects=0
 jcs.region.POM.cacheattributes.DiskUsagePattern=UPDATE
 #90 day cache life for POM files from Central - this should likely be higher...
@@ -43,8 +43,8 @@ jcs.region.POM.elementattributes.IsLateral=false
 
 
 jcs.region.NODEAUDIT=ODC
-jcs.region.NODEAUDIT.cacheattributes=org.apache.commons.jcs.engine.CompositeCacheAttributes
-jcs.region.NODEAUDIT.elementattributes=org.apache.commons.jcs.engine.ElementAttributes
+jcs.region.NODEAUDIT.cacheattributes=org.apache.commons.jcs3.engine.CompositeCacheAttributes
+jcs.region.NODEAUDIT.elementattributes=org.apache.commons.jcs3.engine.ElementAttributes
 jcs.region.NODEAUDIT.cacheattributes.MaxObjects=0
 jcs.region.NODEAUDIT.cacheattributes.DiskUsagePattern=UPDATE
 #24 hour default cache life
@@ -54,8 +54,8 @@ jcs.region.NODEAUDIT.elementattributes.IsRemote=false
 jcs.region.NODEAUDIT.elementattributes.IsLateral=false
 
 # AVAILABLE AUXILIARY CACHES
-jcs.auxiliary.ODC=org.apache.commons.jcs.auxiliary.disk.indexed.IndexedDiskCacheFactory
-jcs.auxiliary.ODC.attributes=org.apache.commons.jcs.auxiliary.disk.indexed.IndexedDiskCacheAttributes
+jcs.auxiliary.ODC=org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCacheFactory
+jcs.auxiliary.ODC.attributes=org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCacheAttributes
 #jcs.auxiliary.ODC.attributes.DiskPath=$ {user.dir}/jcs_swap
 jcs.auxiliary.ODC.attributes.MaxPurgatorySize=10000000
 jcs.auxiliary.ODC.attributes.MaxKeySize=1000000

diff --git a/core/src/test/java/org/owasp/dependencycheck/BaseTest.java b/core/src/test/java/org/owasp/dependencycheck/BaseTest.java
@@ -41,6 +41,9 @@ public abstract class BaseTest {
      */
     @Before
     public void setUp() throws Exception {
+        if (System.getProperty("jcs.logSystem") == null) {
+            System.setProperty("jcs.logSystem", "slf4j");
+        }
         settings = new Settings();
     }
 

diff --git a/core/src/test/resources/logback-test.xml b/core/src/test/resources/logback-test.xml
@@ -31,4 +31,5 @@
     <logger name="org.owasp.dependencycheck.utils.FileUtils" additivity="false" level="OFF">
         <appender-ref ref="console"/>
     </logger>
-</configuration>
+    <logger name="org.apache.commons.jcs3" level="ERROR"/>
+</configuration>
diff --git a/maven/pom.xml b/maven/pom.xml
@@ -107,6 +107,14 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>dependency-check-utils</artifactId>
             <version>${project.parent.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-jcs3-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>jcs3-slf4j</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-plugin-api</artifactId>

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -2457,19 +2457,23 @@ private String[] determineSuppressions() {
      * solution from SO: https://stackoverflow.com/a/50723801
      */
     private void muteJCS() {
+        if (System.getProperty("jcs.logSystem") == null) {
+            System.setProperty("jcs.logSystem", "slf4j");
+        }
+
         final String[] noisyLoggers = {
-            "org.apache.commons.jcs.auxiliary.disk.AbstractDiskCache",
-            "org.apache.commons.jcs.engine.memory.AbstractMemoryCache",
-            "org.apache.commons.jcs.engine.control.CompositeCache",
-            "org.apache.commons.jcs.auxiliary.disk.indexed.IndexedDiskCache",
-            "org.apache.commons.jcs.engine.control.CompositeCache",
-            "org.apache.commons.jcs.engine.memory.AbstractMemoryCache",
-            "org.apache.commons.jcs.engine.control.event.ElementEventQueue",
-            "org.apache.commons.jcs.engine.memory.AbstractDoubleLinkedListMemoryCache",
-            "org.apache.commons.jcs.auxiliary.AuxiliaryCacheConfigurator",
-            "org.apache.commons.jcs.engine.control.CompositeCacheManager",
-            "org.apache.commons.jcs.utils.threadpool.ThreadPoolManager",
-            "org.apache.commons.jcs.engine.control.CompositeCacheConfigurator"};
+            "org.apache.commons.jcs3.auxiliary.disk.AbstractDiskCache",
+            "org.apache.commons.jcs3.engine.memory.AbstractMemoryCache",
+            "org.apache.commons.jcs3.engine.control.CompositeCache",
+            "org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache",
+            "org.apache.commons.jcs3.engine.control.CompositeCache",
+            "org.apache.commons.jcs3.engine.memory.AbstractMemoryCache",
+            "org.apache.commons.jcs3.engine.control.event.ElementEventQueue",
+            "org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache",
+            "org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator",
+            "org.apache.commons.jcs3.engine.control.CompositeCacheManager",
+            "org.apache.commons.jcs3.utils.threadpool.ThreadPoolManager",
+            "org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator"};
         for (String loggerName : noisyLoggers) {
             try {
                 //This is actually a MavenSimpleLogger, but due to various classloader issues, can't work with the directly.

diff --git a/pom.xml b/pom.xml
@@ -146,7 +146,10 @@ Copyright (c) 2012 - Jeremy Long
         <commons-io.version>2.14.0</commons-io.version>
         <commons-lang3.version>3.13.0</commons-lang3.version>
         <commons-text.version>1.10.0</commons-text.version>
-        <commons-jcs-core.version>2.2.1</commons-jcs-core.version>
+        <!-- note that logging will be noisy and broken until we upgrade to 3.2
+            See https://issues.apache.org/jira/browse/JCS-232 and
+            https://github.com/apache/commons-jcs/pull/120 -->
+        <commons-jcs-core.version>3.2</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
         <junit.version>4.13.2</junit.version>
         <hamcrest.version>2.2</hamcrest.version>
@@ -1031,9 +1034,14 @@ Copyright (c) 2012 - Jeremy Long
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
-                <artifactId>commons-jcs-core</artifactId>
+                <artifactId>commons-jcs3-core</artifactId>
                 <version>${commons-jcs-core.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.github.jeremylong</groupId>
+                <artifactId>jcs3-slf4j</artifactId>
+                <version>1.0.0</version>
+            </dependency>
             <dependency>
                 <groupId>commons-validator</groupId>
                 <artifactId>commons-validator</artifactId>