
Restore CI/CD #323

Closed
davideicardi opened this issue Dec 23, 2021 · 9 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@davideicardi
Collaborator

davideicardi commented Dec 23, 2021

It looks like Travis CI doesn't work anymore. How can we restore it?
Can we evaluate using GitHub Actions instead?

It is important to also release the new docker image with Log4J vulnerability fix.

@ekoutanov do you have any suggestion?

@davideicardi davideicardi added bug Something isn't working help wanted Extra attention is needed labels Dec 23, 2021
@cemeyer2

For now, I wrote my own Dockerfile and pushed it to a private ECR to unblock. Not the most elegant, but it works for now until an official image is pushed.

```dockerfile
# Stage 1: build Kafdrop from the current master branch archive
FROM openjdk:11 AS builder

RUN mkdir /app && cd /app && \
    wget https://github.com/obsidiandynamics/kafdrop/archive/refs/heads/master.zip && \
    unzip master.zip && \
    cd /app/kafdrop-master && \
    # skip tests; assembly:single produces the distributable tarball under target/
    ./mvnw -DskipTests package assembly:single && \
    mkdir /kafdrop && \
    cp /app/kafdrop-master/target/kafdrop*tar.gz /kafdrop.tar.gz && \
    # kafdrop.sh is the launcher script the project ships for its Docker image
    cp /app/kafdrop-master/target/docker-ready/kafdrop.sh / && \
    chmod +x /kafdrop.sh

# Stage 2: runtime image with only the tarball and launcher, no build tooling
FROM openjdk:11
COPY --from=builder /kafdrop.tar.gz /
COPY --from=builder /kafdrop.sh /
RUN tar xvf /kafdrop.tar.gz
CMD ["/kafdrop.sh"]
```

@davideicardi
Collaborator Author

Thank you @cemeyer2, I have done something similar for myself too. But I used mvn assembly:single docker:build, which, as described here, can create the Docker image using the official workflow.
In the following days I will try to investigate how to fix CI/CD and hope to fix it soon...

@ecetiner87

Thank you @cemeyer2 and @davideicardi for this help. We built the image from the related Dockerfile that @cemeyer2 shared and it works properly. The security scan also passed. Much appreciated.

@niqbal

niqbal commented Dec 26, 2021

@davideicardi I tried your approach, however I am noticing that I still get this spring-boot-starter-log4j2-2.6.1.jar, which is marked as vulnerable in the Maven repository:
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-log4j2/2.6.1

The log4j jars have been upgraded, so I don't think it should be an issue, but wanted to confirm.

root@kafdrop-596d547c7-tgmb4:/# find .  | grep jar | grep log4j  | xargs ls -al 
-rw-r--r-- 1 501 dialout  301776 Dec 24 15:44 ./kafdrop-3.28.0-SNAPSHOT/lib/log4j-api-2.17.0.jar
-rw-r--r-- 1 501 dialout 1789339 Dec 24 15:44 ./kafdrop-3.28.0-SNAPSHOT/lib/log4j-core-2.17.0.jar
-rw-r--r-- 1 501 dialout   30966 Dec 24 15:44 ./kafdrop-3.28.0-SNAPSHOT/lib/log4j-jul-2.17.0.jar
-rw-r--r-- 1 501 dialout   24252 Dec 24 15:44 ./kafdrop-3.28.0-SNAPSHOT/lib/log4j-slf4j-impl-2.17.0.jar
-rw-r--r-- 1 501 dialout    4773 Dec 24 15:44 ./kafdrop-3.28.0-SNAPSHOT/lib/spring-boot-starter-log4j2-2.6.1.jar

@davideicardi
Collaborator Author

davideicardi commented Dec 26, 2021

@niqbal I think it is a false positive, because we have declared <log4j2.version>2.17.0</log4j2.version> to override the log4j version. Anyway, also updating spring-boot-starter-log4j2 is not a bad idea...
What do you think @ekoutanov and @mcs ?
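To separate a name-based scanner hit from what the image actually ships, here is an added example (not Kafdrop's code nor anyone's in this thread) that audits a lib directory: it opens each jar and checks whether it carries log4j-core bytecode, then compares the versions of the jars that do against the pinned 2.17.0. The jar list, the PLACEHOLDER.class entries and the temp-directory helper are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Constructed sample: names from the container listing above; entries are placeholders
# (real jars ship many classes; the starter jar ships only a manifest, no log4j code).
SAMPLE_JARS = {
    "log4j-api-2.17.0.jar": ["org/apache/logging/log4j/PLACEHOLDER.class"],
    "log4j-core-2.17.0.jar": ["org/apache/logging/log4j/core/PLACEHOLDER.class"],
    "spring-boot-starter-log4j2-2.6.1.jar": [],
}
CORE_PREFIX = "org/apache/logging/log4j/core/"
MIN_CORE = (2, 17, 0)  # the log4j-core version the project pinned via <log4j2.version>
NAME_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")

def parse_jar_name(name):
    # 'log4j-core-2.17.0.jar' -> ('log4j-core', (2, 17, 0)); None when there is no version suffix
    m = NAME_RE.match(name)
    return None if m is None else (m["artifact"], tuple(int(p) for p in m["version"].split(".")))

def audit_lib_dir(lib_dir):
    # core_jars: jars that really contain log4j-core bytecode; name_only: jars a name-based
    # scanner may flag although they ship no log4j-core code (the starter is one of these).
    report = {"core_jars": {}, "name_only": [], "ok": False}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        parsed = parse_jar_name(jar.name)
        if parsed is None:
            continue
        artifact, version = parsed
        with zipfile.ZipFile(jar) as zf:  # inspect what is shipped, not just the file name
            has_core = any(n.startswith(CORE_PREFIX) and n.endswith(".class") for n in zf.namelist())
        if has_core:
            report["core_jars"][jar.name] = version
        elif "log4j" in artifact:
            report["name_only"].append(jar.name)
    report["ok"] = bool(report["core_jars"]) and all(v >= MIN_CORE for v in report["core_jars"].values())
    return report

def make_sample_lib_dir(root, jars):
    # Write the constructed jars as zip files so the audit can run offline.
    lib = Path(root)
    for name, entries in jars.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                zf.writestr(entry, b"")
    return lib

def demo(jars=SAMPLE_JARS):
    with tempfile.TemporaryDirectory() as tmp:
        return audit_lib_dir(make_sample_lib_dir(tmp, jars))
```

Run `audit_lib_dir` against the real `kafdrop-<version>/lib` directory inside a container to get the same report for a built image.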

@mcs
Contributor

mcs commented Dec 27, 2021

I suggest deleting the log4j property and updating to Spring Boot 2.6.2, which also increments spring-boot-starter-log4j2 to version 2.6.2.

@davideicardi
Collaborator Author

See #324 PR to update spring boot.

@kbudde
Contributor

kbudde commented Dec 28, 2021

See #325 PR for release action.

@davideicardi
Collaborator Author

Closed via #325. Published new Docker image 3.28.0-SNAPSHOT.
