ContextInitializer in logback-classic version 1.2.9 does not support Groovy config file

Question

Updated to spring-boot-starter-parent 2.6.2 and my application can not start due to following error

Unexpected filename extension of file [file:logback.groovy]. Should be either .groovy or .xml. Looked at source code of mentioned class and found following:

        final String urlString = url.toString();
        if (urlString.endsWith("xml")) {
            JoranConfigurator configurator = new JoranConfigurator();
            configurator.setContext(loggerContext);
            configurator.doConfigure(url);
        } else {
            throw new LogbackException("Unexpected filename extension of file [" + url.toString() + "]. Should be either .groovy or .xml");
        }

So looks like in the latest version they just removed groovy support? Is there any work around besides just moving back to excel configuration? Thanks

score 8 · Accepted Answer · answered Jan 18 '22 at 15:55

There's no workaround. Groovy support was removed in 1.2.9 for security reasons. From the release announcement:

Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons.

This removal, along with some other changes, was done in response to CVE-2021-42550.

score 0 · Answer 2 · answered Oct 05 '22 at 13:10

0

As mentionend in https://stackoverflow.com/a/71554807/9066300 downgrading to logback 1.2.7 may be an workaround if you can mitigate the risk of the CVE mentioned in the accepted answer.

answered Oct 05 '22 at 13:10

Mihael Koep

21
1

ContextInitializer in logback-classic version 1.2.9 does not support Groovy config file

2 Answers2