Describe the problem
Some corporate security scanners flag any version of log4j-core*.jar by name, regardless of patch level. Removing Log4j 2 entirely eliminates the false positive.
The improvement you'd like to see
Migrate the current logging code to SLF4J + Logback
Expected Benefits
No more false positives for security scanners that have flagged all Log4j 2 libraries as critical security issues, regardless of patch level.
SLF4J provides a facade allowing us to swap the logging implementation in the future if we desire.
Additional Context
Risks
High Risk - LogFunctions.java uses advanced Log4j 2 Core API that has no direct SLF4J equivalent — requires Logback-specific API and careful testing of macro functions.
Medium Risk - JTextAreaAppender.java needs to be reimplemented as a Logback appender with a different discovery/registration mechanism.
Low Risk - The bulk, approx. 190 file import changes are import-only and can be validated by the compiler.
com.github.RPTools:advanced-dice-roller will need to change its logger to SLF4J (low risk)
com.github.RPTools:upnplib will need to change its logger to SLF4J (low risk)
Replace sentry-log4j with sentry-logback