From 3006f3a36ff67a0dfb4e50577be48883c80eeab6 Mon Sep 17 00:00:00 2001
From: Dan Timoney <dtimoney@att.com>
Date: Thu, 16 Dec 2021 16:25:49 -0500
Subject: [PATCH] Patch OpenDaylight to upgrade to latest pax-logging package

Patch OpenDaylight to replace the shipped version of pax-logging -
which includes log4j-core v2.14.1 - with the latest version, which
includes log4j-core v2.16.0

Issue-ID: CCSDK-3556
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I6728d686f74c9d4b277e388bac62cfa56c23392e
---
 opendaylight/silicon/silicon-alpine/pom.xml        | 39 ++++++++++++
 .../silicon-alpine/src/main/docker/Dockerfile      |  7 ++
 .../main/resources/framework-4.3.2-features.xml    | 74 ++++++++++++++++++++++
 .../src/main/resources/startup.properties          | 24 +++++++
 4 files changed, 144 insertions(+)
 create mode 100755 opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml
 create mode 100755 opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties

diff --git a/opendaylight/silicon/silicon-alpine/pom.xml b/opendaylight/silicon/silicon-alpine/pom.xml
index 7b85371e..029bc829 100644
--- a/opendaylight/silicon/silicon-alpine/pom.xml
+++ b/opendaylight/silicon/silicon-alpine/pom.xml
@@ -22,6 +22,9 @@
         <odl.karaf.artifactId>onap-karaf</odl.karaf.artifactId>
         <odl.shiro.version>0.13.5</odl.shiro.version>
         <odl.ops4j.version>7.3.16</odl.ops4j.version>
+        <odl.pax.logging.version>2.0.9</odl.pax.logging.version>
+        <patch.pax.logging.version>2.0.12</patch.pax.logging.version>
+        <odl.karaf.framework.version>4.3.2</odl.karaf.framework.version>
         <odl.netconf.version>1.13.4</odl.netconf.version>
     </properties>
 
@@ -112,6 +115,22 @@
                                     <destFileName>sal-netconf-connector-${odl.netconf.version}.jar</destFileName>
                                     <excludes>*</excludes>
                                 </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.ops4j.pax.logging</groupId>
+                                    <artifactId>pax-logging-log4j2</artifactId>
+                                    <version>${patch.pax.logging.version}</version>
+                                    <outputDirectory>${project.build.directory}/docker-stage/system/org/ops4j/pax/logging/pax-logging-log4j2/${patch.pax.logging.version}</outputDirectory>
+                                    <destFileName>pax-logging-log4j2-${patch.pax.logging.version}.jar</destFileName>
+                                    <excludes>*</excludes>
+                                </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.ops4j.pax.logging</groupId>
+                                    <artifactId>pax-logging-api</artifactId>
+                                    <version>${patch.pax.logging.version}</version>
+                                    <outputDirectory>${project.build.directory}/docker-stage/system/org/ops4j/pax/logging/pax-logging-api/${patch.pax.logging.version}</outputDirectory>
+                                    <destFileName>pax-logging-api-${patch.pax.logging.version}.jar</destFileName>
+                                    <excludes>*</excludes>
+                                </artifactItem>
                             </artifactItems>
                             <overWriteReleases>false</overWriteReleases>
                             <overWriteSnapshots>true</overWriteSnapshots>
@@ -151,6 +170,26 @@
                             </resources>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>copy-karaf-framework-features</id>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals><!-- here the phase you need -->
+                        <phase>validate</phase>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/docker-stage</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>src/main/resources</directory>
+                                    <includes>
+                                        <include>framework-${odl.karaf.framework.version}-features.xml</include>
+                                        <include>startup.properties</include>
+                                    </includes>
+                                    <filtering>false</filtering>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
                 </executions>
             </plugin>
 
diff --git a/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile b/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile
index 978a0919..b5b3c6da 100644
--- a/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile
+++ b/opendaylight/silicon/silicon-alpine/src/main/docker/Dockerfile
@@ -27,6 +27,13 @@ COPY system $ODL_HOME/system
 #COPY configure_cluster.sh configure-cluster-ipdetect.sh custom_shard_config.txt set_persistence.sh $ODL_HOME/bin/
 #RUN chmod 755 $ODL_HOME/bin/configure_cluster.sh $ODL_HOME/bin/configure-cluster-ipdetect.sh $ODL_HOME/bin/set_persistence.sh $ODL_HOME/bin/custom_shard_config.txt
 
+
+# Remove vulnerable version of ops4j logging
+COPY framework-${odl.karaf.framework.version}-features.xml $ODL_HOME/system/org/apache/karaf/features/framework/${odl.karaf.framework.version}/framework-${odl.karaf.framework.version}-features.xml
+COPY startup.properties $ODL_HOME/etc/startup.properties
+RUN rm -rf $ODL_HOME/system/org/ops4j/pax/logging/pax-logging-log4j2/${odl.pax.logging.version}
+RUN rm -rf $ODL_HOME/system/org/ops4j/pax/logging/pax-logging-api/${odl.pax.logging.version}
+
 # Changing ownership and permission of /opt
 RUN chown -R odl:odl /opt && chmod -R 755 /opt
 
diff --git a/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml b/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml
new file mode 100755
index 00000000..1f283cb1
--- /dev/null
+++ b/opendaylight/silicon/silicon-alpine/src/main/resources/framework-4.3.2-features.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+
+      Licensed to the Apache Software Foundation (ASF) under one or more
+      contributor license agreements.  See the NOTICE file distributed with
+      this work for additional information regarding copyright ownership.
+      The ASF licenses this file to You under the Apache License, Version 2.0
+      (the "License"); you may not use this file except in compliance with
+      the License.  You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+-->
+<features name="framework-4.3.2" xmlns="http://karaf.apache.org/xmlns/features/v1.3.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.3.0 http://karaf.apache.org/xmlns/features/v1.3.0">
+
+    <!-- This file is not used in the assembly., This file is used by the karaf-maven-plugin to generate a "final" feature.xml
+              including the correct start-level for the generation of the startup.propertie file -->
+
+    <feature version="4.3.2" description="Karaf core feature" name="framework" hidden="true">
+        <!-- persistent wiring extension -->
+        <bundle start-level="1">mvn:org.apache.karaf.features/org.apache.karaf.features.extension/4.3.2</bundle>
+        <!-- mvn: url handlers -->
+        <bundle start-level="5">mvn:org.ops4j.pax.url/pax-url-aether/2.6.7</bundle>
+        <!-- logging -->
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-api/2.0.12</bundle>
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.12</bundle>
+        <bundle start-level="8">mvn:org.fusesource.jansi/jansi/1.18</bundle>
+        <!-- config admin -->
+        <bundle start-level="9">mvn:org.osgi/org.osgi.util.function/1.1.0</bundle>
+        <bundle start-level="9">mvn:org.osgi/org.osgi.util.promise/1.1.1</bundle>
+        <bundle start-level="9">mvn:org.apache.felix/org.apache.felix.coordinator/1.0.2</bundle>
+        <bundle start-level="9">mvn:org.apache.felix/org.apache.felix.converter/1.0.14</bundle>
+        <bundle start-level="10">mvn:org.apache.felix/org.apache.felix.configadmin/1.9.22</bundle>
+        <bundle start-level="11">mvn:org.apache.felix/org.apache.felix.configadmin.plugin.interpolation/1.1.2</bundle>
+        <bundle start-level="11">mvn:org.apache.felix/org.apache.felix.cm.json/1.0.6</bundle>
+        <bundle start-level="11">mvn:org.apache.sling/org.apache.sling.commons.johnzon/1.2.6</bundle>
+        <bundle start-level="11">mvn:org.apache.felix/org.apache.felix.configurator/1.0.14</bundle>
+        <!-- file install -->
+        <bundle start-level="12">mvn:org.apache.felix/org.apache.felix.fileinstall/3.6.8</bundle>
+        <!-- features service -->
+        <bundle start-level="15">mvn:org.apache.karaf.features/org.apache.karaf.features.core/4.3.2</bundle>
+        <bundle dependency="true" start-level="30">mvn:org.apache.servicemix.specs/org.apache.servicemix.specs.jaxb-api-2.2/2.9.0</bundle>
+    </feature>
+
+    <feature version="4.3.2" description="Karaf core feature" name="framework-logback" hidden="true">
+        <!-- persistent wiring extension -->
+        <bundle start-level="1">mvn:org.apache.karaf.features/org.apache.karaf.features.extension/4.3.2</bundle>
+        <!-- mvn: url handlers -->
+        <bundle start-level="5">mvn:org.ops4j.pax.url/pax-url-aether/2.6.7</bundle>
+        <!-- logging -->
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-api/2.0.9</bundle>
+        <bundle start-level="8">mvn:org.ops4j.pax.logging/pax-logging-logback/2.0.9</bundle>
+        <!-- config admin -->
+        <bundle start-level="9">mvn:org.osgi/org.osgi.util.function/1.1.0</bundle>
+        <bundle start-level="9">mvn:org.osgi/org.osgi.util.promise/1.1.1</bundle>
+        <bundle start-level="9">mvn:org.apache.felix/org.apache.felix.coordinator/1.0.2</bundle>
+        <bundle start-level="9">mvn:org.apache.felix/org.apache.felix.converter/1.0.14</bundle>
+        <bundle start-level="10">mvn:org.apache.felix/org.apache.felix.configadmin/1.9.22</bundle>
+        <bundle start-level="11">mvn:org.apache.felix/org.apache.felix.configadmin.plugin.interpolation/1.1.2</bundle>
+        <bundle start-level="11">mvn:org.apache.felix/org.apache.felix.cm.json/1.0.6</bundle>
+        <bundle start-level="11">mvn:org.apache.sling/org.apache.sling.commons.johnzon/1.2.6</bundle>
+        <bundle start-level="11">mvn:org.apache.felix/org.apache.felix.configurator/1.0.14</bundle>
+        <!-- file install -->
+        <bundle start-level="12">mvn:org.apache.felix/org.apache.felix.fileinstall/3.6.8</bundle>
+        <!-- features service -->
+        <bundle start-level="15">mvn:org.apache.karaf.features/org.apache.karaf.features.core/4.3.2</bundle>
+    </feature>
+
+</features>
diff --git a/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties b/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties
new file mode 100755
index 00000000..59ab975e
--- /dev/null
+++ b/opendaylight/silicon/silicon-alpine/src/main/resources/startup.properties
@@ -0,0 +1,24 @@
+# Bundles to be started on startup, with startlevel
+mvn\:org.apache.karaf.features/org.apache.karaf.features.extension/4.3.2 = 1
+mvn\:org.ops4j.pax.url/pax-url-aether/2.6.7 = 5
+mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.12 = 8
+mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.12 = 8
+mvn\:org.fusesource.jansi/jansi/1.18 = 8
+mvn\:org.osgi/org.osgi.util.promise/1.1.1 = 9
+mvn\:org.apache.felix/org.apache.felix.coordinator/1.0.2 = 9
+mvn\:org.apache.felix/org.apache.felix.converter/1.0.14 = 9
+mvn\:org.osgi/org.osgi.util.function/1.1.0 = 9
+mvn\:org.apache.felix/org.apache.felix.configadmin/1.9.22 = 10
+mvn\:org.apache.felix/org.apache.felix.configadmin.plugin.interpolation/1.1.2 = 11
+mvn\:org.apache.felix/org.apache.felix.configurator/1.0.14 = 11
+mvn\:org.apache.sling/org.apache.sling.commons.johnzon/1.2.6 = 11
+mvn\:org.apache.felix/org.apache.felix.cm.json/1.0.6 = 11
+mvn\:org.apache.felix/org.apache.felix.fileinstall/3.6.8 = 12
+mvn\:org.apache.karaf.features/org.apache.karaf.features.core/4.3.2 = 15
+# The following are added by opendaylight-karaf-resources
+mvn\:org.osgi/org.osgi.service.event/1.4.0 = 7
+mvn\:org.apache.felix/org.apache.felix.metatype/1.2.4 = 8
+mvn\:org.opendaylight.odlparent/bcprov-framework-ext/8.1.3 = 14
+mvn\:org.opendaylight.odlparent/bcpkix-framework-ext/8.1.3 = 14
+mvn\:org.opendaylight.odlparent/logging-markers/8.1.3 = 14
+mvn\:org.apache.aries.blueprint/org.apache.aries.blueprint.core.compatibility/1.0.0 = 14
-- 
2.16.6