In my spring boot application, I'm using log4j2
.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
Which is by default picking up version -
<version>2.1.6.RELEASE</version>
This version of log4j2
internally uses log4j
:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.11.2</version>
<scope>compile</scope>
</dependency>
Recently it has been announced - log4j has some serious vulnerabilities till version 2.16
.
Also no version of log4j2
till now uses safer version - 2.17 of log4j
.
So I want to first try to update my pom to use 2.17
version of log4j
without changing parent log4j2
version.
I know it might not work & might give compilation issues, but I still want to try it first.
How can I do that?
CodePudding user response:
You can use <dependencyManagement>
:
<dependencyManagement>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>[2.17,)</version>
</dependency>
</dependencyManagement>
This configures the dependency log4j-core
(if it exists) to use version 2.17 or later (see Version Range References).
Put the dependencyManagement
section next to your dependencies
section.
CodePudding user response:
I would suggest to define log4j via bom file like this:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>2.17.0</version>
<scope>import</scope>
<type>pom</type>
</dependency>