Clear test-fixture CVE Dependabot alerts: drop log4j 1.x + modernize Go fixtures #13915
Merged
log4j:log4j 1.2.17 is end-of-life; one of its Dependabot alerts has NO patched version. The e2e provider already exercises log-to-OAP through log4j2 (apm-toolkit-log4j-2.x, GRPCLogClientAppender in log4j2.xml) and logback in parallel, so dropping the log4j 1.x path keeps log-reporting coverage.
- pom: remove log4j:log4j + apm-toolkit-log4j-1.x deps and the log4j.version property
- LogController/FileLogController: remove the log4j 1.x logger; the log4j2 logger now imports org.apache.logging.log4j.Logger and uses the short name
- delete log4j.properties (log4j 1.x only)
- kafka/log filebeat+fluentd expected files: drop the log4j-1.x fileLogger items (collector path globs /tmp/skywalking-logs/*/, so no collector-config change)
…/protobuf)
The go/service and profiling/ebpf/network fixtures pinned vulnerable
grpc/golang.org-x/protobuf versions whose patched releases require Go >= 1.23.
go/service (skywalking-go agent fixture):
- go.mod: go 1.24; x/crypto 0.46, x/net 0.48, grpc 1.79.3, protobuf 1.36.10
- Dockerfile base image -go1.19 -> -go1.24
- script/env: SW_AGENT_GO_COMMIT -> 19a9fa9 (the skywalking-go commit that ships
the go1.24 images; the older go1.19 images were dropped). All 5 shared go cases
(go/service, profiling/trace/go, pprof/{mysql,es,banyandb}) build from this one
Dockerfile, so they all move to go1.24.
profiling/ebpf/network: migrate the service off the legacy go2sky SDK to the
skywalking-go toolchain agent (auto-instruments net/http server+client):
- service.go: drop go2sky manual tracer/exit-span; blank-import skywalking-go
- go.mod: skywalking-go deps (go2sky removed); grpc 1.79.3, protobuf 1.36.10, x/net 0.48
- Dockerfile.service: golang:1.17 -> skywalking-go -go1.24 -toolexec build
- service.yaml: OAP_BACKEND_ADDR -> SW_AGENT_NAME + SW_AGENT_REPORTER_GRPC_BACKEND_SERVICE
- expected/skywalking-trace.yml: app exit span is now auto-instrumented
(GET:/provider, GoHttpClient, layer Http, peer proxy, http tags, spanid 1/parent 0),
derived from the skywalking-go net/http plugin. The eBPF sampled-record name
(skywalking-<path>) is network-derived and unchanged, so the verify query and the
4xx/5xx expectations are untouched. Validated locally for compile + toolexec
instrumentation; the eBPF trace assertion is validated by the kind/rover CI.
The migrated Dockerfile placed the binary at /service, but expected/process.yml asserts the process command_line is /service/service (the original path). Restore it so the eBPF process-discovery verify matches.
…e2e hang) #13913 bumped logback-classic to 1.2.13, but Spring Boot's dependency management held logback-core at 1.2.6. logback-classic 1.2.13's ThrowableProxy calls OptionHelper.isNotEmtpy(), which only exists in logback-core 1.2.13, so logging ANY exception threw NoSuchMethodError and killed the Tomcat request thread. The Agent Lua e2e trigger (POST /nginx/entry/info) hits an exception-logging path: its first request died with no response, so the e2e HTTP trigger blocked until the 60-min job timeout -- the long-mysterious 'environmental' lua hang. Other cases (and local runs) passed only because they never logged an exception. Pin logback-core to ${logback.version} (1.2.13). Verified: OptionHelper.isNotEmtpy is absent in logback-core 1.2.6, present in 1.2.13.
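The skew the commit above describes (logback-classic bumped while logback-core stays at the parent-managed version) can be caught before a NoSuchMethodError ever reaches a request thread by comparing the resolved versions of artifacts that must move in lock-step. The shell function below is an added example, not code from this PR or the SkyWalking repository: it scans `mvn dependency:tree` output for any listed groupId whose artifacts resolve to more than one version. The `org.example` coordinates and the tree lines are constructed sample input, and the function name `report_skew` and the choice of `ch.qos.logback` as a lock-step group are assumptions of this example.

```shell
# Constructed sample of `mvn dependency:tree` output (not taken from the PR): logback-classic
# was bumped, but logback-core still resolves to the version managed by the Spring Boot parent.
SKEWED_TREE='[INFO] org.example:e2e-service-provider:jar:1.0.0
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.13:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.6:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile'

# The same constructed tree after logback-core is pinned to the same version as logback-classic.
FIXED_TREE='[INFO] org.example:e2e-service-provider:jar:1.0.0
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.13:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.13:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile'

# report_skew GROUPID...
# Reads dependency:tree text on stdin. For every groupId given, collects the distinct versions
# its artifacts resolve to, prints each group that resolves to more than one version, and
# returns 1 if any such skew exists (0 otherwise). Groups that are not listed are ignored.
report_skew() {
  awk -v groups="$*" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
    {
      # Maven coordinates in the tree look like group:artifact:type:version[:scope]
      for (i = 1; i <= NF; i++) {
        if (split($i, c, ":") >= 4 && (c[1] in want))
          arts[c[1], c[4]] = arts[c[1], c[4]] " " c[2]
      }
    }
    END {
      skew = 0
      # one key per (group, version) pair, so the count per group is its number of versions
      for (key in arts) { split(key, k, SUBSEP); versions[k[1]]++ }
      for (grp in versions) {
        if (versions[grp] < 2) continue
        skew = 1
        printf "version skew in %s:", grp
        for (key in arts) {
          split(key, k, SUBSEP)
          if (k[1] == grp) printf " %s ->%s;", k[2], arts[key]
        }
        printf "\n"
      }
      exit skew
    }'
}

# Stand-alone run: the skewed tree is reported, the fixed tree passes.
printf '%s\n' "$SKEWED_TREE" | report_skew ch.qos.logback || echo "skew found (exit $?)"
printf '%s\n' "$FIXED_TREE" | report_skew ch.qos.logback && echo "no skew in fixed tree"
```

In CI this would run as `mvn dependency:tree | report_skew ch.qos.logback` (assuming the build uses Maven with the dependency plugin available) and fail the job on a non-zero exit; the same function applies to any group whose artifacts must share one version, which is the general case the logback-classic/logback-core split illustrates.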
wankai123 approved these changes on Jun 18, 2026
Clear test-scope CVE Dependabot alerts (log4j 1.x + Go e2e fixtures)
Follow-up to #13913. Clears ~18 of the remaining open Dependabot alerts, all in e2e test fixtures (no production code).

log4j 1.x (e2e-service-provider, 2 alerts; log4j 1.x is EOL, one CVE has no patched release): log4j:log4j 1.2.17 + apm-toolkit-log4j-1.x and log4j.properties. The provider already exercises log-to-OAP through log4j2 (apm-toolkit-log4j-2.x, grpc appender) and logback in parallel, so log-reporting coverage is preserved. The log4j2 loggers now use the imported org.apache.logging.log4j.Logger (no inline FQCN). Dropped the log4j-1.x fileLogger items from the filebeat/fluentd expected files.

Go fixtures (grpc / golang.org/x/net / x/crypto / protobuf, ~16 alerts; the patched releases require Go ≥ 1.23):
- cases/go/service: go 1.24; x/crypto 0.46, x/net 0.48, grpc 1.79.3, protobuf 1.36.10; Dockerfile base -go1.19 → -go1.24. SW_AGENT_GO_COMMIT → 19a9fa9 (the skywalking-go commit that ships the go1.24 images; go1.19 images were dropped). All 5 shared go cases (go/service, profiling/trace/go, pprof/{mysql,es,banyandb}) build from this one Dockerfile.
- cases/profiling/ebpf/network: migrated off the legacy go2sky SDK to the skywalking-go toolchain agent (auto-instruments net/http server+client). The app exit span is now auto-instrumented (GET:/provider, GoHttpClient, layer Http, peer proxy, http tags, spanid 1/parent 0); expected/skywalking-trace.yml updated, derived from the skywalking-go net/http plugin. The eBPF sampled-record name (skywalking-<path>) is network-derived and unchanged, so the verify query and the 4xx/5xx expectations are untouched.

Not in this PR (separate follow-ups):
- okhttp 3.14.9 in oap-server-bom: the only production-scope alert; pulled transitively by the Kubernetes client, so the real fix is a k8s-client bump.
- protobuf in airflow/mock/requirements-replay.txt: needs an opentelemetry-proto bump too (it pins protobuf<5).

Validation
- Java provider compiles; the fat jar bundles only log4j2 (log4j-api/core + apm-toolkit-log4j-2.x), zero log4j 1.x.
- Both Go fixtures build locally with the skywalking-go -toolexec agent (go1.24 + grpc 1.79.3).
- The ebpf/network trace assertion is derived from the skywalking-go plugin code; end-to-end behavior is validated by the kind/rover eBPF e2e in CI (not locally runnable).
- Update the CHANGES log: N/A, test-fixture/CI only (not user-facing).