
Adding log4j to build.gradle

I'm trying to create a simple Gradle Java project in Eclipse. I'm using the Log4j library, so my build.gradle looks like this:

plugins {
    // Apply the java-library plugin to add support for Java Library
    id 'java-library'
}

repositories {
    // Use jcenter for resolving dependencies.
    // You can declare any Maven/Ivy/file repository here.
    jcenter()
}

dependencies {
    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
    compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'
    
    // This dependency is exported to consumers, that is to say found on their compile classpath.
    api 'org.apache.commons:commons-math3:3.6.1'

    // This dependency is used internally, and not exposed to consumers on their own compile classpath.
    implementation 'com.google.guava:guava:28.2-jre'

    // Use JUnit test framework
    testImplementation 'junit:junit:4.12'
}


I added two lines to this file that I expected would download the log4j library:

compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'

But it looks like this does not help, because when I build the project with Gradle I get compile errors.

The compile configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 7.0. Please use the implementation or api configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
        at build_d9ael385qeshfiepcaw3797hi$_run_closure2.doCall(/home/a/Documents/workspace-sts/l4j/build.gradle:21)
        (Run with --stacktrace to get the full stack trace of this deprecation warning.)

> Task :compileJava FAILED

I suppose I declared log4j in a deprecated way (I took these lines from the log4j manual). But how do I declare log4j in build.gradle in order to use it in my project?

Build command:

./gradlew build --refresh-dependencies --warning-mode all

And my main class:

package l4j;
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;

public class aa {

    static Logger logger = Logger.getLogger(Log4jPropertiesConfigurationExample.class);
    public static void main(String[] args)
    {
        //PropertiesConfigurator is used to configure logger from properties file
        PropertyConfigurator.configure("log4j.properties");
 
        //Log in console in and log file
        logger.debug("Log4j appender configuration is successful !!");
    }

}

> I suppose I declared log4j in a deprecated way (I took these lines from the log4j manual).

Just because the manual/documentation says to do it one way doesn't necessarily mean it is accurate or correct. The documentation was likely written at a time when the compile configuration was not deprecated. With the introduction of the implementation and api configurations, there is no need for the compile configuration.

Simply switch compile to implementation and the deprecation warning will go away.

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'

If you stumble upon this answer, check for non-vulnerable versions of log4j-core before copying and pasting.

As of writing, 2.16.0 was the only version considered non-vulnerable to JNDI lookup attacks, which are extremely easy to exploit. You can get more data on this CVE Report. And detailed information on all versions affected by different security vulnerabilities on this Apache security disclosure page.

Versions 1.x should be safe from this particular exploit but might be vulnerable to other exploits depending on version. It's also End of Life since August 5, 2015 and might be a bad idea to use it.

This said, on modern Gradle, "implementation" inside a "dependencies" section should be used to pull in this dependency.

An example would be:

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'

The "short" alternative:

implementation 'org.apache.logging.log4j:log4j-core:2.16.0'

More recent versions can be found here.
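
A check that follows from both answers, as an added example that is not part of the original posts: a Python script that scans build.gradle text for Log4j declarations in either notation shown above and flags the deprecated compile configuration and any log4j-core below the 2.16.0 floor named in the last answer. The function names, the MIN_SAFE constant and the sample input are constructed for illustration.

```python
import re

# Floor taken from the answer above ("as of writing"); raise it as advisories change.
MIN_SAFE = (2, 16, 0)
DEPRECATED_CONFIGS = {"compile", "runtime"}
Q = r"""['"]([^'"]+)['"]"""  # one quoted value, captured
# Map notation:   compile group: 'g', name: 'n', version: 'v'
MAP_RE = re.compile(r"(\w+)\s*\(?\s*group:\s*" + Q + r"\s*,\s*name:\s*" + Q
                    + r"\s*,\s*version:\s*" + Q)
# Short notation: implementation 'g:n:v'
SHORT_RE = re.compile(r"""(\w+)\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^:'"]+)['"]""")

# Constructed sample, modelled on the build.gradle in the question.
SAMPLE = """\
dependencies {
    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
    compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'
    api 'org.apache.commons:commons-math3:3.6.1'
    implementation 'org.apache.logging.log4j:log4j-core:2.16.0'
}
"""

def parse_version(text):
    """Turn '2.13.3' into (2, 13, 3); a suffix such as '-jre' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def audit(build_gradle):
    """Return (line_no, artifact, version, problem) for each Log4j finding."""
    floor = ".".join(str(n) for n in MIN_SAFE)
    findings = []
    for no, line in enumerate(build_gradle.splitlines(), 1):
        code = line.split("//")[0]  # drop trailing comments
        for m in list(MAP_RE.finditer(code)) + list(SHORT_RE.finditer(code)):
            config, group, name, version = m.groups()
            if group != "org.apache.logging.log4j":
                continue
            if config in DEPRECATED_CONFIGS:
                findings.append((no, name, version,
                                 "deprecated configuration '%s'" % config))
            if name == "log4j-core" and parse_version(version) < MIN_SAFE:
                findings.append((no, name, version, "version below " + floor))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s %s: %s" % finding)
```

It inspects only directly declared dependencies; a log4j-core pulled in transitively has to be checked against the resolved dependency tree instead.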
