ProM and the Log4j vulnerability
Various releases of ProM contain version 2.8.1 of log4j which, in itself, is vulnerable. However, ProM itself is not vulnerable.
ProM contains log4j only for the sake of the Google Analytics feature, which allows you as a user to let us know which plugins you actually use. This feature can be enabled and disabled using the Package Manager. If you disable this feature, ProM will not use log4j. If you really want to be sure, disable this feature and simply remove the three log4j libraries from the lib folder of ProM.
ProM runs as an application, and not as a server. Only the Google Analytics feature can use the log4j in ProM, so only messages generated by the Google Analytics will be logged by log4j. The user cannot inject his/her own strings into these messages.
A new version of the ProM framework is available in the nightly builds as of December 16 (Nightly build of Thursday, 16.12.2021, 11:04:44). This version contains version 2.16.0 of log4j, which fixes the vulnerability. If needed, you can download this (or a later) nightly build, and replace the three log4j-*-2.8.1.jar files in the “lib” folder (and, if applicable, in the packages/prom-framework-* folder as well) with the three log4j-*-2.16.0.jar files of this nightly build. After this patch, ProM will use log4j version 2.16.0, which does not contain the vulnerability.
Java 9 or later
There are two issues with ProM 6 o Java 9 or later: The boot class loader and XML binding.
The system class loader
As from Java 9, the system class loader is not a URLCLassLoader any more. To be able to load its packages, ProM 6 needs to extend the classpath. This can be done with a URLClassLoader using reflection. In Java 9, as the system class loader is not a URLClassLoader, this fails.
ProM 6 now comes with its own class loader, ProMClassLoader, which is a URLClassLoader. To tell Java to use ProMClassLoader as the system class loader, the following option should be passed onto the Java VM:
-Djava.system.class.loader=org.processmining.framework.util.ProMClassLoader
XML bindings
As from Java 9, there is no support included in Java for XML bindings. As a result, loading an event log may fail because, for example, date conversions do not work. To fix this, please make sure you have the JAXB package installed in ProM 6.
Running ProM (or the Package Manager )
Exception in thread “main” java.lang.UnsupportedClassVersionError: </some/path/to/a/class/file> : Unsupported major.minor version 51.0
You’re trying to run ProM 6.X using a Java version 6 or earlier. ProM 6.X requires Java 7 or better. The major.minor version 51.0 corresponds to Java 7 class files, which cannot be read by Java 6 or earlier.
I have Java 7 for sure
If installed without an embedded JRE7, ProM 6.X just uses “java” in the bat and sh files, that is, it relies on the underlying system to find it a version of Java. If you know that you have installed Java 7 in (for example) the folder “C:\Program Files\Java\jdk1.7.0_67”, then please edit both bat or sh files and replace java with “C:\Program Files\Java\jdk1.7.0_67\bin\java”. Please note the double quotes here, they’re necessary because of the white space in the path in between Program and Files.
Java virtual machine could not be created
Please check the amount of memory assigned to the Java VM running ProM 6.X. If you are running ProM from the ProM6X.exe file (Windows), this amount can be found in the ProM6X.l4j.ini file, if you are running ProM 6.X from a bat (Windows) or sh file (Linux, Mac), then this amount can be found in the ProM[PM]6X[PM].bat or ProM[PM}6X[PM].sh file. Open the file in some text editor, and look for the fragment “-Xmx”. Typically this fragment looks like “-Xmx1G”, in which case 1 Gb of memory will be assigned to the VM. Using the editor, change this amount to an amount that fits your platform. For example, if you only have 2 Gb of memory, do not try “-Xmx4G”.
Could not find the main class: org.processmining.context.uitopia.UI. Program will exit
When running ProM 6.5.1 using the bat (Windows) or sh (Linux, Mac) files, make sure that you start it from the folder where you have installed ProM 6.5.1. When run from a different folder, the Java VM will not find the ProM jar file containing the main class file.
Running ProM 6.5.1 on a Mac
An Application bundle has been created in order to make execution of ProM 6.5.1 in Mac OSX easier. However, the native libraries contained in it (lpsolve and dot) are only available for Mac 10.9 and newer. For older versions of Mac (10.8 and previous versions) the ProM framework can still be used, but some plugins will fail (like Inductive Visual Miner or ILP miner among others).
The bundle can be downloaded from this URL:
https://www.promtools.org/prom6/downloads/prom-6.5.1-mac.zip
Follow the following steps:
- Download the Application Bundle from: https://www.promtools.org/prom6/downloads/prom-6.5.1-mac.zip
- Unzip the file (double clicking on it).
- Drag the Application file (ProM651) wherever you want to store it (Applications folder for instance).
- Execute ProM by double clicking on the application.
- Select to launch the Package Manager.
- The ProM 6.5.1 Package Manager now opens, and should show the “Not installed” tab with the “RunnerUpPackages” preselected. If not, please go to this tab and select it by hand.
- Select “Install”. The Package Manager will now install all required packages.
- Close the Package Manager.
- Close the remaining window with the progress bar by clicking on “Quit”.
- Open the application again and choose “Cancel” when asked about Package Manager.
- ProM will open and you will be ready to start working.
If you are still having trouble with the install of ProM6.5.1 on a Mac, you may need to update java.
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
At least one variant has to be specified
These messages are usual when starting ProM 6.5.1, and harmless. Nothing to worry about.
Proxy issues
If you are running ProM 6.X while connected to a network behind an HTTP proxy, you will need to specify your proxy settings in ProM6X.l4j.ini (windows exe), ProM[PM]6X[PM].bat (Windows bat), and ProM[PM]6X[PM].sh (Linux, Mac).
To do this, specify your proxy host and port settings via the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword system properties. For example, if your proxy host is your.proxy.host.com, proxy port is 8000, your user name is yourUserName, and your password is yourPassword, the java command at the bottom of the ProM651.sh file will look something like this:
java -classpath ${CP} -da -Djava.library.path=${LIBDIR} -Dhttp.proxyHost=your.proxy.host.com -Dhttp.proxyPort=8000 -Dhttp.proxyUser=yourUserName -Dhttp.proxyPassword=yourPassword -Djava.util.Arrays.useLegacyMergeSort=true -Xmx1G -XX:MaxPermSize=256m ${MAIN}
Local repository for ProM Lite 1.1 users
To alleviate possible problems with proxies for ProM Lite 1.1 users, we have a zip archive available for the package repository of ProM Lite 1.1. This zip archive can be downloaded from https://www.promtools.org/prom6/downloads/prom-lite-1.1-local.zip.
Once downloaded, please extract its contents (a folder named packageslite11 and a file named ProM.ini) into the folder where you have installed ProM Lite 1.1. As a result, the ProM.ini file as created by the ProM Lite 1.1 installer will be overwritten by the ProM.ini file from the zip archive, but that’s how it should be. Then start ProM Lite 1.1, which will then install all packages from the local packageslite11 folder, instead of from the internet. As a result, you should not have any firewall or proxy issues when running ProM Lite 1.1.
The downside of using the solution is that you will not get any package updates. If we fix a bug in a relevant package, then we will of course update our package repository, which will then be available to any ProM Lite 1.1 users that actually use this repository, but not to you as you will be using a local copy of the repository.
DIY local repository
<note tip>The package repository of the ProM Nightly Build can also be copied to a local folder on your computer, and ProM can be instructed to use your local repository instead of our remote repository.</note> <note warning>Be aware, however, that the local repository requires approx. 25 GB of space.</note>
There are two ways of creating a copy from our remote ProM Nightly Build package repository: Using wget and using svn.
Using wget
Create a local folder for your repository, and execute the following command in that folder:
wget -r -l 0 https://packages.promtools.org/
This will download the ProM Nightly Build repository into your local folder.
Using svn
Create a local folder for your repository, and execute the following command in that folder:
svn checkout https://svn.win.tue.nl/repos/prom/Releases/Packages
This will do an initial checkout of the ProM Nightly Build repository into your local folder. If later on you want to update this local copy, you can execute:
svn update
in your local folder.
Using the local folder
Say you now have created a local repository in the local folder (assuming Windows here, mutatis mutandis for other OSs) C:\ProM\myRepo
. Then change the line containing PACKAGE_URL
in the ProM.ini
file to the following:
PACKAGE_URL = file:///C:/ProM/myRepo
This will make ProM and the ProM Package Manager use the repository in your local folder as the repository to install packages from. <note>As a result, when ProM or the ProM Package Manager starts, it will use a local repository instead of our remote repository. This local repository contains relative URLs for downloading the packages, and also relative URLs for the majority of the package icons. However, for some packages, it still contains absolute URLs, and to download these icons, the ProM Package Manager still needs an internet connection. ProM itself does not use these icons, and hence does not require an internet connection to download these icons.</note> <note important>Note that for this DIY local repository to work, you need at least revision 6.9.70 of the ProM framework, which is included in the ProM Nightly Build as of July 18. Older revisions of the framework cannot handle the current ProM Nightly Build repository, or a copy thereof.</note>
Installing packages
The installation hangs at the downloading stage of the package DataPetriNets.
The DataPetriNets package is quite big, and it will take some tike to download, please be patient.
All packages have been installed, but some plug-ins do not show
The most likely explanation for missing plug-ins is that the maiden run of ProM 6.X has failed. As a result, the plug-in cache of ProM is not correct. To fix this, please remove the following folder in your Windows registry (use “regedit” in the Start Menu to start the registry editor):
Computer\HKEY_CURRENT_USER\Software\JavaSoft\Prefs\org\processmining\framework\plugin\impl
If running ProM 6.6. or later, you can also start the Package Manager and select the Clear Cache button, which has the same effect.
Then start ProM again, preferrably (I really advice to do this) by running the ProM6X.bat file. This should renew the cache.
In case you’re running ProM 6.X on Linux or Mac, your preferences file may be stored in your home directory (~/Library/Preferences/). The system preferences are stored in /Library/Preferences/ and are only persisted to disk if you are an administrator.
The maiden run of ProM 6.X needs to check all libraries that come with ProM 6.X for plug-ins. As a result, all these libraries need to be loaded, which requires a lot of space in the so-called Java Permanent Generation memory. The default setting for this memory is typically too low, that’s why the ProM6X.bat file contains the following option:
-XX:MaxPermSize=256m
which sets the limit of this memory to a higher value, which should be fine. Later runs of ProM 6.X do not need to scan all libraries, as the cache contains information on which libraries contain plug-ins. Only these libraries will be scanned in a later run.
By removing the folder from the registry, the next run of ProM 6.X will be a new maiden run.
An installation procedure that should work
- Remove the folder where you have installed ProM 6.X.
- Remove the C:\Users\<username>\.ProM6X folder.
- Start the Windows Registry Editor by entering “regedit” in the Start Menu.
- In the Registry Editor, remove the folder “impl” from the folder “HKEY_CURRENT_USER/Software/JavaSoft/Prefs/org/processmining/framework” (select the “impl” folder, right-click, and select “Delete”).
- Close the Registry Editor.
The relevant data on a previous installed version of ProM 6.X is now gone. Step 1 has removed the core software, step 2 the installed packages, and steps 3 to 5 the cache containing information which packages contain plug-ins. Now, we can install ProM 6.X again:
- Install ProM 6.X using the installer, as usual.
- Open a Command Prompt by enter “cmd” in the Start Menu.
- In this Command Prompt, go to the folder where you have installed ProM 6.X.
- Enter “ProMPM6X.bat” (or ProM6X[PM].bat for ProM 6.5.1 and earlier). This starts the ProM 6.X Package Manager.
- If not selected by default, select the “RunnerUpPackages” entry on the “Not installed” tab.
- Select the Install button. This will install all packages. More on packages later.
- When done, close the Package Manager.
- In the same Command Prompt, enter “ProM6X.bat”. This starts ProM 6.X.
ProM 6.X now needs to check all packages for plug-ins, which may take some time. When done, the ProM 6.X window will appear. A next time you start ProM 6.X, this checking for plug-ins will go faster as relevant information is cached in the “impl” folder you have deleted in step 3 to 5.
Dot/GraphViz does not work
- Remove the .prom-graphviz folder which is in the <YourUserFolder>\AppData\Local\Temp folder on most Windows machines. Please do not only remove the contents of this folder, but the folder itself as well.
Dot/GraphViz uses the binaries that are copied into that .prom-graphviz folder if that folder does not yet exist. By removing the folder, you force ProM to copy the binaries again into that folder. Typically, this solves the problem.