Update for log4j-core is listed, which is not in the dependency tree #686

Closed
sschuberth opened this issue Aug 24, 2022 · 7 comments

Comments

@sschuberth
Collaborator

In our project we recently migrated from log4j-core to logback (but kept log4j-api as the logger API for now). After the migration, ./gradlew dependencies / ./gradlew allDependencies (a custom task of ours) confirms there is no log4j-core anymore anywhere in the dependency tree. Still, running ./gradlew depUp lists

Any idea where this might be coming from?

@ben-manes
Owner

ben-manes commented Aug 24, 2022

Have you looked at the build environment dependencies yet? That’s how we check for plugin updates.

https://docs.gradle.org/2.10/release-notes.html#new-task-for-visualising-a-buildscript-dependencies

@sschuberth
Collaborator Author

https://docs.gradle.org/2.10/release-notes.html#new-task-for-visualising-a-buildscript-dependencies

Thanks for that hint! In our project ./gradlew :cli:buildEnvironment gives

classpath
+--- com.palantir.graal:com.palantir.graal.gradle.plugin:0.12.0
|    \--- com.palantir.graal:gradle-graal:0.12.0
+--- com.github.johnrengelman.shadow:com.github.johnrengelman.shadow.gradle.plugin:7.1.2
|    \--- gradle.plugin.com.github.johnrengelman:shadow:7.1.2
|         +--- org.jdom:jdom2:2.0.6
|         +--- org.ow2.asm:asm:9.2
|         +--- org.ow2.asm:asm-commons:9.2
|         |    +--- org.ow2.asm:asm:9.2
|         |    +--- org.ow2.asm:asm-tree:9.2
|         |    |    \--- org.ow2.asm:asm:9.2
|         |    \--- org.ow2.asm:asm-analysis:9.2
|         |         \--- org.ow2.asm:asm-tree:9.2 (*)
|         +--- commons-io:commons-io:2.11.0
|         +--- org.apache.ant:ant:1.10.11
|         |    \--- org.apache.ant:ant-launcher:1.10.11
|         +--- org.codehaus.plexus:plexus-utils:3.4.1
|         +--- org.apache.logging.log4j:log4j-core:2.17.1
|         |    \--- org.apache.logging.log4j:log4j-api:2.17.1
|         \--- org.vafer:jdependency:2.7.0
\--- org.apache.logging.log4j:log4j-core:{require 2.17.1; reject [2.0, 2.17.1)} -> 2.17.1 (c)

So there are two occurrences of log4j-core:

  1. In the shadow plugin. I guess this is a bug, as any plugin should only depend on a logger API, but not on a logger implementation.
  2. In the root of the classpath. Any idea where this is coming from?

In any case, I guess this is (again) not an issue with the versions plugin itself.
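
As an added example (not code from this issue, from Gradle, or from the gradle-versions-plugin), the following Python parses the tree that `./gradlew buildEnvironment` (or `dependencies`) prints, lists every path that leads to a chosen module, separates real dependency edges from Gradle's `(c)` constraint-only entries, and evaluates the rich-version text at the root (`{require ...; reject ...}`) against a concrete version. The embedded sample is the tree quoted above, trimmed to the branches that matter; the version ordering is a simplified numeric comparison, not Gradle's full version scheme (an assumption), and the depth-0 header filter is a heuristic.

```python
"""Locate a module in Gradle dependency-tree output and evaluate rich-version constraints.

Added example for the issue above; not Gradle's or the versions plugin's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the buildEnvironment output from the issue, trimmed.
SAMPLE = r"""classpath
+--- com.github.johnrengelman.shadow:com.github.johnrengelman.shadow.gradle.plugin:7.1.2
|    \--- gradle.plugin.com.github.johnrengelman:shadow:7.1.2
|         +--- org.ow2.asm:asm:9.2
|         +--- org.apache.logging.log4j:log4j-core:2.17.1
|         |    \--- org.apache.logging.log4j:log4j-api:2.17.1
|         \--- org.vafer:jdependency:2.7.0
\--- org.apache.logging.log4j:log4j-core:{require 2.17.1; reject [2.0, 2.17.1)} -> 2.17.1 (c)
"""

# Each tree column Gradle prints is exactly five characters wide.
PREFIX_RE = re.compile(r"^((?:[+\\]--- |\|    |     )*)(.*)$")
# "group:name:requested [-> resolved] [(c)|(*)|(n)]"
NODE_RE = re.compile(r"^(?P<coord>.+?)(?: -> (?P<resolved>\S+))?(?: \((?P<flag>[*cn])\))?$")
RANGE_RE = re.compile(r"^([\[\(])\s*([^,\s]*)\s*,\s*([^\]\)\s]*)\s*([\]\)])$")


@dataclass
class Hit:
    path: tuple[str, ...]   # group:name of every node from the configuration root to the match
    requested: str          # version text as declared (may be rich-version syntax)
    resolved: str           # version Gradle actually selected
    flag: str               # "" real edge, "c" constraint only, "*" subtree printed earlier, "n" not resolved


def find_module(tree: str, module: str) -> list[Hit]:
    """Return every occurrence of `module` (group:name) with the path that leads to it."""
    hits: list[Hit] = []
    stack: list[str] = []           # stack[d] is the node at depth d on the current branch
    for raw in tree.splitlines():
        if not raw.strip():
            continue
        prefix, text = PREFIX_RE.match(raw).groups()
        depth = len(prefix) // 5
        if depth == 0:
            if " " in text:          # heuristic: "> Task ..." banners etc. contain spaces, config names do not
                continue
            stack = [text]           # a configuration name such as "classpath" starts a new tree
            continue
        node = NODE_RE.match(text)
        parts = node.group("coord").split(":", 2)
        ga = ":".join(parts[:2])
        requested = parts[2] if len(parts) == 3 else ""
        del stack[depth:]            # leave the previous sibling's subtree
        stack.append(ga)
        if ga == module:
            hits.append(Hit(tuple(stack), requested, node.group("resolved") or requested,
                            node.group("flag") or ""))
    return hits


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric-only ordering (assumption: adequate for x.y.z schemes like log4j's)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def in_range(version: str, spec: str) -> bool:
    """Gradle range syntax: '[' / ']' inclusive, '(' / ')' exclusive, empty bound = open."""
    lo_br, lo, hi, hi_br = RANGE_RE.match(spec).groups()
    v = parse_version(version)
    if lo and (v < parse_version(lo) or (v == parse_version(lo) and lo_br != "[")):
        return False
    if hi and (v > parse_version(hi) or (v == parse_version(hi) and hi_br != "]")):
        return False
    return True


def satisfies(version: str, rich: str) -> bool:
    """Evaluate rich-version text such as "{require 2.17.1; reject [2.0, 2.17.1)}".

    require: lower bound that conflict resolution may raise; strictly: exact or range only;
    reject: excluded version or range; prefer: never fails resolution.
    """
    body, v = rich.strip(), parse_version(version)
    if not (body.startswith("{") and body.endswith("}")):
        return v >= parse_version(body)          # a bare version behaves like "require"
    for clause in body[1:-1].split(";"):
        keyword, _, arg = clause.strip().partition(" ")
        is_range = arg.startswith(("[", "("))
        if keyword == "require":
            ok = in_range(version, arg) if is_range else v >= parse_version(arg)
        elif keyword == "strictly":
            ok = in_range(version, arg) if is_range else v == parse_version(arg)
        elif keyword == "reject":
            ok = not (in_range(version, arg) if is_range else v == parse_version(arg))
        else:
            ok = True
        if not ok:
            return False
    return True


def describe(hit: Hit) -> str:
    kind = {"c": "constraint only, puts nothing on the classpath by itself",
            "*": "real dependency, subtree printed earlier"}.get(hit.flag, "real dependency")
    return f"{' > '.join(hit.path)}: requested {hit.requested}, resolved {hit.resolved} ({kind})"


if __name__ == "__main__":
    for h in find_module(SAMPLE, "org.apache.logging.log4j:log4j-core"):
        print(describe(h))
```

Run against a project's real output with `./gradlew buildEnvironment | python3 this_script.py`-style piping after swapping `SAMPLE` for `sys.stdin.read()`; the `(c)` hit alone does not mean log4j-core is on the build classpath, only that a constraint would govern its version if some plugin drags it in.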

@ben-manes
Owner

Correct. Gradle added a hack to force upgrades of log4j2 if detected on the classpath regardless of your configuration. It was surprising when detected, see #576

@sschuberth
Collaborator Author

So, as checkBuildEnvironmentConstraints = false is the default, the reporting of this update should go away if the shadow plugin would stop depending on log4j-core, correct?

@ben-manes
Owner

I think so

@sschuberth
Collaborator Author

I'm still surprised that this update is reported, because log4j-core is a transitive dependency of the shadow plugin. The versions plugin also does not report about "regular" outdated transitive dependencies, so why would it do so for plugins? Isn't that inconsistent?

@ben-manes
Owner

I think Gradle’s hack forces it to so that you don’t have that exploit leak in from a transitive dependency. Otherwise I don’t know why either

2 participants