Remove LOG4J from builds.

[rgrunber]

• LOG4J does not appear to be used by any dependency

Signed-off-by: Roland Grunberg rgrunber@redhat.com

Prompted by GHSA-jfh8-c2jp-5v3q .

@fbricon @testforstephen , any idea why we kept this around. I was thinking for the underlying logging from m2e/buildship but neither Maven nor Gradle projects are having any issues logging verbosely without it.

If there is a good reason, we can keep it and apply the 1.x workaround, rgrunber/vscode-java@a163ee7 .

[testforstephen]

I use Dependency Analysis to search the dependents of org.apache.log4j, here are the results:

• org.apache.ant
• org.eclipse.xtext
• org.eclipse.xtext.xbase

Does eclipse side have any plan to address the issue?

[rgrunber]

Neither of org.eclipse.xtext or org.eclipse.xtext.base are included in the JDT-LS runtime tarball. As for org.apache.ant, looking in the META-INF/MANIFEST.MF, under Import-Package, I see org.apache.log4j;resolution:=optional, so it should be safe to leave it out.

Update : You can also follow the thread in https://www.eclipse.org/lists/cross-project-issues-dev/2021/Dec/index.html on the topic. Though from what I can see, the Eclipse platform (eg. eclipse-SDK-4.22-linux-gtk-x86_64.tar.gz) and some higher profile simrel projects aren't vulnerable. There are some projects under the simrel repository that are vulnerable that are addressing it.

[testforstephen]

Tried this PR with vscode-java-debug, vscode-java-test, vscode-pde together, no breaking was found. Also logback is logged normally.

LGTM.

[cormacrelf]

This is a good move regardless, but for completeness current releases of eclipse.jdt.ls only depend on and bundle log4j 1.x and 1.x is not vulnerable to the CVE-2021-44228. The GitHub advisory says all versions < 2.15.0 are affected, but it's technically only 2.0.0-beta9 onwards, according to https://logging.apache.org/log4j/2.x/security.html. This is a result of the lookups feature being a new addition in version 2.

The current release has a log4j jar in the plugins folder, but eclipse.jdt.ls/plugins/org.apache.log4j_1.2.15.v201012070815.jar is log4j version 1.2.15, i.e. 1.x. You can see how this would be confusing, especially as it is followed by a v2... string!

Getting rid of 1.x is nevertheless a good idea, because of e.g. CVE-2019-17571 and the fact that it hasn't been updated since 2015. But if you're auditing your systems for the new CVE, eclipse.jdt.ls should not be your highest priority.

Hope that helps anyone passing by.