Adding log4j to build.gradle

java eclipse gradle log4j
11,252

Solution 1

I suppose I declared log4j in deprecated way (I took these lines from log4j manual).

Just because the manual/documentation says to do it one way doesn't necessarily mean it is accurate or correct. The documentation was likely written at the time where the compile configuration was not deprecated. With the the introduction of the implementation and api configurations, there is no need for the compile configuration.

Simply switch compile to implementation and the deprecation warning will go away.

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'

Solution 2

If you stumble upon this answer check for non-vulnerable versions of log4j-core before copying and pasting.

As of writing, 2.16.0 was the only version considered non-vulnerable to JNDI lookup attacks which are extremelly easy to exploit. You can get more data on this CVE Report. And detailed information on all versions affected by different security vulnerabilities on this Apache security disclosure page.

Versions 1.x should be safe of this particular exploit but might be vulnearable to other exploits depending on version. It's also End of Life since August 5, 2015 and might be a bad idea to use it.

This said, on modern Gradle, "implementation" inside a "dependencies" section should be used to pull in this dependency.

An example would be:

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0' implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'

The "short" alternative:

implementation 'org.apache.logging.log4j:log4j-core:2.16.0'

More recent versions can be found here.

Share:
11,252

Related videos on Youtube

vico
Author by

vico

Updated on June 04, 2022

Comments

  • vico
    vico almost 2 years

    Trying to create simple Gradle Java project in my Eclipse. I'm using LOG4J library, so my build.gradle looks:

    plugins {
    // Apply the java-library plugin to add support for Java Library
    id 'java-library'
}

repositories {
    // Use jcenter for resolving dependencies.
    // You can declare any Maven/Ivy/file repository here.
    jcenter()
}

dependencies {
    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
    compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'
    
    // This dependency is exported to consumers, that is to say found on their compile classpath.
    api 'org.apache.commons:commons-math3:3.6.1'

    // This dependency is used internally, and not exposed to consumers on their own compile classpath.
    implementation 'com.google.guava:guava:28.2-jre'

    // Use JUnit test framework
    testImplementation 'junit:junit:4.12'
}


    I added two lines in this file that I expect will allow to download log4j library:

    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'

    But looks this not help, because in case I build project with gradle I have compile errors.

    The compile configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 7.0. Please use the implementation or api configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
        at build_d9ael385qeshfiepcaw3797hi$_run_closure2.doCall(/home/a/Documents/workspace-sts/l4j/build.gradle:21)
        (Run with --stacktrace to get the full stack trace of this deprecation warning.)

> Task :compileJava FAILED

    I suppose I declared log4j in deprecated way (I took these lines from log4j manual). But how to declare log4j in build.gradle in order to use them in my project?

    Build command:

    ./gradlew build --refresh-dependencies --warning-mode all

    And my main class:

    package l4j;
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;

public class aa {

    static Logger logger = Logger.getLogger(Log4jPropertiesConfigurationExample.class);
    public static void main(String[] args)
    {
        //PropertiesConfigurator is used to configure logger from properties file
        PropertyConfigurator.configure("log4j.properties");
 
        //Log in console in and log file
        logger.debug("Log4j appender configuration is successful !!");
    }

}
  • Cisco
    Cisco over 2 years
    I've updated my answer to point to 2.16.0 to avoid copy/paste a vulnerable version.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to configure another log4j configuration file in Tomcat?
where to put config.properties and log4j.xml in Eclipse
log4j.properties, where to put it
How to exclude dependencies of other subproject in Gradle build?
Gradle JAVA_HOME path in eclipse
java.lang.ClassNotFoundException: Cannot find implementation for
Gradle build folder not showing up after installing the Gradle Eclipse Plugin
'org.apache.commons.logging.impl.Log4JLogger' cannot be found
Could not run phased build action using gradle distribution - eclipse
log4j.properties not working in executable jar