[FIXED] ResolutionException in Java 11

Issue

I've started writing a new application in Java 11 and while running the application I got this below error. I read about this issue and looks like it is a case of split package . But I'm not sure how can I fix this issue.

java.lang.module.ResolutionException: Modules slf4j.log4j12 and log4j export package org.apache.log4j to module kubernetes.model.common

I've below dependencies in pom for log4j and slf4j.

log4j

<dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.26</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>1.7.26</version>
    </dependency>

log4j2

When I tried to use log4j2 with following dependencies I got different error

 <dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>2.7</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.7</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-slf4j-impl</artifactId>
  <version>2.7</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.6</version>

java.lang.module.ResolutionException: Modules log4j.core and log4j.api export package org.apache.logging.log4j to module java.annotation

Solution

slf4j-log4j12 contains a class named org.apache.log4j.MDCFriend.

As I recall this is to fix a bug in log4j 1.x that occurred when the version detection pattern was changed in Java 9. Since Log4j 1.x reached the end of life in August 2015 the bug cannot be fixed there so SLF4J introduced this "fix". Unfortunately, using the org.apache.log4j package outside of the log4j jar is forbidden in the Java module system which is what is causing the problem you are seeing.

Also, note that the security bug CVE-2019-17571 has been created for Log4j 1.x. While your application probably won't be vulnerable to the problem it will show up on security scans.

You have a few options:

1. Create a bug report against SLF4J and hope that it gets fixed.
2. Create your own fork of slf4j-log4j12 and fix it yourself.
3. Upgrade from Log4j 1 to Log4j 2 (the solution I would recommend for a new application).
4. Use an SLF4J implementation other than Log4j 2.

Answered By - rgoers
Answer Checked By - Marilyn (JavaFixing Volunteer)