Merge pull request #26 from SmartBear/merge-from-base

Merge from base

.github/workflows/build.yaml

@@ -20,19 +20,21 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        profile: ['', 'spring4']
+        profile: ['']
     steps:
     - name: Checkout
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
     - name: Cache
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       with:
         path: ~/.m2
         key: m2
     - name: Set up JDK
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@v3
       with:
-        java-version: 1.8
+        distribution: temurin
+        java-version: 17
+        cache: 'maven'
     - name: Compile
       run: ./mvnw clean test-compile -B
     - name: Test

README.md

@@ -5,7 +5,6 @@
 [![Stability: Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html)
 ![Build Status](https://github.com/zalando/logbook/workflows/build/badge.svg)
 [![Coverage Status](https://img.shields.io/coveralls/zalando/logbook/main.svg)](https://coveralls.io/r/zalando/logbook)
-[![Code Quality](https://img.shields.io/codacy/grade/1304955ee1cb4597a37267aac596bcb3/main.svg)](https://www.codacy.com/app/whiskeysierra/logbook)
 [![Javadoc](http://javadoc.io/badge/org.zalando/logbook-core.svg)](http://www.javadoc.io/doc/org.zalando/logbook-core)
 [![Release](https://img.shields.io/github/release/zalando/logbook.svg)](https://github.com/zalando/logbook/releases)
 [![Maven Central](https://img.shields.io/maven-central/v/org.zalando/logbook-parent.svg)](https://maven-badges.herokuapp.com/maven-central/org.zalando/logbook-parent)
@@ -36,8 +35,8 @@ Logbook is ready to use out of the box for most common setups. Even for uncommon
 - JAX-RS 2.x Client and Server (optional)
 - Netty 4.x (optional)
 - OkHttp 2.x **or 3.x** (optional)
-- Spring 4.x **or 5.x** (optional)
-- Spring Boot 1.x **or 2.x** (optional)
+- Spring 5.x** (optional)
+- Spring Boot 2.x** (optional)
 - Ktor (optional)
 - logstash-logback-encoder 5.x (optional)
 
@@ -465,6 +464,33 @@ The Common Log Format ([CLF](https://httpd.apache.org/docs/trunk/logs.html#commo
 185.85.220.253 - - [02/Aug/2019:08:16:41 0000] "GET /search?q=zalando HTTP/1.1" 200 -
 ```
 
+##### Extended Log Format
+
+The Extended Log Format ([ELF](https://en.wikipedia.org/wiki/Extended_Log_Format)) is a standardised text file format, like Common Log Format (CLF), that is used by web servers when generating log files, but ELF files provide more information and flexibility. The format is supported via the `ExtendedLogFormatSink`.
+Also see [W3C](https://www.w3.org/TR/WD-logfile.html) document.
+
+Default fields:
+
+```text
+date time c-ip s-dns cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-protocol cs(User-Agent) cs(Cookie) cs(Referrer)
+```
+
+Default log output example:
+
+```text
+2019-08-02 08:16:41 185.85.220.253 localhost POST /search ?q=zalando 200 21 20 0.125 HTTP/1.1 "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0" "name=value" "https://example.com/page?q=123"
+```
+
+Users may override default fields with their custom fields through the constructor of `ExtendedLogFormatSink`:
+
+```java
+new ExtendedLogFormatSink(new DefaultHttpLogWriter(), "date time cs(Custom-Request-Header) sc(Custom-Response-Header)")
+```
+
+For Http header fields: `cs(Any-Header)` and `sc(Any-Header)`, users could specify any headers they want to extract from the request.
+
+Other supported fields are listed in the value of `ExtendedLogFormatSink.Field`, which can be put in the custom field expression.
+
 ##### cURL
 
 *cURL* is an alternative formatting style, provided by the `CurlHttpLogFormatter` which will render requests as 
@@ -640,7 +666,15 @@ client.execute(producer, new LogbookHttpAsyncResponseConsumer<>(consumer), callb
 
 ### HTTP Client 5
 
-The `logbook-httpclient5` module contains both an `HttpRequestInterceptor` and an `HttpResponseInterceptor` to use with the `HttpClient`:
+The `logbook-httpclient5` module contains an `ExecHandler` to use with the `HttpClient`:
+```java
+CloseableHttpClient client = HttpClientBuilder.create()
+        .addExecInterceptorFirst("Logbook", new LogbookHttpExecHandler(logbook))
+        .build();
+```
+The Handler should be added first, such that a compression is performed after logging and decompression is performed before logging.
+
+To avoid a breaking change, there is also an `HttpRequestInterceptor` and an `HttpResponseInterceptor` to use with the `HttpClient`, which works fine as long as compression (or other ExecHandlers) is not used:
 
 ```java
 CloseableHttpClient client = HttpClientBuilder.create()
@@ -676,6 +710,18 @@ client.register(new LogbookClientFilter(logbook));
 resourceConfig.register(new LogbookServerFilter(logbook));
 ```
 
+### JDK HTTP Server
+
+The `logbook-jdkserver` module provides support for
+[JDK HTTP server](https://docs.oracle.com/javase/8/docs/jre/api/net/httpserver/spec/com/sun/net/httpserver/HttpServer.html)
+and contains:
+
+A `LogbookFilter` to be used with the builtin server
+
+```java
+httpServer.createContext(path, handler).getFilters().add(new LogbookFilter(logbook))
+```
+
 ### Netty
 
 The `logbook-netty` module contains:
@@ -722,7 +768,7 @@ The `logbook-okhttp2` module contains an `Interceptor` to use with version 2.x o
 
 ```java
 OkHttpClient client = new OkHttpClient();
-client.networkInterceptors().add(new LogbookInterceptor(logbook);
+client.networkInterceptors().add(new LogbookInterceptor(logbook));
 ```
 
 If you're expecting gzip-compressed responses you need to register our `GzipInterceptor` in addition.
@@ -731,7 +777,7 @@ logbook to log compressed binary responses.
 
 ```java
 OkHttpClient client = new OkHttpClient();
-client.networkInterceptors().add(new LogbookInterceptor(logbook);
+client.networkInterceptors().add(new LogbookInterceptor(logbook));
 client.networkInterceptors().add(new GzipInterceptor());
 ```
 

cve-suppressions.xml

@@ -1,44 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <cve>CVE-2018-1258</cve>
-        <!-- Version clause doesn't match netty -->
-        <cve>CVE-2019-10797</cve>
-        <cve>CVE-2019-12814</cve>
-        <cve>CVE-2020-5421</cve>
-        <cve>CVE-2020-7712</cve>
-        <cve>CVE-2020-10663</cve>
-        <cve>CVE-2020-15824</cve>
-    </suppress>
-
-    <!--
-        False positive; matches old netty version.
-        See https://github.com/jeremylong/DependencyCheck/issues/3830
-    -->
-    <suppress>
-        <!-- language=regex -->
-        <packageUrl regex="true">pkg:maven\/io\.netty\.incubator\/netty-incubator-codec-(classes|native)-quic@0\.0\.24\.Final</packageUrl>
-        <cve>CVE-2014-3488</cve>
-        <cve>CVE-2015-2156</cve>
-        <cve>CVE-2019-16869</cve>
-        <cve>CVE-2019-20444</cve>
-        <cve>CVE-2019-20445</cve>
-        <cve>CVE-2021-37136</cve>
-        <cve>CVE-2021-37137</cve>
-        <cve>CVE-2021-21290</cve>
-        <cve>CVE-2021-21295</cve>
-        <cve>CVE-2021-21409</cve>
-        <cve>CVE-2021-43797</cve>
-    </suppress>
-
-    <suppress>
-        <!-- Related to SecurityContext, which Logbook never uses. -->
-        <cve>CVE-2021-22112</cve>
-        <cve>CVE-2021-22118</cve>
-    </suppress>
-
-    <suppress>
-      <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-core@4\..*\.RELEASE$</packageUrl>
-      <vulnerabilityName>BREACH attack possible in CSRF tokens</vulnerabilityName>
-    </suppress>
+        <suppress>
+            <cve>CVE-2021-37533</cve>
+            <!-- Suppressing until the migration to Spring Framework 6-->
+            <cve>CVE-2016-1000027</cve>
+            <!-- False positive -->
+            <cve>CVE-2020-5408</cve>
+            <!-- Okhttp2 module uses the latest version of okhttp. The vulnerability is in OkHostnameVerifier.java, which is not used in this library -->
+            <cve>CVE-2021-0341</cve>
+            <!-- ktor requires a major upgrade. Suppressing until then -->
+            <cve>CVE-2021-4277</cve>
+            <!-- so far jackson-core and json-path don't have bugfix releases yet for that cve -->
+            <cve>CVE-2022-45688</cve>
+        </suppress>
+        <suppress>
+            <notes><![CDATA[
+            suppress CVE-2022-45688 only to pkg:maven/org.json/json
+            ]]></notes>
+            <packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>
+            <!-- Suppressing until https://github.com/jeremylong/DependencyCheck/issues/5502 has been solved -->
+            <cve>CVE-2022-45688</cve>
+        </suppress>
 </suppressions>

logbook-api/pom.xml

@@ -18,7 +18,7 @@
         <dependency>
             <groupId>org.organicdesign</groupId>
             <artifactId>Paguro</artifactId>
-            <version>3.1.4</version>
+            <version>3.10.3</version>
         </dependency>
     </dependencies>
 </project>