log4j-bom leaks non-Log4j dependencies

[wilkinsona]

Description

log4j-bom inherits from logging-parent. Unfortunately, this results in log4j-bom managing a number of dependencies that are unrelated to a consumer's use of Log4j2. Those dependencies are:

• biz.aQute.bnd:biz.aQute.bnd.annotation:7.0.0
• com.github.spotbugs:spotbugs-annotations:4.8.6
• org.jspecify:jspecify:1.0.0
• org.osgi:osgi.annotation:8.1.0
• org.osgi:org.osgi.annotation.bundle:2.0.0
• org.osgi:org.osgi.annotation.versioning:1.1.2

org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1 is also being managed but this is inherited from the org.apache:apache pom and has already been reported and, pending an upgrade to use the new parent, fixed.

This unwanted dependency management can conflict with a user's own dependency management for those dependencies. Depending on how that dependency management is configured, it may override it leaving a consumer using an unexpected version of a dependency.

Configuration

Version: 2.21.0 and later. The list of dependencies above is from 2.24.1.

Operating system: Any

JDK: Any

Logs

N/A

Reproduction

Run mvn help:effective-pom in a project with the following pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.example</groupId>
	<artifactId>log4j-bom-problem</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>org.apache.logging.log4j</groupId>
				<artifactId>log4j-bom</artifactId>
				<version>2.24.1</version>
				<scope>import</scope>
				<type>pom</type>
			</dependency>
		</dependencies>
	</dependencyManagement>
</project>

The output will show a number of managed dependencies that aren't in the org.apache.logging.log4j group.

[vy]

@wilkinsona, thanks so much for the report! Managed dependencies that don't belong to the o.a.l.log4j group are indeed not wanted and should be removed. I will see what we can do about it.

Log4j inherits the BOM flattening logic from org.apache.logging:logging-parent, which

1. Inherits from org.apache:apache
2. Used by all Maven-based projects of Logging Services
3. Intentionally keeps the parent!

Quoting from the above linked pom.xml snippet:

Consider the following problem experienced in log4j-transform-maven-plugin:

1. log4j-transform-parent depends on log4j-transform-bom
2. log4j-transform-bom depends on logging-parent
3. logging-parent contains dependencyManagement, etc. that are used by log4j-transform-maven-plugin
4. Dependencies of log4j-transform-maven-plugin et al. is resolved at runtime
5. Though at runtime, the deployed log4j-transform-bom is used, which is flattened and hence doesn't have a parent!
6. Hence, at runtime, all logging-parent logic is lost

To avoid this, parents should better be kept while flattening BOMs.

In short, we decided to keep the parent since it was necessary for modules needing dependency resolution at runtime. We need to do some research on what would be the best way to approach this problem. @wilkinsona, your feedback is more than welcome.

[ppkarwasz]

@vy,

Should we close this one, since logging-parent version 12.0.0 has been released?

[vy]

Validated on 07590bc that the installed ~/.m2/repository/org/apache/logging/log4j/log4j-bom/2.25.0-SNAPSHOT/log4j-bom-2.25.0-SNAPSHOT.pom

1. Contains no parent
2. Contains no properties
3. Contains only log4j-* dependencies in dependencyManagement