
(doc) Description of Log4j 1 to Log4j 2 API migration #150


Merged
merged 1 commit into from
Jun 3, 2024

Conversation

ppkarwasz
Contributor

What's changed?

This documentation-only PR changes the description of the "Migrate Log4j 1.x to Log4j 2.x" recipe.

What's your motivation?

The description of the "Migrate Log4j 1.x to Log4j 2.x" recipe is incorrect.

Users might get the false impression that it mitigates the Log4Shell vulnerability. However:

  • Log4j 1 was never affected by Log4Shell.
  • only Log4j 2 Core was.

There are multiple reasons to migrate from Log4j 1; the first is that the library has been unsupported since 2015. Log4Shell mitigation is not one of them.

Member

@timtebeek timtebeek left a comment


Thanks a lot for pointing that out @ppkarwasz! We'll see this through as-is.

The recipe does bring folks to versions that no longer contain the Log4Shell vulnerability, through our use of version patterns that match the latest minor release.

```yaml
- org.openrewrite.java.dependencies.AddDependency:
    groupId: org.apache.logging.log4j
    artifactId: log4j-api
    version: 2.x
    onlyIfUsing: org.apache.log4j.*
- org.openrewrite.java.dependencies.AddDependency:
    groupId: org.apache.logging.log4j
    artifactId: log4j-core
    version: 2.x
    onlyIfUsing: org.apache.log4j.*
```

You're very right in pointing out that the Log4J 1.x branch has nothing to do with that, and it's then best to avoid confusion.
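The two points made in this thread (Log4j 1 was never affected by Log4Shell, and the recipe's `2.x` pattern pulls in a recent log4j-core) are easy to get backwards when auditing a dependency list. The following is an added example, not code from openrewrite or the Log4j project: it classifies Maven coordinates by Log4Shell exposure and shows what a `2.x` pattern would resolve to. Everything about it is assumed for illustration and labelled in the comments: the dependency list and the available-version list are constructed, the affected range (log4j-core from 2.0-beta9 up to but not including 2.15.0, with 2.12.2 and 2.3.1 as backported fixes) should be checked against the Log4j security page, and the "newest release with that major" semantics for `2.x` is my reading of the comment above, not openrewrite's documented resolution rule.

```python
"""Added example (not openrewrite's or Log4j's code): classify Maven
dependencies by Log4Shell exposure and show what a '2.x' pattern resolves to.
All inputs and version thresholds are assumptions, labelled below."""
import re
from dataclasses import dataclass

# Assumed facts about CVE-2021-44228 (Log4Shell); verify against the Log4j
# security page. The JNDI message lookup lived in log4j-core only, from
# 2.0-beta9 up to but not including 2.15.0; 2.12.2 (Java 7) and 2.3.1 (Java 6)
# are backported fixes. log4j-api and Log4j 1 (log4j:log4j) never shipped it.
LOG4SHELL_FIRST = "2.0-beta9"
LOG4SHELL_FIXED = "2.15.0"
BACKPORTED_FIXES = {"2.12.2", "2.3.1"}


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.-]*))?$")


def parse_version(v: str):
    """Split a Maven-style version into (numeric parts, qualifier).
    '2.0-beta9' -> ((2, 0), 'beta9'); '2.14.1' -> ((2, 14, 1), '')."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, (m.group(2) or "")


def version_key(v: str):
    """Sort key: pad to three components so 2.0 == 2.0.0, and rank a release
    above any pre-release with the same numbers (2.0-beta9 < 2.0)."""
    nums, qual = parse_version(v)
    nums = nums + (0,) * max(0, 3 - len(nums))
    return (nums, 1 if qual == "" else 0, qual)


def classify(dep: Dep) -> str:
    """One of: log4j1-eol, log4j-api, log4j2-other, log4shell-vulnerable,
    log4j-core-fixed (also used for log4j-core older than the lookup), not-log4j."""
    if (dep.group, dep.artifact) == ("log4j", "log4j"):
        return "log4j1-eol"  # unsupported since 2015; not a Log4Shell target
    if dep.group != "org.apache.logging.log4j":
        return "not-log4j"
    if dep.artifact == "log4j-api":
        return "log4j-api"  # the lookup code is in log4j-core, not the API jar
    if dep.artifact != "log4j-core":
        return "log4j2-other"  # bridges/bindings such as log4j-1.2-api, log4j-slf4j-impl
    if dep.version in BACKPORTED_FIXES:
        return "log4j-core-fixed"
    k = version_key(dep.version)
    if version_key(LOG4SHELL_FIRST) <= k < version_key(LOG4SHELL_FIXED):
        return "log4shell-vulnerable"
    return "log4j-core-fixed"


def resolve_pattern(pattern: str, available) -> str:
    """Assumed semantics of a 'MAJOR.x' version pattern: the newest release
    (no pre-release qualifier) with that major among the offered versions."""
    major = int(pattern.split(".")[0])
    releases = [v for v in available
                if parse_version(v)[0][0] == major and parse_version(v)[1] == ""]
    if not releases:
        raise LookupError(f"no release matches {pattern}")
    return max(releases, key=version_key)


# Constructed inputs: a project's declared dependencies and the versions a
# repository happens to offer. Both are invented for this example.
SAMPLE_DEPS = [
    Dep("log4j", "log4j", "1.2.17"),
    Dep("org.apache.logging.log4j", "log4j-api", "2.14.1"),
    Dep("org.apache.logging.log4j", "log4j-core", "2.14.1"),
    Dep("org.apache.logging.log4j", "log4j-core", "2.12.2"),
    Dep("org.apache.logging.log4j", "log4j-core", "2.17.2"),
    Dep("org.slf4j", "slf4j-api", "1.7.36"),
]
AVAILABLE = ["1.2.17", "2.14.1", "2.15.0", "2.17.2", "2.20.0", "3.0.0-alpha1"]


def audit(deps):
    """Map 'group:artifact:version' to its classification."""
    return {f"{d.group}:{d.artifact}:{d.version}": classify(d) for d in deps}


def migrated_core_version(pattern="2.x", available=AVAILABLE) -> str:
    """What 'version: 2.x' on log4j-core would pull in from AVAILABLE."""
    return resolve_pattern(pattern, available)


if __name__ == "__main__":
    for coord, verdict in audit(SAMPLE_DEPS).items():
        print(f"{coord:55} {verdict}")
    v = migrated_core_version()
    core = Dep("org.apache.logging.log4j", "log4j-core", v)
    print(f"2.x resolves to {v} -> {classify(core)}")
```

Running it on the constructed list flags only the `log4j-core:2.14.1` entry, while `log4j:log4j:1.2.17` is reported as end-of-life rather than as a Log4Shell exposure. That is the distinction the recipe description needed to make: migrating off Log4j 1 is worthwhile on its own, and it is the `2.x` resolution of log4j-core (here `2.20.0`) that lands on a fixed version, not the move away from 1.x.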

@timtebeek timtebeek merged commit f7c3277 into openrewrite:main Jun 3, 2024
2 checks passed
@okundzich
Member

However, we do need a recipe that mitigates Log4Shell with a description stating that since, otherwise, people cannot find it in the catalog. Would you be able to create one @timtebeek? I assume it's a subset of Log4j 1 to Log4j 2 migration?

timtebeek added a commit that referenced this pull request Jun 6, 2024
timtebeek added a commit that referenced this pull request Jun 7, 2024
* Create a separate Log4Shell recipe

As requested on #150 (comment)

* Update log4j.yml

to fix Copilot suggestions.
@ppkarwasz ppkarwasz deleted the patch-1 branch May 20, 2025 16:50

3 participants