After some experimenting, a relatively simple (?) way to ensure we no…

… longer include log4j-1.* in the war file. (IQSS/dataverse-security#48; also #8372)

pom.xml

@@ -29,7 +29,8 @@
  <payara.version>5.2021.5</payara.version>
  <postgresql.version>42.2.19</postgresql.version>
  <aws.version>1.11.762</aws.version>
- <slf4j.version>1.7.32</slf4j.version>
+ <slf4j.version>1.7.35</slf4j.version>
+ <reload4j.version>1.2.18.4</reload4j.version>
  <commons.io.version>2.11.0</commons.io.version>
  <commons.logging.version>1.2</commons.logging.version>
  <commons.lang3.version>3.12.0</commons.lang3.version>
@@ -225,16 +226,25 @@
  </dependency>
  <!-- In *theory* the log4j12 bridge should not be made convergent, as WE decide which way logs flow.
  Libraries should *only* rely on the api package. But sometimes... :-/ -->
+ <!-- Replacing the dependency slf4j-log4j12 with slf4j-reload4j, -->
+ <!-- in order to make sure we are getting rid of log4j for good... -->
+ <!-- it may not be necessary, to include slf4j-reload4j explicitly -->
+ <!-- but shouldn't hurt either (? L.A. - Jan. 2022) --> 
  <dependency>
  <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
+ <artifactId>slf4j-reload4j</artifactId>
  <version>${slf4j.version}</version>
  </dependency>
  <dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>jcl-over-slf4j</artifactId>
  <version>${slf4j.version}</version>
  </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jul-to-slf4j</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
 
  </dependencies>
  </dependencyManagement>
@@ -252,7 +262,25 @@
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-jdk14</artifactId>
  </dependency>
-
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jul-to-slf4j</artifactId>
+ </dependency>
+ <!-- reload4j is a drop-in security patch/replacement for log4j1. -->
+ <!-- (https://reload4j.qos.ch/) -->
+ <dependency>
+ <groupId>ch.qos.reload4j</groupId>
+ <artifactId>reload4j</artifactId>
+ <version>${reload4j.version}</version>
+ </dependency>
  <dependency>
  <groupId>org.passay</groupId>
  <artifactId>passay</artifactId>
@@ -573,6 +601,10 @@
  <!-- is still buggy. As an experiment, I'm using -->
  <!-- a patched version I built locally. -->
  <!-- (pull requests pending - L.A. -->
+ <!-- These locally-built XOAI libraries are still a serious debt -->
+ <!-- that needs to be addressed. Adding explicit "exclusion" entries -->
+ <!-- below for the immediate purpose of getting rid of the log4j library -->
+ <!-- that was being added to the project via these dependencies. (L.A. - Jan. 2022) -->
  <dependency>
  <groupId>com.lyncode</groupId>
  <artifactId>xoai-common</artifactId>
@@ -582,11 +614,23 @@
  <groupId>com.lyncode</groupId>
  <artifactId>xoai-data-provider</artifactId>
  <version>4.1.0-header-patch</version>
+ <exclusions>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ </exclusions>
  </dependency>
  <dependency>
  <groupId>com.lyncode</groupId>
  <artifactId>xoai-service-provider</artifactId>
  <version>4.1.0-header-patch</version>
+ <exclusions>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ </exclusions>
  </dependency>
  <!-- Added for AutoService -->
  <dependency>

src/main/java/edu/harvard/iq/dataverse/EjbDataverseEngine.java

@@ -51,7 +51,7 @@
 import javax.validation.ConstraintViolation;
 import javax.validation.ConstraintViolationException;
 
-import org.apache.log4j.lf5.LogLevel;
+//import org.apache.log4j.lf5.LogLevel;
 
 /**
  * An EJB capable of executing {@link Command}s in a JEE environment.

src/main/java/edu/harvard/iq/dataverse/util/bagit/OREMap.java

@@ -35,7 +35,7 @@
 import javax.json.JsonValue;
 
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.apache.log4j.lf5.LogLevel;
+//import org.apache.log4j.lf5.LogLevel;
 
 public class OREMap {