Merge pull request #126 from vitruv-tools/125-deserialization-of-untr…

…usted-data-in-log4j-5

fixed the log4j security issues

.gitignore

@@ -10,3 +10,9 @@ target/
 META-INF
 build.properties
 plugin.properties
+
+# Generated Files
+**/src-gen/*
+**/xtend-gen/*
+.settings
+**/*.java._trace

atomic/pom.xml

@@ -58,8 +58,8 @@
 
     <!-- external compile dependencies -->
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
     <dependency>
       <groupId>com.google.guava</groupId>

atomic/src/main/java/tools/vitruv/change/atomic/uuid/UuidResolverImpl.java

@@ -13,8 +13,9 @@
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
+import org.apache.logging.log4j.LogManager;
 
-import org.apache.log4j.Logger;
+import org.apache.logging.log4j.Logger;
 import org.eclipse.emf.common.util.URI;
 import org.eclipse.emf.ecore.EObject;
 import org.eclipse.emf.ecore.InternalEObject;
@@ -30,7 +31,7 @@
 import tools.vitruv.change.atomic.hid.internal.HierarchicalIdResolver;
 
 class UuidResolverImpl implements UuidResolver {
-	static private final Logger LOGGER = Logger.getLogger(UuidResolverImpl.class);
+	static private final Logger LOGGER = LogManager.getLogger(UuidResolverImpl.class);
 	private static final String NON_READONLY_PREFIX = "ord_";
 
 	private static final String SERIALIZATION_SEPARATOR = "|";

atomic/src/main/xtend/tools/vitruv/change/atomic/command/internal/ApplyBackwardCommandSwitch.xtend

@@ -2,7 +2,8 @@ package tools.vitruv.change.atomic.command.internal
 
 import edu.kit.ipd.sdq.activextendannotations.Utility
 import java.util.List
-import org.apache.log4j.Logger
+import org.apache.logging.log4j.Logger
+import org.apache.logging.log4j.LogManager
 import org.eclipse.emf.common.command.Command
 import org.eclipse.emf.ecore.EObject
 import org.eclipse.emf.edit.command.AddCommand
@@ -31,7 +32,7 @@ import static extension tools.vitruv.change.atomic.command.internal.ChangeComman
  */
 @Utility
 package class ApplyBackwardCommandSwitch {
-	static val Logger logger = Logger.getLogger(ApplyBackwardCommandSwitch)
+	static val Logger logger = LogManager.getLogger(ApplyBackwardCommandSwitch)
 
 	def package dispatch static List<Command> getCommands(EChange<EObject> change) {
 		#[]

atomic/src/main/xtend/tools/vitruv/change/atomic/command/internal/ApplyForwardCommandSwitch.xtend

@@ -2,7 +2,8 @@ package tools.vitruv.change.atomic.command.internal
 
 import edu.kit.ipd.sdq.activextendannotations.Utility
 import java.util.List
-import org.apache.log4j.Logger
+import org.apache.logging.log4j.Logger
+import org.apache.logging.log4j.LogManager
 import org.eclipse.emf.common.command.Command
 import org.eclipse.emf.ecore.EObject
 import org.eclipse.emf.edit.command.AddCommand
@@ -30,7 +31,7 @@ import static extension tools.vitruv.change.atomic.command.internal.ChangeComman
  */
 @Utility
 package class ApplyForwardCommandSwitch {
-	static val Logger logger = Logger.getLogger(ApplyForwardCommandSwitch)
+	static val Logger logger = LogManager.getLogger(ApplyForwardCommandSwitch)
 
 	def package dispatch static List<Command> getCommands(EChange<EObject> change) {
 		#[]

atomic/src/main/xtend/tools/vitruv/change/atomic/hid/internal/HierarchicalIdResolverImpl.xtend

@@ -3,7 +3,8 @@ package tools.vitruv.change.atomic.hid.internal
 import com.google.common.collect.BiMap
 import com.google.common.collect.HashBiMap
 import java.util.PriorityQueue
-import org.apache.log4j.Logger
+import org.apache.logging.log4j.Logger
+import org.apache.logging.log4j.LogManager
 import org.eclipse.emf.common.util.URI
 import org.eclipse.emf.ecore.EObject
 import org.eclipse.emf.ecore.resource.ResourceSet
@@ -20,7 +21,7 @@ import static extension tools.vitruv.change.atomic.hid.ObjectResolutionUtil.getH
  * {@link HierarchicalIdResolver}
  */
 class HierarchicalIdResolverImpl implements HierarchicalIdResolver {
-	static val logger = Logger.getLogger(HierarchicalIdResolverImpl)
+	static val logger = LogManager.getLogger(HierarchicalIdResolverImpl)
 	static val CACHE_PREFIX = "cache:/"
 
 	val ResourceSet resourceSet

correspondence/pom.xml

@@ -62,8 +62,8 @@
       <artifactId>guava</artifactId>
     </dependency>
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
     <dependency>
       <groupId>org.eclipse.emf</groupId>

correspondence/src/main/java/tools/vitruv/change/correspondence/model/PersistableCorrespondenceModelImpl.java

@@ -12,7 +12,8 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import org.apache.log4j.Logger;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import org.eclipse.emf.common.util.URI;
 import org.eclipse.emf.ecore.EClass;
 import org.eclipse.emf.ecore.EObject;
@@ -26,7 +27,7 @@
 import tools.vitruv.change.correspondence.Correspondences;
 
 class PersistableCorrespondenceModelImpl implements PersistableCorrespondenceModel {
-	private static final Logger logger = Logger.getLogger(PersistableCorrespondenceModelImpl.class);
+	private static final Logger logger = LogManager.getLogger(PersistableCorrespondenceModelImpl.class);
 	private final Correspondences correspondences;
 	private final Resource correspondencesResource;
 
@@ -42,8 +43,10 @@ public PersistableCorrespondenceModelImpl(URI resourceUri) {
 
 	@Override
 	public void loadSerializedCorrespondences(ResourceSet resolveIn) {
-		checkState(correspondencesResource != null, "Correspondences resource must be specified to load existing correspondences");
-		Resource loadedResource = loadOrCreateResource(withGlobalFactories(new ResourceSetImpl()), correspondencesResource.getURI());
+		checkState(correspondencesResource != null,
+				"Correspondences resource must be specified to load existing correspondences");
+		Resource loadedResource = loadOrCreateResource(withGlobalFactories(new ResourceSetImpl()),
+				correspondencesResource.getURI());
 		if (!loadedResource.getContents().isEmpty()) {
 			Correspondences loadedCorrespondences = (Correspondences) loadedResource.getContents().get(0);
 			for (Correspondence correspondence : loadedCorrespondences.getCorrespondences()) {
@@ -62,9 +65,11 @@ private static void replace(List<EObject> originalList, List<EObject> elementsTo
 	}
 
 	private static List<EObject> resolve(List<EObject> eObjects, ResourceSet resolveIn) {
-		List<EObject> resolvedEObjects = eObjects.stream().map(eObject -> EcoreUtil.resolve(eObject, resolveIn)).toList();
+		List<EObject> resolvedEObjects = eObjects.stream().map(eObject -> EcoreUtil.resolve(eObject, resolveIn))
+				.toList();
 		for (EObject resolvedEObject : resolvedEObjects) {
-			checkState(!resolvedEObject.eIsProxy(), "object %s is referenced in correspondence but could not be resolved", resolvedEObject);
+			checkState(!resolvedEObject.eIsProxy(),
+					"object %s is referenced in correspondence but could not be resolved", resolvedEObject);
 		}
 		return resolvedEObjects;
 	}
@@ -81,7 +86,8 @@ public void save() {
 	}
 
 	@Override
-	public <C extends Correspondence> C addCorrespondenceBetween(List<EObject> firstEObjects, List<EObject> secondEObjects, String tag,
+	public <C extends Correspondence> C addCorrespondenceBetween(List<EObject> firstEObjects,
+			List<EObject> secondEObjects, String tag,
 			Supplier<C> correspondenceCreator) {
 		C correspondence = correspondenceCreator.get();
 		correspondence.getLeftEObjects().addAll(firstEObjects);
@@ -102,67 +108,82 @@ private void removeCorrespondencesForRemovedElements() {
 								|| element.getRightEObjects().stream().allMatch(this::isNotInManagedResource),
 						"Correspondence between %s and %s contains elements %s that are not contained in a resource anymore.",
 						element.getLeftEObjects(), element.getRightEObjects(),
-						Stream.concat(element.getLeftEObjects().stream(), element.getRightEObjects().stream()).filter(this::isNotInManagedResource)
+						Stream.concat(element.getLeftEObjects().stream(), element.getRightEObjects().stream())
+								.filter(this::isNotInManagedResource)
 								.toList());
 				iterator.remove();
 				if (logger.isTraceEnabled()) {
-					logger.trace("Correspondence between " + element.getLeftEObjects() + " and " + element.getRightEObjects()
-							+ " has been removed as all its elements have been removed from resources.");
+					logger.trace(
+							"Correspondence between " + element.getLeftEObjects() + " and " + element.getRightEObjects()
+									+ " has been removed as all its elements have been removed from resources.");
 				}
 			}
 		}
 	}
 
 	private boolean isNotInManagedResource(EObject object) {
-		return !(object instanceof EClass) && (object.eResource() == null || object.eResource().getResourceSet() == null);
+		return !(object instanceof EClass)
+				&& (object.eResource() == null || object.eResource().getResourceSet() == null);
 	}
 
 	private void removeCorrespondence(Correspondence correspondence) {
 		EcoreUtil.remove(correspondence);
 	}
 
 	@Override
-	public <C extends Correspondence> Set<C> removeCorrespondencesBetween(Class<C> correspondenceType, List<EObject> aEObjects,
+	public <C extends Correspondence> Set<C> removeCorrespondencesBetween(Class<C> correspondenceType,
+			List<EObject> aEObjects,
 			List<EObject> bEObjects, String tag) {
 		Set<Correspondence> correspondencesBetween = getCorrespondencesBetween(aEObjects, bEObjects);
-		Set<C> correspondencesToRemove = filterCorrespondenceTypeAndTag(correspondencesBetween, correspondenceType, tag);
+		Set<C> correspondencesToRemove = filterCorrespondenceTypeAndTag(correspondencesBetween, correspondenceType,
+				tag);
 		correspondencesToRemove.stream().forEach(this::removeCorrespondence);
 		return correspondencesToRemove;
 	}
 
-	private <C extends Correspondence> Set<C> filterCorrespondenceTypeAndTag(Set<Correspondence> original, Class<C> filteredType,
+	private <C extends Correspondence> Set<C> filterCorrespondenceTypeAndTag(Set<Correspondence> original,
+			Class<C> filteredType,
 			String expectedTag) {
 		return original.stream().filter(filteredType::isInstance).map(filteredType::cast)
-				.filter(correspondence -> expectedTag == null || expectedTag.equals(correspondence.getTag())).collect(Collectors.toSet());
+				.filter(correspondence -> expectedTag == null || expectedTag.equals(correspondence.getTag()))
+				.collect(Collectors.toSet());
 	}
 
 	private Set<Correspondence> getCorrespondences(List<EObject> eObjects) {
-		return this.correspondences.getCorrespondences().stream().filter(correspondence -> isEitherSideOfCorrespondence(correspondence, eObjects))
+		return this.correspondences.getCorrespondences().stream()
+				.filter(correspondence -> isEitherSideOfCorrespondence(correspondence, eObjects))
 				.collect(Collectors.toSet());
 	}
 
 	private Set<Correspondence> getCorrespondencesBetween(List<EObject> firstEObjects, List<EObject> secondEObjects) {
 		return this.correspondences.getCorrespondences().stream()
 				.filter(correspondence -> isEitherSideOfCorrespondence(correspondence, firstEObjects)
 						&& isEitherSideOfCorrespondence(correspondence, secondEObjects)
-						&& (!firstEObjects.equals(secondEObjects) || correspondence.getLeftEObjects().equals(correspondence.getRightEObjects())))
+						&& (!firstEObjects.equals(secondEObjects)
+								|| correspondence.getLeftEObjects().equals(correspondence.getRightEObjects())))
 				.collect(Collectors.toSet());
 	}
 
 	private boolean isEitherSideOfCorrespondence(Correspondence correspondence, List<EObject> elementsToBeEitherSide) {
-		return elementsToBeEitherSide.equals(correspondence.getLeftEObjects()) || elementsToBeEitherSide.equals(correspondence.getRightEObjects());
+		return elementsToBeEitherSide.equals(correspondence.getLeftEObjects())
+				|| elementsToBeEitherSide.equals(correspondence.getRightEObjects());
 	}
 
 	@Override
-	public Set<List<EObject>> getCorrespondingEObjects(Class<? extends Correspondence> correspondenceType, List<EObject> eObjects, String tag) {
+	public Set<List<EObject>> getCorrespondingEObjects(Class<? extends Correspondence> correspondenceType,
+			List<EObject> eObjects, String tag) {
 		Set<Correspondence> objectsCorrespondences = getCorrespondences(eObjects);
-		Set<? extends Correspondence> properlyTaggedAndTypedCorrespondences = filterCorrespondenceTypeAndTag(objectsCorrespondences,
+		Set<? extends Correspondence> properlyTaggedAndTypedCorrespondences = filterCorrespondenceTypeAndTag(
+				objectsCorrespondences,
 				correspondenceType, tag);
 		return mapToCorrespondingEObjects(properlyTaggedAndTypedCorrespondences, eObjects);
 	}
 
-	private Set<List<EObject>> mapToCorrespondingEObjects(Set<? extends Correspondence> correspondences, List<EObject> originalEObjects) {
-		return correspondences.stream().map(correspondence -> getCorrespondingEObjects(correspondence, originalEObjects)).collect(Collectors.toSet());
+	private Set<List<EObject>> mapToCorrespondingEObjects(Set<? extends Correspondence> correspondences,
+			List<EObject> originalEObjects) {
+		return correspondences.stream()
+				.map(correspondence -> getCorrespondingEObjects(correspondence, originalEObjects))
+				.collect(Collectors.toSet());
 	}
 
 	private List<EObject> getCorrespondingEObjects(Correspondence correspondence, List<EObject> eObjects) {

correspondence/src/test/xtend/tools/vitruv/change/correspondence/CorrespondenceTest.xtend

@@ -3,7 +3,8 @@ package tools.vitruv.change.correspondence
 import java.nio.file.Path
 import java.util.List
 import java.util.Set
-import org.apache.log4j.Logger
+import org.apache.logging.log4j.Logger
+import org.apache.logging.log4j.LogManager
 import org.eclipse.emf.common.util.URI
 import org.eclipse.emf.ecore.EObject
 import org.eclipse.emf.ecore.util.EcoreUtil
@@ -35,7 +36,7 @@ import static extension edu.kit.ipd.sdq.commons.util.org.eclipse.emf.ecore.resou
 
 @ExtendWith(TestProjectManager, TestLogging, RegisterMetamodelsInStandalone)
 class CorrespondenceTest {
-	static val Logger LOGGER = Logger.getLogger(CorrespondenceTest)
+	static val Logger LOGGER = LogManager.getLogger(CorrespondenceTest)
 	static val CORRESPONDENCE_MODEL_NAME = "correspondence.correspondence"
 	var ResourceSet testResourceSet
 

interaction/pom.xml

@@ -43,8 +43,8 @@
       <artifactId>guava</artifactId>
     </dependency>
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
     <dependency>
       <groupId>org.eclipse.emf</groupId>

interaction/src/main/xtend/tools/vitruv/change/interaction/impl/ThinktimeSimulatingInteractionResultProvider.xtend

@@ -1,6 +1,7 @@
 package tools.vitruv.change.interaction.impl
 
-import org.apache.log4j.Logger
+import org.apache.logging.log4j.LogManager
+import org.apache.logging.log4j.Logger
 import java.util.Random
 import tools.vitruv.change.interaction.InteractionResultProvider
 import org.eclipse.xtend.lib.annotations.Delegate
@@ -11,7 +12,7 @@ import org.eclipse.xtend.lib.annotations.Delegate
  * @author Heiko Klare
  */
 class ThinktimeSimulatingInteractionResultProvider implements InteractionResultProvider {
-	static val Logger logger = Logger.getLogger(ThinktimeSimulatingInteractionResultProvider)
+	static val Logger logger = LogManager.getLogger(ThinktimeSimulatingInteractionResultProvider)
 	val Random random = new Random()
 	val int minWaittime
 	val int maxWaittime

pom.xml

@@ -114,9 +114,9 @@
         <version>3.5.3.202212280858</version>
       </dependency>
       <dependency>
-        <groupId>log4j</groupId>
-        <artifactId>log4j</artifactId>
-        <version>1.2.17</version>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-core</artifactId>
+        <version>2.24.3</version>
       </dependency>
       <dependency>
         <groupId>org.eclipse.emf</groupId>

propagation/pom.xml

@@ -68,8 +68,8 @@
       <artifactId>guava</artifactId>
     </dependency>
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
     <dependency>
       <groupId>org.eclipse.emf</groupId>