添加 log4j 到 build.gradle 文件中。

huangapple
go评论71阅读模式
英文:

Adding log4j to build.gradle

问题

尝试在我的 Eclipse 中创建一个简单的 Gradle Java 项目。我正在使用 LOG4J 库,所以我的 build.gradle 文件如下:

plugins {
    // 应用 java-library 插件以添加对 Java 库的支持
    id 'java-library'
}

repositories {
    // 使用 jcenter 来解析依赖项
    // 你可以在这里声明任何 Maven/Ivy/文件仓库
    jcenter()
}

dependencies {
    implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
    implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'
    
    // 此依赖项将被导出给使用者,也就是说可以在它们的编译类路径中找到
    api 'org.apache.commons:commons-math3:3.6.1'
    
    // 此依赖项在内部使用,不会单独暴露给使用者的编译类路径
    implementation 'com.google.guava:guava:28.2-jre'
    
    // 使用 JUnit 测试框架
    testImplementation 'junit:junit:4.12'
}

我在这个文件中添加了两行代码,我期望这些代码能够下载 log4j 库:

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'

但看起来这并没有帮助,因为如果我使用 Gradle 构建项目,会出现编译错误:

compile 配置已经被弃用用于依赖声明。这在 Gradle 7.0 中将会导致错误。请改用 implementation 或 api 配置。更多信息请查阅升级指南:https://docs.gradle.org/6.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations

我猜想我以弃用的方式声明了 log4j(我从 log4j 手册中提取了这些代码)。但是如何在 build.gradle 中声明 log4j 以便在我的项目中使用呢?

构建命令:

./gradlew build --refresh-dependencies --warning-mode all

我的主类如下:

package l4j;

import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;

public class aa {

    static Logger logger = Logger.getLogger(Log4jPropertiesConfigurationExample.class);
    public static void main(String[] args)
    {
        // 使用 PropertiesConfigurator 来从属性文件配置日志记录器
        PropertyConfigurator.configure("log4j.properties");
 
        // 在控制台和日志文件中记录日志
        logger.debug("Log4j appender configuration is successful !!");
    }

}
英文:

Trying to create simple Gradle Java project in my Eclipse. I'm using LOG4J library, so my build.gradle looks:

plugins {
    // Apply the java-library plugin to add support for Java Library
    id 'java-library'
}

repositories {
    // Use jcenter for resolving dependencies.
    // You can declare any Maven/Ivy/file repository here.
    jcenter()
}

dependencies {
    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
    compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'
    
    // This dependency is exported to consumers, that is to say found on their compile classpath.
    api 'org.apache.commons:commons-math3:3.6.1'

    // This dependency is used internally, and not exposed to consumers on their own compile classpath.
    implementation 'com.google.guava:guava:28.2-jre'

    // Use JUnit test framework
    testImplementation 'junit:junit:4.12'
}

I added two lines in this file that I expect will allow to download log4j library:

compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.13.3'
compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.3'

But looks this not help, because in case I build project with gradle I have compile errors.

The compile configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 7.0. Please use the implementation or api configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
        at build_d9ael385qeshfiepcaw3797hi$_run_closure2.doCall(/home/a/Documents/workspace-sts/l4j/build.gradle:21)
        (Run with --stacktrace to get the full stack trace of this deprecation warning.)

> Task :compileJava FAILED

I suppose I declared log4j in deprecated way (I took these lines from log4j manual). But how to declare log4j in build.gradle in order to use them in my project?

Build command:

./gradlew build --refresh-dependencies --warning-mode all

And my main class:

package l4j;
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;

public class aa {

	static Logger logger = Logger.getLogger(Log4jPropertiesConfigurationExample.class);
    public static void main(String[] args)
    {
        //PropertiesConfigurator is used to configure logger from properties file
        PropertyConfigurator.configure("log4j.properties");
 
        //Log in console in and log file
        logger.debug("Log4j appender configuration is successful !!");
    }

}

答案1

得分: 6

如果您偶然发现了这个答案,请在复制粘贴之前检查log4j-core的非易受攻击版本。

截至撰写本文时,2.16.0是唯一被认为不容易受到JNDI查找攻击影响的版本,而这些攻击非常容易被利用。您可以在此CVE报告中获取有关此信息的更多数据。以及有关所有受不同安全漏洞影响的版本的详细信息,请参阅此Apache安全披露页面

1.x版本应该不会受到此特定漏洞的影响,但可能容易受到其他漏洞的攻击取决于版本。自2015年8月5日起,它也已经终止生命周期,使用它可能是一个不好的主意。

话虽如此,在现代Gradle中,应该使用“dependencies”部分内的“implementation”来引入此依赖项。

一个示例是:

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'

较为简洁的替代方式:

implementation 'org.apache.logging.log4j:log4j-core:2.16.0'

可以在此处找到更近期的版本

英文:

If you stumble upon this answer check for non-vulnerable versions of log4j-core before copying and pasting.

As of writing, 2.16.0 was the only version considered non-vulnerable to JNDI lookup attacks which are extremelly easy to exploit. You can get more data on this CVE Report. And detailed information on all versions affected by different security vulnerabilities on this Apache security disclosure page.

Versions 1.x should be safe of this particular exploit but might be vulnearable to other exploits depending on version. It's also End of Life since August 5, 2015 and might be a bad idea to use it.

This said, on modern Gradle, "implementation" inside a "dependencies" section should be used to pull in this dependency.

An example would be:

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'

The "short" alternative:

implementation 'org.apache.logging.log4j:log4j-core:2.16.0'

More recent versions can be found here.

答案2

得分: 4

我想我以被弃用的方式声明了 log4j(我从 log4j 手册中摘录了这些代码行)。

仅仅因为手册/文档中说某种方式是正确的,并不意味着它一定是准确或正确的。该文档很可能是在compile配置被弃用之前编写的。随着implementationapi配置的引入,不再需要compile配置。

只需将compile更改为implementation,就可以消除弃用警告。

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'
英文:

> I suppose I declared log4j in deprecated way (I took these lines from log4j manual).

Just because the manual/documentation says to do it one way doesn't necessarily mean it is accurate or correct. The documentation was likely written at the time where the compile configuration was not deprecated. With the the introduction of the implementation and api configurations, there is no need for the compile configuration.

Simply switch compile to implementation and the deprecation warning will go away.

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.16.0'
implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.16.0'

huangapple
  • 本文由 发表于 2020年10月3日 20:25:48
  • 转载请务必保留本文链接:https://go.coder-hub.com/64184240.html
  • eclipse
  • gradle
  • java
  • log4j
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定