Develop Reference

Spring boot parent log4j2 update - vulnerability fix

Trying to update log4j2 for legacy spring boot application (using Spring-boot-parent-1.5.6.RELEASE) - using multi module
Tried all the ways spring suggested in recent docs but none of them worked.
Options tried:
option 1 - Adding to properties
<properties>
<log4j2.version>2.17.0</log4j2.version>
</properties>
option 2 - adding starter-log4j2 and excluding core, later adding log4j core (latest)
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-log4j2</artifactid>
<version>2.6.1</version>
<exclusions>
<exclusion>
<groupid>org.apache.logging.log4j</groupid>
<artifactid>log4j-core</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.apache.logging.log4j</groupid>
<artifactid>log4j-core</artifactid>
<version>2.15.0</version>
</dependency>
option 3 - just the above one along with log4j2 api
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-log4j2</artifactid>
<exclusions>
<exclusion>
<groupid>org.apache.logging.log4j</groupid>
<artifactid>log4j-core</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.apache.logging.log4j</groupid>
<artifactid>log4j-api</artifactid>
<version>2.16.0</version>
</dependency>
<dependency>
<groupid>org.apache.logging.log4j</groupid>
<artifactid>log4j-core</artifactid>
<version>2.16.0</version>
</dependency>
But still the dependencies imported were slf4j-over-log4j(1.7.25), log4j(2.7, 2.11.1). Is there something else i could do.

Option 1 should work.
Build your project using mvn clean install
Check the contents of your jar file: go to your_project/target directory and run jar tf your-project.jarcommand. There should be only log4j-core-2.17.0.jar and no other versions of log4j-core
Edit: also update log4j-core version in your child modules

NoClassDefinitionFound exception org/apache/logging/log4j/util/ReflectionUtil

I am getting a no class definition found for org/apache/logging/log4j/util/ReflectionUtil.
I excluded the log4j-core version 2.4.1 that is included with spring boot 1.3.8 and want to substitute it with 2.17.1.
My understanding is ReflectionUtil should be in either log4j-core or log4j-api.
Why am I still getting the exception of ClassDefinitionNotFound?
Thanks!
Karl
Snippet of the related section of my pom.xml file below.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.1</version>
</dependency>

Upgrading to Spring boot to 2.5.5 creates issue with kafka libraries

I have upgraded spring boot version from 2.5.3 to 2.5.5 which has upgraded this libraries.
spring-kafka : from 2.7.4 to 2.7.7
spring-kafka-test : from 2.7.4 to 2.7.7
kafka-clients : from 2.7.1 to 2.8.1
spring-test : from 5.3.9 to 5.3.10
with this upgrade, I started getting an error:
java.lang.NoSuchMethodError:kafka.server.KafkaServer.(Lkafka/server/KafkaConfig;
Lorg/apache/common/kafka/utils/Time;Lscala/Option;/Lscala/collection/Seq;)V
I had tried a lot with changing the version as required by compatibility matrix of spring docs https://spring.io/projects/spring-kafka
Any idea what could be the issue?
pom.xml (spring-boot 2.5.5)
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.kafka</groupId>
<artifactId>spring-kafka</artifactId>
<version>2.7.7</version>
</dependency>
<dependency>
<groupId>org.springframework.kafka</groupId>
<artifactId>spring-kafka-test</artifactId>
<version>2.7.7</version>
</dependency>
<dependency>
<groupId>io.confluent</groupId>
<artifactId>kafka-connect-replicator</artifactId>
<version>5.3.4</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka_2.11</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>io.confluent</groupId>
<artifactId>kafka-avro-serializer</artifactId>
<version>5.5.1</version>
<exclusions>
<exclusion>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-clients</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<scope>test</scope>
</dependency>

Whenever you specify a version for kafka-clients rather than letting boot prescribe the version; you must also override the versions of the kafka jars used by the embedded broker.
https://docs.spring.io/spring-kafka/docs/current/reference/html/#update-deps

unable to remove tomcat jdbc dependency

I am building a spring-boot application using an alternative to tomcat related stuff (jetty instead of tomcat and hikariCP instead of tomcat-jdbc) and want to exclude them from my dependencies written in pom.xml
I did that for 2 of the packages as shown below -
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jetty</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-jdbc</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.zaxxer</groupId>
<artifactId>HikariCP</artifactId>
<version>2.6.0</version>
</dependency>
But there is some dependency which is including tomcat-jdbc as part of it.
Is there a way to debug that and find out which dependency is including tomcat jdbc as part of it?

mvn dependency:tree
If you run mvn dependency:tree, you will see that there are now a number of additional dependencies.

Spring BOM, commons-logging, Log4j2 and Maven dependency management

I'm building a parent POM for several modules. They are using Spring and Log4j2, so I want to define relevant configuration in section of parent POM and make use of new Spring BOM feature to avoid a mess with versions of Spring components.
According to documentation, this is the correct use of Spring BOM:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.2.0.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
.......
</dependencyManagement>
Now, I need to exclude dependency on commons-logging from spring-core. This is the right way to do it, according to Spring docs:
<dependencyManagement>
.......
<!-- Remove JCL from Spring deps -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.2.0.RELEASE</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Add Log4j2 with JCL bridge -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>${log4j2.version}</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${log4j2.version}</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jcl</artifactId>
<version>${log4j2.version}</version>
</dependency>
.......
</dependencyManagement>
Removing version number from the definition of spring-core dependency causes missing spring-core version error during compilation phase ('dependencies.dependency.version' for org.springframework:spring-core:jar is missing). Effectively, it requires me to re-specify Spring version number - something that Spring BOM was supposed to solve.
Do you know any way to make this work based on BOM version only?

Why don't you put the exclusion directly into the bom declaration:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>${spring.version}</version>
<type>pom</type>
<scope>import</scope>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
Or you could add commons-logging to dependencyManagement as well, if you want to directly control its version. This is what I did in a recent project:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>${spring.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>${commons-logging.version}</version>
</dependency>
</dependencies>
</dependencyManagement>

The log4j jcl bridge does not replace the commons-logging jar. Leave it in. It just creates a binding between commons logging and log4j2.