I am getting the error
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Users/george/.gradle/caches/artifacts-26/filestore/org.apache.logging.log4j/log4j-slf4j-impl/2.0-beta8/jar/15984318e95b9b0394e979e413a4a14f322401c1/log4j-slf4j-impl-2.0-beta8.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Users/george/.gradle/caches/artifacts-26/filestore/org.slf4j/slf4j-log4j12/1.5.0/jar/aad1074d37a63f19fafedd272dc7830f0f41a977/slf4j-log4j12-1.5.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
In my build.gradle file I have the following line to include the jar log4j-slf4j-impl-2.0-beta8.jar (which I want to bind to LOG4J2)
compile 'org.apache.logging.log4j:log4j-slf4j-impl:2.0-beta8'
In another build.gradle file in a dependent project I have multiple lines similar to the following:
compile 'dcm4che:dcm4che-core:2.0.23'
Now dcm4che includes a dependency on log4j version 1 (slf4j-log4j12) and this is therefore being included in the overall project.
Here is a snippet from the Gradle dependency tree:
|    +--- dcm4che:dcm4che-core:2.0.23
|    |    \--- org.slf4j:slf4j-log4j12:1.5.0
|    |         +--- org.slf4j:slf4j-api:1.5.0 -> 1.7.5
|    |         \--- log4j:log4j:1.2.13 -> 1.2.14
I have read the link suggested in the warning but I cannot figure out how to make my app bind to log4j2 using the jar that I want. The Gradle documentation on dependency management has not really made it any clearer.
SLF4J ships with a module called log4j-over-slf4j. It allows log4j users to migrate existing applications to SLF4J without changing a single line of code but simply by replacing the log4j.jar file with log4j-over-slf4j.
So essentially, SLF4J does not replace log4j; they both work together. It removes the dependency on log4j from your application and makes it easy to replace it in the future with the more capable library.
Does the SLF4J API Mitigate the Vulnerability? No. Using Log4j 2.x via the SLF4J Application Programming Interface does not mitigate the vulnerability.
Put this code in your build.gradle file
configurations.all { exclude group: 'org.slf4j', module: 'slf4j-log4j12' }
The solution is to add the following in the build.gradle.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        // Redirect any requested module named 'log4j' to the SLF4J bridge
        if (details.requested.name == 'log4j') {
            details.useTarget "org.slf4j:log4j-over-slf4j:1.7.5"
        }
    }
}
The result is that anything that normally requires log4j will use log4j-over-slf4j instead.
I also added:
if (details.requested.name == 'commons-logging') { details.useTarget "org.slf4j:jcl-over-slf4j:1.7.5" }
for completeness to cover commons logging.
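A check that mirrors the warning in the question, as an added example that is not part of the original posts: it lists the jars on a class path that contain org/slf4j/impl/StaticLoggerBinder.class and passes only when the single binding found is the wanted one. The function names are hypothetical, and the jars are constructed stand-ins (empty class files written to a temporary directory) named after the ones in the warning.

```python
import tempfile
import zipfile
from pathlib import Path

# The class named in the SLF4J warning; every jar that contains it is one binding.
BINDER = "org/slf4j/impl/StaticLoggerBinder.class"

def find_slf4j_bindings(jars):
    """Return the jars, in class-path order, that contain an SLF4J binding."""
    found = []
    for jar in map(Path, jars):
        if jar.suffix != ".jar" or not zipfile.is_zipfile(jar):
            continue  # skip directories, missing files and non-archives
        with zipfile.ZipFile(jar) as zf:
            if BINDER in zf.namelist():
                found.append(jar)
    return found

def check_class_path(jars, wanted_prefix):
    """Return (ok, bindings); ok only if exactly one binding exists and it is the wanted one."""
    bindings = find_slf4j_bindings(jars)
    ok = len(bindings) == 1 and bindings[0].name.startswith(wanted_prefix)
    return ok, bindings

def make_jar(directory, name, entries):
    """Write a constructed stand-in jar holding empty entries (sample data only)."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return path

def demo():
    """Run the check on the class path from the warning, then on the one left after the exclude."""
    with tempfile.TemporaryDirectory() as d:
        log4j2 = make_jar(d, "log4j-slf4j-impl-2.0-beta8.jar", [BINDER])
        log4j1 = make_jar(d, "slf4j-log4j12-1.5.0.jar", [BINDER])
        api = make_jar(d, "slf4j-api-1.7.5.jar", ["org/slf4j/Logger.class"])
        ok_before, before = check_class_path([log4j2, log4j1, api], "log4j-slf4j-impl")
        ok_after, after = check_class_path([log4j2, api], "log4j-slf4j-impl")
        return ok_before, [p.name for p in before], ok_after, [p.name for p in after]

if __name__ == "__main__":
    print(demo())
```

Run against the jars of a built distribution, a failing result names every jar that still carries a binding, which is the list to trace back through the Gradle dependency tree.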