SLF4J 2.0.0 requires logback 1.3.0

[mcondellva]

Describe the bug
SLF4J 2.0.0 requires logback 1.3.0+

Running 7.2.0 version of ODC gives the following warnings:

WARNING: SLF4J: No SLF4J providers were found.
WARNING: SLF4J: Defaulting to no-operation (NOP) logger implementation
WARNING: SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
WARNING: SLF4J: Class path contains SLF4J bindings targeting slf4j-api versions prior to 1.8.
WARNING: SLF4J: Ignoring binding found at [jar:file:/D:/Program%20Files/dependency-check/lib/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
WARNING: SLF4J: See http://www.slf4j.org/codes.html#ignoredBindings for an explanation.

And then fails to provide normal logged data besides the warnings above.

Version of dependency-check used
The problem occurs using version 7.2.0 of the cli

Log file
Warning output provided above.

To Reproduce
dependency-check.bat" --format JSON --prettyPrint --enableExperimental --out C:****\dc-output-20220914093309.json" --yarn "D:\Program Files\Yarn\bin\yarn.cmd" --scan ****

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
I downloaded logback-core-1.3.0.jar and logback-classic-1.3.0.jar and replaced the 1.2.11 versions with the updated versions and logging worked as it did in previous versions of ODC.

[mprins]

see #4786

[aikebah]

With your new setup I expect you would run into an error when you would try to create a debug logfile (when you use the -l / --log argument) just like the build of #4786

[mcondellva]

Quite possibly, I haven't tried it, but could test it if another data point is useful.
However, we have internal team tools that depend on the output to stdout/stderr that was no longer being produced with the older version of logback. Upgrading fixed that output for us.

I had missed the other issue and just wanted to make sure it was on the radar. It is easy enough for us to work around.

[aikebah]

@jeremylong what do you think? Maybe best to revert the slf4j update to 2.0.0 and release 7.2.1? I have not verified, but as there are direct references in its codebase to slf4j 1.x StaticLoggerBinder I suspect that the ant task will also suffer from logging issues due to the slf4j version bump.

[maxbeltr]

We have the same problem here...@mcondellva can you please post the steps of your workaround? Thanks!

[aikebah]

@maxbeltr
That would be

1. download the latest 1.3.x of logback-core (1.3.1 by now)
   https://repo1.maven.org/maven2/ch/qos/logback/logback-core/1.3.1/logback-core-1.3.1.jar
   and logback-classic
   https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.3.1/logback-classic-1.3.1.jar

2. copy both jars to the lib folder of your extracted dependency-check CLI

3. Remove logback-classic-1.2.11.jar and logback-core-1.2.11.jar from the lib folder of your extracted dependency-check CLI

[maxbeltr]

Thanks a lot!