Re: [jts-dev] [EXTERNAL] Re: Modify JTS Core to use a logging framework
  • From: "Bryant, Phil L." <Phillip.L.Bryant@xxxxxxxx>
  • Date: Wed, 30 Mar 2022 23:05:45 +0000

While I’m hopeful the following changes can be merged into a future release, I certainly understand if it goes against the JTS design and the PR is rejected.

 

I replaced dozens - if not hundreds - of calls to System.out and System.err with calls to a logger.  I also removed several calls that print stacktraces (which, personally, I’d prefer to keep, but we are required to remove them as they are declared to expose vulnerabilities).

 

I didn’t take the time to consider all of the uses for the System.out/err calls (tests, etc.).  I just replaced them with calls to the SLF4J logger – mostly info level unless it was an obvious error such as in catch blocks, so they will work with the “simple” logging implementation I added, with test scope, in an attempt to minimize any changes to the way things operate now.

 

I also “fixed” a vulnerability Fortify reported in org.locationtech.jts.io.gml2.GeometryStrategies. 

 

I’ll work to get these changes into a pull request tomorrow for review.  I’m leaving in the logger calls for our requirements.  Again, I understand if it goes against design and the PR is rejected.

 

Much obliged for all comments thus far.

 

Phil Bryant

Senior Principal  Software Engineer

SAIC Inc.

5021 Bradford Drive

Huntsville, Alabama 35806

Phillip.L.Bryant@xxxxxxxx

phillip.l.bryant4.ctr@xxxxxxxx
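
A source-level check for the calls this thread is about (System.out, System.err and printStackTrace(), with the Debug class allowed), as an added example that is not part of the original messages or of the JTS code base. It is a regex pass that ignores comments and literals, not a replacement for the Fortify analysis; the file names and sample sources are constructed.

```python
import re

# Calls named in the thread: console output and stack-trace printing.
PATTERNS = {
    "System.out": re.compile(r"\bSystem\s*\.\s*out\b"),
    "System.err": re.compile(r"\bSystem\s*\.\s*err\b"),
    "printStackTrace": re.compile(r"\.\s*printStackTrace\s*\("),
}
# String literals, char literals, line comments and block comments.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'
    r"|'(?:\\.|[^'\\])*'"
    r"|//[^\n]*"
    r"|/\*.*?\*/",
    re.DOTALL,
)

def blank_non_code(src):
    """Blank out comments and literals, keeping newlines so line numbers hold."""
    return _TOKEN.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def scan(files, allow=("Debug.java",)):
    """files maps path -> Java source. Returns sorted (path, line, kind) findings."""
    findings = []
    for path, src in files.items():
        if path.rsplit("/", 1)[-1] in allow:  # the Debug class is exempt
            continue
        for lineno, line in enumerate(blank_non_code(src).split("\n"), 1):
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((path, lineno, kind))
    return sorted(findings)

# Constructed sample sources (hypothetical files, not taken from JTS).
SAMPLE = {
    "src/Debug.java": "class Debug { void p(String s) { System.out.println(s); } }\n",
    "src/Reader.java": (
        "class Reader {\n"
        "  // System.out.println appears only in this comment\n"
        '  String hint = "use System.err for errors";\n'
        "  void read() {\n"
        "    try { parse(); } catch (Exception e) { e.printStackTrace(); }\n"
        '    System.err.println("done");\n'
        "  }\n}\n"
    ),
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Java text blocks (`"""`) are not handled by the literal pattern, so a tree that uses them needs a real parser.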

 

 

From: jts-dev <jts-dev-bounces@xxxxxxxxxxx> On Behalf Of Martin Davis
Sent: Wednesday, March 30, 2022 5:40 PM
To: JTS project developer mailing list <jts-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [jts-dev] Modify JTS Core to use a logging framework

 


There should be no calls to System.out or System.err in the JTS core (apart from the Debug class).  If you find any they are probably left over from debugging and can be removed (and feel free to request they are removed from the codebase via a PR, GH issue, or email).

 

Also by design JTS doesn't do any logging.  Where do you see that being added?

 

On Wed, Mar 30, 2022 at 9:30 AM Bryant, Phil L. <Phillip.L.Bryant@xxxxxxxx> wrote:

Hello,

 

This is my first time posting to your mailing list, so please excuse any breaches of protocol/decorum.

 

I work on a project that uses JTS Core (thank you for all of your hard work); however, to be permissible for us to use it we must perform a static code analysis on the source code (using Fortify) and mitigate the findings.  This is a time-consuming process and it must be repeated each time we upgrade versions of your software.  This is my first time performing the task for JTS Core.  From what I understand other developers on our team have previously found, most of the findings involve removing calls to System.out, System.err and printing stacktraces (because stacktraces reveal potential vulnerabilities).

 

I am planning to fork the JTS repo and modify it to use a logging framework in lieu of the aforementioned outputs.  I would like to do so in a way that will both benefit the community and that would allow committing those changes so this process will be less time consuming for future upgrades.

 

My proposal is to use the Simple Logging Facade for Java (SLF4J) as doing so allows users of the library to decide the underlying logging framework to use without having to modify the source code and by simply adding the dependency for the chosen framework to the runtime classpath.  It is also my understanding that SLF4J is compatible with Android, so I would not expect using it to impose restrictions for that platform. 

 

I’m looking for feedback so I can provide the most benefit to the community and increase the likelihood the community will accept a pull request with the modifications so they will be included in future releases.  Any feedback will be greatly appreciated.

 

Thanks in advance,

 

Phil Bryant

Senior Principal  Software Engineer

SAIC Inc.

5021 Bradford Drive

Huntsville, Alabama 35806

Phillip.L.Bryant@xxxxxxxx

phillip.l.bryant4.ctr@xxxxxxxx

The information contained in this e-mail and any attachments from Science Applications International Corporation ("SAIC") may contain confidential and/or proprietary information, and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited.   If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the e-mail and any attachments.

_______________________________________________
jts-dev mailing list
jts-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jts-dev
