So I've seen other posts (e.g. Can't use hbase-shaded-client jar because of its internal dependency to log4j-1.2.17(CVE-2019-1757)) stating that they have a way to exclude the transitive dependency of log4j:log4j:1.2.17; however, if I run ./gradlew app:dependencies I can still see that the transitive dependency exists.

I have tried referring to the following migration doc https://logging.apache.org/log4j/2.x/manual/migration.html but I'm not sure if this is just transferring the calls over from log4j 1.x to 2.x at runtime or if it's supposed to update the transitive dependency altogether. I even tried excluding the transitive dependency and using slf4j instead in my build.gradle file like so:

compile ('custom-library-that-I-cant-change-code-in'), {
            exclude group: 'log4j', module: 'log4j'
        }
// https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j
implementation 'org.slf4j:log4j-over-slf4j:1.7.35'

How can I make sure that this is even working, or at least not using that older log4j:log4j:1.2.17? Or am I going about this all wrong, and is there an easier way of doing this?

Konstantin Annikov
c.s_._._

1 Answer

To answer your first question, the following exclude wasn't working for me either:

compile ('custom-library-that-I-cant-change-code-in'), {
            exclude group: 'log4j', module: 'log4j'
        }

Try this in your build.gradle; it should work:

configurations {
    compile.exclude group: "log4j", module: "log4j"
}
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Sep 20 '22 at 06:09
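
A way to confirm the exclusion took effect, as an added example that is not part of the original question or answer: it applies the exclude to every configuration (broader than the `compile`-only form in the answer) and adds a task that fails the build if `log4j:log4j` still resolves. The task name `verifyNoLog4j1` is hypothetical, and the snippet assumes the module applies the `java` plugin so that `runtimeClasspath` exists.

```groovy
// build.gradle (Groovy DSL) of the app module. Added example, not the poster's code.
// Assumption: the 'java' plugin (or one that builds on it) is applied,
// so the 'runtimeClasspath' configuration exists.

configurations.all {
    // Drop log4j 1.x from every configuration, whichever dependency pulls it in
    exclude group: 'log4j', module: 'log4j'
}

dependencies {
    // Bridge from the question: provides the org.apache.log4j API on top of SLF4J
    implementation 'org.slf4j:log4j-over-slf4j:1.7.35'
}

// Hypothetical task name. Resolves the runtime classpath and fails the build
// if any artifact with coordinates log4j:log4j is still present.
tasks.register('verifyNoLog4j1') {
    doLast {
        def offenders = configurations.runtimeClasspath
            .resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'log4j' && it.name == 'log4j' }

        if (!offenders.isEmpty()) {
            def found = offenders.collect { "${it.group}:${it.name}:${it.version}" }
            throw new GradleException("log4j 1.x still on runtimeClasspath: ${found}")
        }
        println 'log4j:log4j is not on runtimeClasspath'
    }
}

// To see which dependency path brings a module in, Gradle's built-in report is:
//   ./gradlew app:dependencyInsight --dependency log4j --configuration runtimeClasspath
```

Run it with `./gradlew app:verifyNoLog4j1`; wiring it into `check` with `check.dependsOn 'verifyNoLog4j1'` makes a reintroduced log4j 1.x break the build.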