2.22.0
- Release date: 2023-11-17
This release provides a CycloneDX Software Bill of Materials (SBOM) along with each artifact and contains bug fixes addressing issues in the JPMS & OSGi infrastructure overhauled in 2.21.0, dependency updates, and some other minor fixes and improvements.
CycloneDX Software Bill of Materials (SBOM)
This is the first Log4j release that provides a CycloneDX Software Bill of Materials (SBOM) along with each artifact.
Generated SBOMs are attached as artifacts with cyclonedx classifier and XML extensions, that is, <artifactId>-<version>-cyclonedx.xml.
They contain vulnerability-assertion references to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains.
This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml
SBOM generation is streamlined by logging-parent; see its website for details.
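A consumer of these SBOMs can confirm that the vulnerability-assertion references in a downloaded file point at the VDR URL given above before feeding it to a scanner. The following is an added example, not code from the Log4j project; the sample SBOM is constructed and trimmed (its namespace version and the placement of the reference under the metadata component are assumptions), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# VDR location stated in the release notes.
EXPECTED_VDR = "https://logging.apache.org/cyclonedx/vdr.xml"

# Constructed sample, trimmed to the elements this check reads; a real
# <artifactId>-<version>-cyclonedx.xml file carries far more detail.
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="library">
      <group>org.apache.logging.log4j</group>
      <name>log4j-core</name>
      <version>2.22.0</version>
      <externalReferences>
        <reference type="website"><url>https://logging.apache.org/log4j/2.x/</url></reference>
        <reference type="vulnerability-assertion"><url>https://logging.apache.org/cyclonedx/vdr.xml</url></reference>
      </externalReferences>
    </component>
  </metadata>
</bom>"""


def local(tag):
    """Strip the XML namespace so the check works across CycloneDX versions."""
    return tag.rsplit("}", 1)[-1]


def vdr_references(sbom_xml):
    """Return the URLs of all vulnerability-assertion external references."""
    root = ET.fromstring(sbom_xml)
    urls = []
    for el in root.iter():
        if local(el.tag) == "reference" and el.get("type") == "vulnerability-assertion":
            urls += [c.text.strip() for c in el if local(c.tag) == "url" and c.text]
    return urls


def check_vdr(sbom_xml, expected=EXPECTED_VDR):
    """Return (ok, problems): ok only if every VDR reference is the expected URL."""
    urls = vdr_references(sbom_xml)
    problems = [] if urls else ["no vulnerability-assertion reference found"]
    for url in urls:
        if urlsplit(url).scheme != "https":
            problems.append(f"not https: {url}")
        elif url != expected:
            problems.append(f"unexpected VDR location: {url}")
    return (not problems, problems)


if __name__ == "__main__":
    print(check_vdr(SAMPLE_SBOM))
```

The check only validates where the SBOM points; it does not fetch or verify the VDR itself, and the SBOM file should still be obtained from a trusted repository.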
Changed
- Change the order of evaluation of FormattedMessage formatters. Messages are evaluated using java.util.Format only if they don’t comply with the java.text.MessageFormat or ParameterizedMessage format. (1223)
- Change default encoding of HTTP Basic Authentication to UTF-8 and add log4j2.configurationAuthorizationEncoding property to overwrite it. (1970)
Fixed
- Harden deserialization process by requiring the usage of FilteredObjectInputStream on Java 8 and ObjectInputFilter on Java 9+ to deserialize custom classes. (1906)
- Fix MDC pattern converter causing issues for %notEmpty (1922)
- Export missing OSGi & JPMS modules in log4j-layout-template-json and log4j-1.2-api (1895)
- Fix spring-test dependency scope change (LOG4J2-3675)
- Fix JPMS descriptors causing jlink issues (1896)
- Add missing Implementation- and Specification- entries to MANIFEST.MF (implemented by logging-parent version 10.3.0 update) (1923)
- Fix NotSerializableException thrown when Logger is serialized with a ReusableMessageFactory (1884)
Removed
- Removed unused FastDateParser which was causing unnecessary heap overhead (LOG4J2-3672, 1848)
Updated
- Update com.fasterxml.jackson:jackson-bom to version 2.16.0 (1974)
- Update com.github.luben:zstd-jni to version 1.5.5-10 (1940)
- Update com.google.guava:guava to version 32.1.3-jre (1875)
- Update io.netty:netty-bom to version 4.1.101.Final (1960)
- Update org.eclipse.persistence:org.eclipse.persistence.jpa to version 2.7.13 (1900)
- Update org.fusesource.jansi:jansi to version 2.4.1 (1907)
- Update org.mongodb:bson to version 4.11.1 (1957)
- Update org.springframework:spring-framework-bom to version 5.3.30
- Update org.springframework.boot:spring-boot to version 2.7.17 (1874)
- Update org.springframework:spring-framework-bom to version 5.3.31 (1973)
- Update org.zeromq:jeromq to version 0.5.4 (1878)