
log4j exclusion - Maven

Greenhorn
Posts: 8
We have removed the log4j version 1.2.17 dependency from the pom.xml file, but while generating the war we still see the log4j dependency in the war file.

We are using slf4j-log4j12 version 1.2.37 as the logger. We ran the Maven dependency tree and found the transient dependency.

We have used the exclusion to remove the log4j dependency, but log4j is still getting added to the war file.

Attached is the dependency tree for your reference.

[Attached image: Maven dependency tree]

Please help with how to remove the log4j dependency.
Ranch Hand
Posts: 159
That is log4j 1.2. It was not affected by the vulnerability. Only Log4j version 2 is affected.
Sheriff
Posts: 22815
Eduardo Bueno wrote: That is log4j 1.2. It was not affected by the vulnerability. Only Log4j version 2 is affected.

True, but Log4J 1 has been EOL for years already, and has its own vulnerabilities. I think that you're still safe as long as you don't use a JMS or SMTP appender.

Anyways, slf4j-log4j12 has only one simple task - provide an SLF4J implementation backed by Log4J 1. If you don't want to include Log4J 1, excluding it from slf4j-log4j12 is not the way to go. That's just NoClassDefFoundErrors waiting to happen. Instead, just remove the entire slf4j-log4j12 dependency. I'd replace it with another implementation, like logback-classic or slf4j-jdk14, otherwise you won't have any logging at all.
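To make the advice in this reply concrete, here is an added example (not the original poster's pom.xml and not code from this thread) contrasting the exclusion the first post describes with the replacement suggested above. The version properties are placeholders I am assuming; pick current releases of slf4j-api and logback-classic for a real build.

```xml
<!-- Added example, not from the thread. Versions are assumed placeholders. -->
<properties>
  <slf4j.version>PLACEHOLDER-SLF4J-VERSION</slf4j.version>
  <logback.version>PLACEHOLDER-LOGBACK-VERSION</logback.version>
</properties>

<dependencies>
  <!-- BEFORE: the approach from the first post. slf4j-log4j12 is only a bridge
       to Log4J 1, so excluding log4j:log4j from it keeps the bridge but removes
       the classes it calls. The build succeeds; the application then fails with
       NoClassDefFoundError at the first log statement. -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-log4j12</artifactId>
    <version>${slf4j.version}</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- AFTER: drop slf4j-log4j12 entirely and bind SLF4J to Logback instead.
       logback-classic pulls in slf4j-api transitively and brings no Log4J 1
       classes into the war, so nothing is left to exclude. -->
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>${logback.version}</version>
  </dependency>
</dependencies>
```

Only one of the two dependency blocks should be present in a real pom.xml; they are shown side by side for comparison. After switching, re-run the dependency tree filtered to the artifact in question, for example `mvn dependency:tree -Dincludes=log4j:log4j`, to confirm no other library is still pulling Log4J 1 in transitively; if one is, the exclusion belongs on that library, not on an SLF4J binding.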