Search code examples
springspring-bootlog4j

Getting Log4j-bom-2.12.1 in spring-boot after upgrading to 2.17.1

In prod, our project uses Spring Boot 2.2.6.RELEASE version. To migrate from Log4j-2.12.1, I followed the official spring suggestion and have added this in pom.xml <log4j2.version>2.17.1</log4j2.version> and also tried adding log4j-bom version in dependency management

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
        ... other dependencies including spring-boot-dependencies
    </dependencies>
</dependencyManagement>

When a build for the project is created the jar contains only log4j-2.17.1 version jars but during build its downloading log4j-bom-2.12.1 version.

Our infra team has restricted downloading of version 2.12.1 and thus builds are failing.

Is there any way to prevent downloading of log4j-bom version 2.12.1 ?

Stripped Down minimal version of spring to replicate the issue

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.6.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>logTester</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>logTester</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>11</java.version>
        <log4j2.version>2.17.1</log4j2.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-bom</artifactId>
                <version>2.17.1</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

enter image description here

Solution

  • TL;DR: use -Dlog4j2.version=2.19.0 on the command line.

    Before starting the build process Maven computes the effective POM of your project and all its ancestors.

    When building the effective model of your POM everything goes smoothly: your POM inherits log4j-bom from its parent, but the placeholder ${log4j2.version} is replaced with the value you gave in your POM (2.17.1).

    However, when Maven builds the effective POM of spring-boot-dependencies, it replaces ${log4j2.version} with the original value 2.12.1 specified in that POM. This does not have any influence on the dependencies of your project, but causes a download attempt of log4j-bom-2.12.1.pom.

    To prevent that from happening you must ensure that ${log4j2.version} is always replaced with 2.17.1. You can do this by adding:

    -Dlog4j2.version=2.17.1

    to your command line (cf. model interpolation).

    Remark: your infra team has no reason to block the download of pom dependencies, since they contain no code. They also do not need to blacklist all Log4j2 artifacts: only older versions of log4j-core have security vulnerabilities, the other artifacts are fine.