
#606 Plans for Squirrel to move from EOL log4j 1.x to log4j 2.17+?

Group: SQuirreL
Status: closed
Owner: nobody
Labels: None
Priority: high
Updated: 2024-05-20
Created: 2022-01-06
Creator: Steve Souza
Private: No

We use and like Squirrel to access our databases (so thank you). However, due to the recent log4j vulnerability in log4j 2.x there has been increased scrutiny on outdated versions of software and using software that is end-of-lifed. Squirrel uses log4j-1.2.17.jar which is end-of-lifed. Are there any plans to upgrade to log4j version 2.17+? If so, what is the time frame?

from apache log4j site: "On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life"

Related

Feature Requests: #606

Discussion

  • Gerd Wagner

    Gerd Wagner - 2022-01-06

    I have not decided on updating to Log4J2 yet. I already know it requires some more work than just updating the libraries. If someone would send me a patch, I'd promise to sympathetically consider it.
    I'm also thinking about getting rid of Log4j altogether. I assume it wouldn't be too hard to implement the logging functionality SQuirreL needs myself. Of course a patch of that kind would be considered friendly as well.

    As to the vulnerabilities of Log4J that came known lately: I think SQuirreL already dealt with these responsibly. Please see the two recent change log entries starting with
    "On Log4j vulnerability CVE-2021-44228 (log4shell) concerning Log4j2 versions from 2.0-beta9 to 2.14.1 ..."
    and with
    "Fixed Log4j vulnerability CVE-2021-4104 concerning Log4j version 1. ..."
    here http://sourceforge.net/p/squirrel-sql/git/ci/master/tree/sql12/core/doc/changes.txt

    Also note that SQuirreL is a standalone application which does not offer to be connected to from outside. Essentially the only remote component that may cause SQuirreL to write logs is the databases you use SQuirreL to connect to.

     
  • Steve Souza

    Steve Souza - 2022-01-12

    Thanks. Appreciate the response.

    Probably the easiest path would be to move to log4j 2.17+, but another option is...

    1) slf4j - which is a facade in front of logging frameworks. This allows the user to use different logging implementations including log4j and java logging, for example, as slf4j just picks up what is available to use. https://www.baeldung.com/java-logging-intro.
    2) Logback is an implementation of slf4j and offers many benefits over log4j - https://logback.qos.ch/reasonsToSwitch.html

    I would not roll my own logging framework. Your users already know how to use slf4j and log4j and probably have other apps that use them, and can find tons of help on them as well as examples.

    Here is some info on how to convert to the latest version of log4j from the deprecated version. Unfortunately, if users have changed config files they would have to convert these files to log4j 2 format. Same issue for slf4j.

    https://logging.apache.org/log4j/2.x/manual/migration.html

     

    Last edit: Steve Souza 2022-01-14
  • Steve Souza

    Steve Souza - 2022-02-10

    Note another option is to just use the log4j2 to log4j1 bridge. It is a jar that comes with log4j2 that tricks your code into thinking it is using log4j1 even though it is using log4j2. It is a simple drop-in jar replacement. https://logging.apache.org/log4j/2.x/manual/migration.html. I have successfully used this approach in other software. If your usage of log4j is pretty simple, this should work.

     

    Last edit: Steve Souza 2022-02-10
  • Steve Souza

    Steve Souza - 2022-02-11

    If you would like me to try to see what happens when I use the log4j2 bridge with squirrel, let me know and I can try it.

     
  • Gerd Wagner

    Gerd Wagner - 2022-02-12

    That would be very kind of you.
    Here are some pointers:
    The main classes should be
    net.sourceforge.squirrel_sql.client.SquirrelAppender
    net.sourceforge.squirrel_sql.client.SquirrelLoggerFactory
    net.sourceforge.squirrel_sql.client.SquirrelFileSizeRollingAppender
    net.sourceforge.squirrel_sql.fw.util.log.*

    I have the feeling it's over engineered. So simplification is welcome.

    An important point is that SQuirreL's UI is supposed to respond to logs. By now this is done by the listeners in Log4jLoggerFactory. The according UI component is
    net.sourceforge.squirrel_sql.client.gui.LogPanel
    which is displayed in SQuirreL's status bar.

    I remember some trouble getting the listeners notified of all logs. Two tricky points I remember are logs written at application startup and logs written to System.out/err.

     
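    As an added illustration of the listener problem described above (this is example code, not SQuirreL's own Log4jLoggerFactory or LogPanel): a java.util.logging Handler that buffers records written at startup before the UI registers, replays them to the listener once it does, maps the -level / --log-level values mentioned later in this thread onto JUL levels, and routes System.err through the logger so the status bar sees that output too. The class name UiLogHandler, the LogListener interface and the "startup"/"stderr" logger names are assumptions.

```java
import java.io.PrintStream;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.logging.*;

/** Hypothetical Log4j-free replacement for the listener mechanism: a JUL Handler feeding a UI. */
public final class UiLogHandler extends Handler {
    public interface LogListener { void onLog(LogRecord r); }   // what a LogPanel would implement

    private final List<LogListener> listeners = new CopyOnWriteArrayList<>();
    private final List<LogRecord> startupBuffer = new CopyOnWriteArrayList<>(); // logs before UI exists

    public UiLogHandler(Level minLevel) { setLevel(minLevel); }

    public void addListener(LogListener l) {
        listeners.add(l);
        for (LogRecord r : startupBuffer) l.onLog(r);   // replay startup logs the UI would otherwise miss
        startupBuffer.clear();
    }

    @Override public void publish(LogRecord r) {
        if (!isLoggable(r)) return;                      // honours the configured minimum level
        if (listeners.isEmpty()) { startupBuffer.add(r); return; }
        for (LogListener l : listeners) l.onLog(r);
    }
    @Override public void flush() {}
    @Override public void close() {}

    /** Maps ERROR, WARNING, INFO, DEBUG (default INFO) onto JUL levels. */
    static Level parseLevel(String a) {
        String s = a == null ? "INFO" : a.toUpperCase();
        return s.equals("ERROR") ? Level.SEVERE : s.equals("WARNING") ? Level.WARNING
             : s.equals("DEBUG") ? Level.FINE : Level.INFO;
    }

    /** Routes System.err through the logger so stack traces printed there also reach the UI. */
    static void captureSystemErr(Logger log) {
        System.setErr(new PrintStream(System.err, true) {
            @Override public void println(String s) { log.warning(s); } // assumption: log as WARNING
        });
    }

    public static void main(String[] args) {
        Logger root = Logger.getLogger("");
        for (Handler h : root.getHandlers()) root.removeHandler(h);   // drop the default console handler
        UiLogHandler ui = new UiLogHandler(parseLevel(args.length > 0 ? args[0] : null));
        root.addHandler(ui);
        root.setLevel(ui.getLevel());
        Logger.getLogger("startup").info("application starting");    // buffered: no UI listener yet
        ui.addListener(r -> System.out.println("[LogPanel] " + r.getLevel() + ": " + r.getMessage()));
        captureSystemErr(Logger.getLogger("stderr"));
        System.err.println("printed to System.err");                  // forwarded to the listener as well
    }
}
```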
  • Gerd Wagner

    Gerd Wagner - 2022-02-19

    There will be no upgrade to log4j 2.*. Instead, the dependency on Log4j was dropped.

    Excerpt from our change log:
    Dependency on Log4j (https://logging.apache.org/log4j) was removed.
    SQuirreL uses no Log4j libraries anymore.
    The former command line parameter -l / --log-config-file is obsolete and removed from SQuirreL's start scripts.
    The new optional command line parameter -level / --log-level
    allows specifying the minimum log level to write to <userdir>/logs/.
    Possible levels are ERROR, WARNING, INFO, DEBUG. The default level is INFO.

    The first snapshot with Log4j dropped is available here:
    https://sourceforge.net/projects/squirrel-sql/files/3-snapshots/snapshot-20220219_0258/

     
  • sfst

    sfst - 2023-02-27

    I understand you kept this open, so other people can find the solution, but now after one year it can be closed?

     
    • Steve Souza

      Steve Souza - 2023-02-27

      Absolutely can be closed. Your solution of moving away from log4j in
      general is totally acceptable. I didn’t realize I had to close it. Is that
      something you want me to do? Or you can certainly feel free to close it.
      Thanks for your help.


  • sfst

    sfst - 2024-05-19

    Time is passing fast :-)
    Another year has passed, so maybe it no longer needs to be kept open? ;-)

     
  • Steve Souza

    Steve Souza - 2024-05-20

    I don't know how to close it, so it is probably for the squirrel admin to resolve, though I opened it and it was resolved to my satisfaction.

     
  • Gerd Wagner

    Gerd Wagner - 2024-05-20
    • status: open --> closed
     
  • Gerd Wagner

    Gerd Wagner - 2024-05-20

    Closed on user request

     
