The IntelliJ platform completely disables the log4j component

Since the end of last year  Log4Shell The explosion of loopholes , Many people and enterprises mark it as one of the most serious vulnerabilities in the past decade , Today, , Its influence continues .

2 month 10 Japan , Well known software development company JetBrains Announce the flag IntelliJ The platform is completely out of use Log4J frame , To adopt java.util.logging As a standard logging framework .

From questioning to abandonment

For reasons of abandonment ,Jetbrains Slightly helpless . It points out in the announcement , As early as a few months ago Log4j 2 The first time the vulnerability is exposed , He sent an article on the official blog to clarify , be based on IntelliJ Platform IDE Not subject to Log4j 2 The impact of the leak , Because they use Log4j 1.2 Fixed version of , It also deletes those that may have problems org.apache.log4j.net package . Besides, Log4j Of 1.x and 2.x There are also great differences between , Belong to two completely different code bases , Have incompatible API.

however , Even so , There is no human or automated security tool “ don 't worry ”. Many developers use it , Many automated security tools still directly IntelliJ Use the old version of Log4j The frame is marked as “ Safe hidden trouble ”.

Under this ,Jetbrains In order to avoid various security alerts and reduce potential attack risks , Its decision to completely disable Log4j   Frame and switch to java.util.logging As a standard logging framework . Will change in IntelliJ edition 2022.1 In the release .

thankfully ,IntelliJ The requirements for logging framework are quite low , The only function used is to log to the file and console , And configuring log levels for different parts of the code base . These functions can be used as JDK Part of the standard log API（java.util.logging） in , Therefore, it is discarded Log4j It will also be relatively more convenient .

Method

however , Due to a large number of third-party plug-ins （ Directly or indirectly ） Use Log4j,JetBrains Will release Log4j API Default implementation of , Redirect log output to java.util.logging, This function comes from SLF4J project . however , The default implementation does not fully implement all methods , So in order to maintain the full functionality of the plug-in , Developers may need to adapt their code to the new environment .

Developers can check whether their code or dependencies are used in the following ways Log4j, And use new methods to update the code ：

• If used in plug-in code Log4j： Switch to using standard platform logging API,com.intellij.openapi.diagnostic.Logger

• If used in your own code Log4j, This code is used in both plug-ins and other contexts ： You can switch to using SLF4J API.IntelliJ The platform passes java.util.logging Realized SLF4J API, Therefore, the platform fully supports SLF4J logging .

• If Log4j： Request the dependency maintainer to switch to SLF4J. If this is impossible , because log4j To SLF4J Bridging , Logging from dependencies is likely to continue to work .

• If you use Log4j API Custom use SLF4J Logging of dependencies ： Switch to using java.util.logging API To configure the handler and log level .

• If you use Log4j XML File configure logging in the test ： Switch to using .properties Configuration of files , Such as LogManager Described in the documentation . Use IntelliJ When the test framework runs tests , have access to idea.log.config.properties.file The path of the system property transfer logging property file .

These changes will be made in  221.4165.x EAP Released in version , Are you looking forward to ？

More details can be found in ：Removing log4j from the IntelliJ Platform | The JetBrains Platform Blog