I am trying to create a DB logging appender, `ch.qos.logback.classic.db.DBAppender` to be exact. But from what I read, the DBAppender functionality was dropped from Logback some time ago, with no guarantee when it will be back.

https://jira.qos.ch/browse/LOGBACK-1609

Now from what I read, there was a vulnerability in there. But I'm not sure what, because I wasn't able to find any info on it.

Now from what I understand, the newer Spring Boot versions come with Logback 1.2.11, and DBAppender was supported till 1.2.8, I believe.

So my questions are:

  1. Is it safe to exclude the logback that comes with Spring Boot and use the older Logback without causing a risk?

  2. Is switching to log4j the best option? That has had its own issues with security this year!

hell_storm2004
  • Check the [docs](https://logback.qos.ch/manual/appenders.html#DBAppender) as it states "However, DBAppender for logback-classic is available under the following Maven coordinates: ch.qos.logback.db:logback-classic-db:1.2.11.1". It's also present as the last comment in the ticket you linked. – Nico Van Belle Sep 26 '22 at 13:32
  • @NicoVanBelle But when I run with Spring Boot defaults I keep getting the error `Could not create an Appender of type [ch.qos.logback.classic.db.DBAppender]. ch.qos.logback.core.util.DynamicClassLoadingException: Failed to instantiate type ch.qos.logback.classic.db.DBAppender` so probably Spring Boot uses something newer! – hell_storm2004 Sep 26 '22 at 14:28

0 Answers