Anyway, as for now, I don’t think this is something urgent for https://openhospital.atlassian.net/projects/OP/versions/10024/tab/release-report-all-issues

It seems we have to convert to generic RollingFile appender and specify (in log4j.properties) the TimeBasedTriggeringPolicy

See https://howtodoinjava.com/log4j2/log4j2-rollingfileappender-example/#3-2-rolling-over-every-day

then probably the src/main/java/org/isf/utils/log/LogUtil.java will just import org.apache.log4j.RollingFileAppender

I found it when I was trying to move to Spring Boot 3.x; it comes up as unresolved.

See for example: https://stackoverflow.com/questions/30882982/in-log4j-1-2-to-log4j-2-migration-what-to-do-with-the-dailyrollingfileappender where it clearly states: A class with the same name DailyRollingFileAppender no longer exist in log4j 2.

It appears that the class resolves to ch.qos.reload4j:reload4j:1.2.22 which isn’t included in the pom.xml file that is part of https://github.com/informatici/openhospital-core/pull/1213 . Thus the class is not found and is unresolved.

In the original (pre Spring Boot 3.x PR) the pom.xml file adds this dependency:

The home page for reload4j can be found here: https://reload4j.qos.ch/ As this jar was meant to be a temporary replacement for the serious issues in log4j 1.x we should move off this version.

In https://openhospital.atlassian.net/browse/OP-1168 the library is only used to verify the instance of the appender in order to retrieve the the logfile path and nothing more.

The log4j actually used is the one called every time we use private static final Logger LOGGER = LoggerFactory.getLogger() that is slf4j instance which is using log4j-api-2.21.1 underneath.

Core pom.xml:

Open

So I don’t think there is a real security concern here, anyway it is good to remove that.

It should be enough to replace with import org.apache.log4j.RollingFileAppender;

How did you spot this?