False positive commons-logging inclusion #2

Open
arixmkii opened this issue Jan 10, 2024 · 1 comment
Comments

@arixmkii

LogSource in commons-logging accessed log4j only through reflection: https://github.com/apache/commons-logging/blob/master/src/main/java/org/apache/commons/logging/LogSource.java#L78
So, if there is no dependency on log4j already, it will not be introduced. Moreover, there was only a single released version of the commons-logging jar published that included third-party loggers as its dependencies: version 1.1, https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1
Every other version had logger implementations as optional dependencies, so a correct build system would not add them to the dependency scope.

@arixmkii

There is a workaround using spring-jcl, which is commons-logging with the same package names, but without the LogSource class (which is deprecated anyway): https://github.com/spring-projects/spring-framework/tree/main/spring-jcl/src/main/java/org/apache/commons/logging
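
The optional-dependency point from the first comment, as an added example that is not part of the original issue or of any project mentioned in it: a Python check that lists which of a POM's direct dependencies Maven passes on to consumers and which it does not. The POM, its versions, the `example:*` coordinates and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Scopes that Maven propagates to projects consuming the artifact.
TRANSITIVE_SCOPES = {"compile", "runtime"}

# Constructed POM for illustration; not the real commons-logging POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>logging-facade</artifactId>
  <version>0.0.0-constructed</version>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>0.0.0-constructed</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>example</groupId><artifactId>core-util</artifactId>
      <version>0.0.0-constructed</version>
    </dependency>
    <dependency>
      <groupId>example</groupId><artifactId>test-harness</artifactId>
      <version>0.0.0-constructed</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

def _text(dep, tag, default):
    """Return the stripped text of a child element, or a default."""
    node = dep.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else default

def classify_dependencies(pom_xml):
    """Split direct dependencies into (inherited, not_inherited) by consumers."""
    root = ET.fromstring(pom_xml)
    inherited, not_inherited = [], []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = f"{_text(dep, 'groupId', '?')}:{_text(dep, 'artifactId', '?')}"
        optional = _text(dep, "optional", "false").lower() == "true"
        scope = _text(dep, "scope", "compile")  # Maven's default scope
        # Optional dependencies and non-transitive scopes stop at this artifact.
        if optional or scope not in TRANSITIVE_SCOPES:
            not_inherited.append(coord)
        else:
            inherited.append(coord)
    return inherited, not_inherited
```

A scanner that flags a consumer project for log4j would need the coordinate to appear in the first list, or the project to declare it directly.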
