Drop loci_tools uber JAR

[sbesson]

See ome/www.openmicroscopy.org#555

This uber-JAR has been deprecated for almost a decade (superseded by bioformats_package.jar) and was solely maintained for backwards-compatibility.

Following Log4Shell (CVE-2021-44228), a security advisory was opened against this bundle - see 2021-SV4. The current workaround is to use the logback-based bioformats_package bundle.

For the next release of Bio-Formats, the proposal is to completely get rid of this bundle and the log4j dependency:

• remove https://github.com/ome/bioformats/blob/develop/components/bundles/loci_tools
• review remaining mentions of log4j in the code base
• review documentation

[imagesc-bot]

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/cve-2021-44228-log4shell-assessment-for-omero-bio-formats/61032/1

[ctrueden]

I looked for remaining references to loci_tools.jar. I fixed a couple of them (imagej/imagej.github.io@ad94a88, fiji/fiji@3428cdb, uw-loci/loci-scripts@bea4a2e). Here are the remaining ones I found but did not fix:

Vaa3D

https://github.com/Vaa3D/v3d_external

v3d_main/build.macx:#if [ -f bin/plugins/64bit/imageIO/load_image_using_Bioformats/loci_tools.jar ]; then
v3d_main/io/io_bioformats.cpp:    //look for loci_tools.jar
v3d_main/io/io_bioformats.cpp:        lociLibPath = getAppPath().append("/").append("loci_tools.jar");
v3d_main/io/io_bioformats.cpp:        lociLibPath = QFileDialog::getOpenFileName(0, QObject::tr("select the library of Bioformats Java library (loci_tools.jar)"),
v3d_main/io/io_bioformats.cpp:            v3d_msg("Cannot find loci_tools.jar, please download it and make sure it is put under the Vaa3D executable folder, parallel to the Vaa3D executable and the plugins folder.");

Orbit

https://github.com/mstritt/orbit-image-analysis

src/main/java/com/actelion/research/orbit/imageAnalysis/utils/ImageProcessorReader.java:// Decompiled from loci_tools.jar (http://www.loci.wisc.edu/bio-formats/downloads)
src/main/java/com/actelion/research/orbit/imageAnalysis/utils/ImageProcessorReader.java:/* Location:           D:\dev\Java\OrbitImageAnalysis\lib\loci_tools.jar

Microscopy Image Browser (MIB)

https://github.com/Ajaxels/MIB

ImportExportTools/BioFormats/bfopen3.m:%     to loci_tools.zip. If this happens, rename it back to loci_tools.jar.
ImportExportTools/BioFormats/selectLociSeries.m:%        (e.g., C:/Program Files/MATLAB/work/loci_tools.jar).
ImportExportTools/BioFormats/selectLociSeries.m:%     if ~isempty(strfind(javapath{i},'loci_tools.jar'))
ImportExportTools/BioFormats/selectLociSeries.m:%     javaaddpath(fullfile(fileparts(mfilename('fullpath')),'loci_tools.jar'));

python-bioformats

https://github.com/CellProfiler/python-bioformats

bioformats/formatreader.py:    # This uses the reader.txt file from inside the loci_tools.jar
bioformats/formatwriter.py:    # This uses the writers.txt file from inside the loci_tools.jar
bioformats/metadatatools.py:        # Post loci_tools 4.2
bioformats/metadatatools.py:        # Post loci_tools 4.2 - use ome.xml.model.DimensionOrder
docs/index.rst:The javabridge package must be used to start the JVM with loci_tools.jar
setup.cfg:classpath = bioformats/jars/loci_tools.jar

[jburel]

cc @mstritt

[joshmoore]

see: CellProfiler/python-bioformats#152

[bethac07]

FWIW, it looks like since 2020 python-bioformats has been using bioformats_package.jar (so all versions of CellProfiler 4 should be good in that regard); it looks like other than setup.cfg (which apparently hasn't been touched in 8 years(!)), all of those are just comments which were not updated. I'll dig out those legacy comments.

CellProfiler/python-bioformats@ad5df31#diff-f6e62418513760b4fb33dfae61cee65ed1e975085ed1a30f9945b1b30e76872a

[joshmoore]

Thanks, @bethac07! There now definitely seems to be an aversion to anything that matches git grep log4j regardless of the impact.