Wednesday, March 20, 2024

Convert Java Project from Log4j 1 to Log4j2

Older Java projects often still use Log4j 1.x. Since Log4j2 is the newer version, upgrading to it means changing all the files to use the new package details.

This is a tedious job. OpenRewrite provides a solution: follow the steps below to convert your project from Log4j 1.x to Log4j 2.

Steps:
  • Navigate to the project folder in command prompt
  • Run the below command
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-logging-frameworks:RELEASE -Drewrite.activeRecipes=org.openrewrite.java.logging.log4j.Log4j1ToLog4j2
  • This will convert all the imports in the files to Log4j2 packages, remove the Log4j 1.x dependency and add the Log4j2 dependencies automatically in pom.xml
  • Add the LMAX Disruptor dependency in pom.xml as below
<dependency>
    <groupId>com.lmax</groupId>
    <artifactId>disruptor</artifactId>
    <version>3.4.4</version>
</dependency>
  • Create log4j2.xml (under the src\main\resources folder); a sample is shown below. The assumption here is that log files are created within the logs folder of Tomcat. Replace <AppName> with the app name.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{dd-MM-yyyy HH:mm:ss} [%t] %-5p %c - %m%n"/>
        </Console>
        <!-- Rolling log file: rolls over when the file reaches 500 MB; the date and hour in filePattern only name the archive -->
        <RollingFile name="ProcessorRollingFile" fileName="${sys:catalina.home}/logs/<AppName>.log" filePattern="${sys:catalina.home}/logs/$${date:yyyy-MM-dd}/<AppName>-%d{yyyy-MM-dd-HH}-%i.log.gz">
            <PatternLayout>
                <!--<pattern>%d{ISO8601} [%t] %p %c %L - %m%n</pattern>-->
                <pattern>%d{dd-MM-yyyy HH:mm:ss} [%t] %-5p %c - %m%n</pattern>
            </PatternLayout>
            <Policies>
                <SizeBasedTriggeringPolicy size="500 MB"/>
            </Policies>
            <!-- Keep at most 100 archives per %i counter -->
            <DefaultRolloverStrategy max="100"/>
        </RollingFile>
        <!-- Register Async appender -->
        <Async name="AsyncRollingFile">
            <AppenderRef ref="ProcessorRollingFile"/>
        </Async>
    </Appenders>
    <Loggers>
        <AsyncLogger name="root" level="WARN" additivity="false">
            <AppenderRef ref="AsyncRollingFile"/>
        </AsyncLogger>
    </Loggers>
</Configuration>


If you skip tests in the project while running Maven, the same needs to be applied when executing the Maven command for OpenRewrite. If you use a profile, it needs to be added to the Maven command as well. If the profile name is Live, the full command with skip tests looks like below:

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-logging-frameworks:RELEASE -Drewrite.activeRecipes=org.openrewrite.java.logging.log4j.Log4j1ToLog4j2 -Dmaven.test.skip=true -PLive
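A check to run after the recipe finishes, as an added example that is not part of the original post or of OpenRewrite: it lists Java files that still import `org.apache.log4j`, pom.xml files that still declare the `log4j` groupId, and old Log4j 1.x configuration files left next to the new log4j2.xml. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: list Log4j 1.x leftovers after the OpenRewrite run.
# Function names are hypothetical; they are not part of OpenRewrite.
# Usage: check_log4j1_migration /path/to/project

find_log4j1_leftovers() {
    project_dir=$1

    # Java sources still importing org.apache.log4j.* (Log4j 1.x).
    # Log4j 2 uses org.apache.logging.log4j, which this pattern does not match.
    find "$project_dir" -type f -name '*.java' -exec grep -lE \
        '^[[:space:]]*import[[:space:]]+(static[[:space:]]+)?org\.apache\.log4j\.' {} + |
        sed 's/^/import: /'

    # pom.xml files still declaring the Log4j 1.x groupId (log4j:log4j).
    find "$project_dir" -type f -name 'pom.xml' -exec grep -l \
        '<groupId>log4j</groupId>' {} + |
        sed 's/^/dependency: /'

    # Log4j 1.x configuration files; Log4j 2 reads log4j2.xml instead.
    find "$project_dir" -type f \( -name 'log4j.properties' -o -name 'log4j.xml' \) |
        sed 's/^/config: /'
}

# Returns 0 when the tree is clean, 1 (and prints the findings) otherwise.
check_log4j1_migration() {
    findings=$(find_log4j1_leftovers "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A non-zero return makes the function usable as a build gate, so a module the recipe did not reach cannot quietly keep the 1.x library.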


Wednesday, February 28, 2024

Creating Tag for Docker Image

Once we create an image of an application & push it to the Docker repository, it is tagged as the latest one.

The next time we rebuild & push the image, the latest tag gets overridden.

But if the latest image gives any error, we should be able to get the previous tag to deploy.

Hence we need to create a separate tag for the current latest image before pushing the new image.

Below are the commands to do the same:

sudo docker tag <docker repo>/testwebapp:latest <docker repo>/testwebapp:prev

sudo docker push <docker repo>/testwebapp:prev

This will create a tag named prev (you can choose any name) for the present latest image.

This command should be run before pushing the new image to Docker.
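The ordering above as a single function, an added example that is not part of the original post: it pulls the published latest first, because tagging a freshly built local latest would label the new image as prev. The function name and the ALLOW_FIRST_RELEASE variable are hypothetical.

```shell
#!/bin/sh
# Added example: preserve the published "latest" under a rollback tag before
# a new build replaces it. release_with_rollback_tag and ALLOW_FIRST_RELEASE
# are hypothetical names. Prefix docker with sudo if your host needs it.
# Usage: release_with_rollback_tag <docker repo>/testwebapp [prev]

release_with_rollback_tag() {
    image=$1
    prev_tag=${2:-prev}

    # Pull what the registry currently serves as latest. Tagging a local
    # "latest" after a fresh build would label the NEW image as prev.
    if docker pull "$image:latest"; then
        docker tag "$image:latest" "$image:$prev_tag" || return 1
        # If the rollback tag cannot be pushed, stop before latest is replaced.
        docker push "$image:$prev_tag" || return 1
    elif [ "${ALLOW_FIRST_RELEASE:-0}" != 1 ]; then
        echo "cannot pull $image:latest; refusing to overwrite it" >&2
        return 1
    fi

    docker build -t "$image:latest" . || return 1
    docker push "$image:latest"
}
```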

Monday, January 22, 2024

Convert SVN Project to Git Project

Here we are going to see how to convert an SVN project to a Git project in the local filesystem.

Steps:
  • Prerequisite: Git must be preinstalled on your machine
  • Go to the command prompt & run the below command
git svn clone -r HEAD <SVN Codebase URL>
  • This will create a folder with the same name as the app, with a .git file

Sunday, January 21, 2024

Semgrep

Semgrep is used as a SAST tool.

Steps to get the SAST report:

  1. Check out the code into your local directory from GitHub.
  2. Go to https://semgrep.dev/login/ & create the login
  3. docker run -it returntocorp/semgrep semgrep login
  4. Copy the URL provided into the browser to activate the token
  5. From the command prompt, navigate to the local folder where the code is checked out from GitHub
  6. From the command prompt, copy the token & run the below command with the token
  7. docker run -e SEMGREP_APP_TOKEN=<token> --rm -v "<local repo>:/src" returntocorp/semgrep semgrep ci
  8. Check the report from the Semgrep UI

Additional Info (For SVN repo):
Semgrep presently supports only Git projects.
Hence, if you are using SVN as the code repository, first convert the SVN project to a Git project (details in the link http://souravdalal.blogspot.com/2024/01/convert-svn-project-to-git-project.html)

Once done, you can run the above steps to generate the report.
In case you get an error like "Unable to infer repo_url. Set SEMGREP_REPO_URL environment variable or run in a valid git project with remote origin defined", add the git repository using the below command

git remote add origin https://github.com/<repo_name>

In case you want to dump the report to a local file, use the below command

docker run -e SEMGREP_APP_TOKEN=<token> --rm -v "<local repo>:/src" returntocorp/semgrep semgrep ci > semrep_report.txt


Thursday, January 18, 2024

Trivy Code Vulnerability report

Trivy provides a third-party library vulnerability report along with security key exposure in your code.

The tool also provides the version in which the vulnerability is fixed.

You can use the below steps to get a report after checking out the code from your repo:

Go to https://github.com/aquasecurity/trivy/releases/download/v0.48.3/trivy_0.48.3_windows-64bit.zip

Download the zip

Extract the folder

Go to <Extracted Folder>\trivy_0.48.3_windows-64bit

Open the command line from the above folder

Run the below command

trivy fs <codebase path in local m/c> > <app_name_>sec_rpt.txt

Further reading:

https://trivy.dev/


Sunday, January 7, 2024

How to manage Docker images in Github Packages

Instead of using Docker Hub, GitHub Container Registry can also be used for Image management.

You need to follow the below steps to do that:

1. Log in to GHCR from the Docker CLI using the below command. Replace with your username & personal access token

docker login ghcr.io -u YOUR_GITHUB_USERNAME -p YOUR_PERSONAL_ACCESS_TOKEN

2. Build the Docker image locally

docker build -t ghcr.io/OWNER/IMAGE_NAME:TAG .

3. Push the docker image to GHCR

docker push ghcr.io/OWNER/IMAGE_NAME:TAG

Links for further reading:

https://cto.ai/blog/build-and-deploy-a-docker-image-on-ghcr/
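The `docker login -p` command above and the Semgrep `-e SEMGREP_APP_TOKEN=<token>` command in the earlier post both put a secret on the command line, where shell history and process listings can show it. The variant below is an added example, not part of the original posts: it passes both tokens without placing them in argv. GHCR_TOKEN is an assumed variable name and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: keep tokens out of the docker command line (argv), where
# shell history and process listings can expose them.
# GHCR_TOKEN is an assumed variable name; SEMGREP_APP_TOKEN is the page's.

ghcr_login() {
    user=$1
    if [ -z "${GHCR_TOKEN:-}" ]; then
        echo "GHCR_TOKEN is not set" >&2
        return 1
    fi
    # printf is a shell builtin, so the token never becomes a process argument;
    # --password-stdin makes docker read it from the pipe.
    printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$user" --password-stdin
}

semgrep_ci() {
    repo=$1
    if [ -z "${SEMGREP_APP_TOKEN:-}" ]; then
        echo "SEMGREP_APP_TOKEN is not set" >&2
        return 1
    fi
    export SEMGREP_APP_TOKEN
    # "-e NAME" without "=value" tells docker to copy NAME from its own
    # environment into the container.
    docker run -e SEMGREP_APP_TOKEN --rm -v "$repo:/src" \
        returntocorp/semgrep semgrep ci
}
```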
