Upgrade Log4j and Harden Annotation Processing #207
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR makes the following changes: * Upgrades Log4j to version `2.25.0`. * Hardens annotation processing in response to the [JDK 23 change in default annotation processing policy](https://inside.java/2024/06/18/quality-heads-up/), which deprecates implicit annotation processor discovery. This change has been backported to earlier JDKs as well. ### Key Improvements: * Annotation processing is now disabled by default (`<proc>none</proc>`) to ensure only explicitly declared processors are run — a best practice that improves build predictability and mitigates supply chain risks ([background](https://javapro.io/2024/11/19/discovering-the-perfect-java-supply-chain-attack-vector-and-how-it-got-fixed/)). * The `pdfbox-debugger` module is now explicitly compiled using: * `PluginProcessor` to generate the `Log4j2Plugins.dat` descriptor. * The new `GraalVmProcessor` to generate GraalVM reachability metadata. * Both processors are declared explicitly along with the required compiler arguments: ```text -Alog4j.graalvm.groupId=${project.groupId} -Alog4j.graalvm.artifactId=${project.artifactId} ``` This avoids build failures introduced by `GraalVmProcessor` when those parameters are missing. ### Why This Matters: Log4j 2.25.0 introduces stricter behavior for `GraalVmProcessor`, which fails with an error if required options aren't set. Combined with changes to how annotation processors are discovered in JDK 23+, these updates ensure that: * Build behavior is explicit and secure. * The `DebugLogAppender` remains compatible with ahead-of-time compilation tools like GraalVM. * The project is future-proofed against evolving Java defaults and security posture.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR makes the following changes:
2.25.0.Key Improvements:
Annotation processing is now disabled by default (
<proc>none</proc>) to ensure only explicitly declared processors are run — a best practice that improves build predictability and mitigates supply chain risks (background).The
pdfbox-debuggermodule is now explicitly compiled using:PluginProcessorto generate theLog4j2Plugins.datdescriptor.GraalVmProcessorto generate GraalVM reachability metadata.Both processors are declared explicitly along with the required compiler arguments:
This avoids build failures introduced by
GraalVmProcessorwhen those parameters are missing.Why This Matters:
Log4j 2.25.0 introduces stricter behavior for
GraalVmProcessor, which fails with an error if required options aren't set. Combined with changes to how annotation processors are discovered in JDK 23+, these updates ensure that:DebugLogAppenderremains compatible with ahead-of-time compilation tools like GraalVM.