
[Bug] Remove dependency on rocketmq-slf4j-api #9127

Open
@ppkarwasz

Description

Before Creating the Bug Report

  • I found a bug, not just asking a question, which should be created in GitHub Discussions.

  • I have searched the GitHub Issues and GitHub Discussions of this repository and believe that this is not a duplicate.

  • I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.

Runtime platform environment

All

RocketMQ version

branch: develop

JDK Version

No response

Describe the Bug

Many RocketMQ artifacts depend on repackaged versions of SLF4J and Logback:

This is IMHO a very bad idea, since:

  • It introduces yet another logging API that users need to forward to their logging implementation.
  • Naïve implementations of bridges between logging APIs have a tendency to lose location information (class, method and line number). io.github.aliyunmq:rocketmq-slf4j-api-bridge is not an exception and loses location information.
  • Using those dependencies introduces an additional entity to the RocketMQ supply chain: the aliyun.mq project. I am aware of the fact that aliyun.mq is mostly composed of members of the RocketMQ PMC, but it is still an independent project and is not covered by the ASF rules and the Apache Security Team. This will cause a problem with the CRA and similar regulations.
  • The rocketmq-logback-classic artifact is basically subject to the same vulnerabilities as logback-classic, but I don't see any CVE being issued against that artifact (Logback published 7 CVEs in 2023 and 2024).

Steps to Reproduce

You can see the problem by searching the pom.xml files for the artifacts mentioned above.

What Did You Expect to See?

I would expect:

  • All the RocketMQ artifacts to depend on org.slf4j:slf4j-api or another established logging API. (Note that the openrewrite/rewrite-logging-frameworks project contains rules to rewrite SLF4J to any other logging API, so the choice of logging API is not really binding).
  • Additionally the rocketmq-distribution artifact should have a runtime dependency on ch.qos.logback:logback-classic.
  • No other RocketMQ artifact should have a runtime dependency on Logback (see rocketmq-tools should not depend on logback-classic #5347). If Logback is used by the tests, it should be in the test scope.

What Did You See Instead?

All RocketMQ artifacts depend on the custom io.github.aliyunmq:rocketmq-slf4j-api logging API. Some of them depend on io.github.aliyunmq:rocketmq-logback-classic or io.github.aliyunmq:rocketmq-slf4j-api-bridge.

Additional Context

No response
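The expectations above (no io.github.aliyunmq logging artifacts, org.slf4j:slf4j-api as the API, logback-classic only at runtime scope in rocketmq-distribution and at test scope everywhere else) can be turned into a repeatable audit over a module's pom.xml. The following is an added example written for this page, not RocketMQ project code or a tool the issue author proposes; the policy constants, the `audit_pom` function and the three sample poms are constructed for illustration.

```python
"""Audit Maven pom.xml files against the logging-dependency rules stated in the issue.

Added example (not RocketMQ project code).  The policy below is an assumption
derived from the issue text, and the sample poms at the bottom are constructed.
"""
import xml.etree.ElementTree as ET

# Policy (assumed from the issue, not from any project configuration).
BANNED_GROUP = "io.github.aliyunmq"          # repackaged SLF4J / Logback
PREFERRED_API = ("org.slf4j", "slf4j-api")   # the established logging API
LOGBACK = ("ch.qos.logback", "logback-classic")
DISTRIBUTION_ARTIFACT = "rocketmq-distribution"  # the only module that may ship Logback


def _ns_of(root):
    """Maven poms usually carry the POM 4.0.0 namespace, but some omit it; handle both."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _text(elem, ns, tag, default=""):
    child = elem.find(ns + tag)
    return child.text.strip() if child is not None and child.text else default


def parse_pom(xml_text):
    """Return (artifactId, [(groupId, artifactId, scope), ...]) for one pom.

    Only the module's own <dependencies> block is read; <dependencyManagement>
    entries do not add dependencies by themselves, so they are ignored here.
    """
    root = ET.fromstring(xml_text)
    ns = _ns_of(root)
    artifact = _text(root, ns, "artifactId")
    deps = []
    deps_elem = root.find(ns + "dependencies")
    if deps_elem is not None:
        for dep in deps_elem.findall(ns + "dependency"):
            deps.append((_text(dep, ns, "groupId"),
                         _text(dep, ns, "artifactId"),
                         _text(dep, ns, "scope", "compile")))  # Maven default scope
    return artifact, deps


def audit_pom(xml_text):
    """Return a list of findings for one pom; an empty list means it complies."""
    artifact, deps = parse_pom(xml_text)
    findings = []
    has_slf4j = any((g, a) == PREFERRED_API for g, a, _ in deps)
    banned = [(g, a, s) for g, a, s in deps if g == BANNED_GROUP]
    for g, a, s in banned:
        findings.append(f"{artifact}: depends on repackaged {g}:{a} (scope {s})")
    if banned and not has_slf4j:
        findings.append(f"{artifact}: replaces a repackaged API but declares no "
                        f"{PREFERRED_API[0]}:{PREFERRED_API[1]}")
    for g, a, s in deps:
        if (g, a) != LOGBACK:
            continue
        if artifact == DISTRIBUTION_ARTIFACT:
            if s != "runtime":
                findings.append(f"{artifact}: logback-classic should be runtime scope, is {s}")
        elif s != "test":
            findings.append(f"{artifact}: logback-classic allowed only in test scope here, is {s}")
    return findings


def audit_all(poms):
    """Map each pom to its findings; a module auditor would feed every pom.xml in the tree."""
    return {parse_pom(p)[0]: audit_pom(p) for p in poms}


# Constructed sample poms (not real RocketMQ poms).
TOOLS_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>rocketmq-tools</artifactId>
  <dependencies>
    <dependency><groupId>io.github.aliyunmq</groupId><artifactId>rocketmq-slf4j-api</artifactId></dependency>
    <dependency><groupId>io.github.aliyunmq</groupId><artifactId>rocketmq-logback-classic</artifactId></dependency>
  </dependencies>
</project>"""

DISTRIBUTION_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>rocketmq-distribution</artifactId>
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId><scope>runtime</scope></dependency>
  </dependencies>
</project>"""

# A pom without the namespace declaration, with Logback leaking into compile scope.
CLIENT_POM = """<project>
  <artifactId>rocketmq-client</artifactId>
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for module, findings in audit_all([TOOLS_POM, DISTRIBUTION_POM, CLIENT_POM]).items():
        print(module, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Running it over a checkout would mean globbing every `pom.xml` and passing the file contents to `audit_all`; the same rules could also be enforced at build time with the Maven Enforcer plugin's `bannedDependencies` rule, which this script does not replace.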
