Upgrade to Log4j2 2.18.0

[wilkinsona]

No description provided.

[grgrzybek]

@wilkinsona hello

Let me share some experience from ops4j/org.ops4j.pax.logging#484 where I've also upgraded to Log4j2 2.18.0.

Because of:

• https://issues.apache.org/jira/browse/LOG4J2-3427
• https://issues.apache.org/jira/browse/LOG4J2-3366

implementations of org.apache.logging.log4j.util.PropertySource need now to announce the properties they support/handle.

I'm running Spring Boot 2.7.1 with Log4j2 upgraded to 2.18.0 and I'm getting #26953 again.

org.springframework.boot.logging.log4j2.SpringBootPropertySource has to explicitly implement:

• org.apache.logging.log4j.util.PropertySource#getPropertyNames()
• org.apache.logging.log4j.util.PropertySource#getProperty()

otherwise, log4j.shutdownHookEnabled property won't be taken into account.

[wilkinsona]

Thanks very much, @grgrzybek. Your integration tests for Log4j2 are evidently better than ours.

[wilkinsona]

It looks like implementing getProperty() and containsProperty() is sufficient. That's good news as those methods are available on the interface in 2.17 so we can address this in 2.6.x which will make it easy for those using Boot 2.x and overriding the version of Log4j2.

[wilkinsona]

I've opened #31719.

[grgrzybek]

Exactly - implementation of these two default methods will be sufficient.

BTW, from GH issues maintenance perspective - how do you mark an issue to be resolved in more than one version? For example if you (would you?) would like to upgrade to Log4j2 2.18.0 in SB 2.7.x as well.

[wilkinsona]

We assign the issue to the milestone for the earliest branch in which it'll be fixed. As part of merging the change forwards, issues are opened for the later branches into which the change is merged. We won't upgrade to Log4j2 2.18 in 2.7.x as we avoid minor dependency upgrades in maintenance releases, although we have made an exception in the past for CVEs.

[grgrzybek]

Thanks for clarification.