Remove old log4j dependency from Grails

Question

After having some problems to update log4j in a Grails 2.4 project (which I don't think I have accomplised yet, btw)

Update log4j in Grails 2.4 results in "Could not transfer artifact from/to grailsCentral"

Now I am finding problems to get rid of the old log4j version from the dependency list.

Interestingly enough, Grails 2.4.2 documentation explains how to exclude precisely log4j from the global set:

https://grails.github.io/grails2-doc/2.4.2/guide/conf.html#logging

So, this is my dependency resolution section:

grails.project.dependency.resolution = {   
 inherits("global") {
     excludes "grails-plugin-logging", "log4j"
 }
 log "verbose" // log level of Ivy resolver, either 'error', 'warn', 'info', 'debug' or 'verbose'
 checksums true // Whether to verify checksums on resolve
 legacyResolve false // whether to do a secondary resolve on plugin installation, not advised and here for backwards compatibility

 repositories {
    inherits true // Whether to inherit repository definitions from plugins
    grailsPlugins()
    grailsHome()
    mavenLocal()        
    //grailsCentral()
    //mavenCentral()

    mavenRepo 'https://repo.grails.org/grails/plugins'
    mavenRepo 'https://repo1.maven.org/maven2/'
    mavenRepo 'https://repo.maven.apache.org/maven2/'
 }

 dependencies {
    ...
    compile "org.apache.logging.log4j:log4j-core:2.17.1"
    compile "org.apache.logging.log4j:log4j-api:2.17.1"
 }

 plugins {
    // plugins for the build system only
    ....
 }
}

However, after cleaning and building again my application, if a run a dependency-report, log4j-1.2.17 still shows there.

Even more, as I've said before, something tells that I am neither using the new version of log4j. But I don't know how to test it.

If I put this in the "excludes":

inherits("global") {
     excludes "grails-plugin-log4j", "grails-plugin-logging", "log4j"
}

Then build fails because

[groovyc] groovy.lang.GroovyRuntimeException: Unable to load logging class

which I guess it's related with the myriad of default Grails files that have this line:

import groovy.util.logging.Log4j

I am starting to think that updating log4j version is next to impossible in Grails. In my opinion, with the last CVE regarding log4j (even though this version is not affected), they should have released some document explaining how to update to the last version.

Does someone know how to do this properly?

Answer 1

I am trying to do this myself. I am in progress, but it looks so far like you are missing an important piece... From the Log4J documentaion:

Optional Components Log4j 2.x contains several optional components that can be included in an application.

Log4j 1.x API Bridge If existing components use Log4j 1.x and you want to have this logging routed to Log4j 2, then remove any log4j 1.x dependencies and add the following.

[various include types are below]

https://logging.apache.org/log4j/2.x/maven-artifacts.html