security-logging-logback is not compatible with logback-classic version 1.3.x (partially)

[friedeas]

In version 1.3.0 of logback-classic the method isCyclic() was introduced for the interface ch.qos.logback.classic.spi.IThrowableProxy, trying to use the org.owasp.security.logging.mask.CRLFThrowableConverter in this environment will result in the following error message:

java.lang.AbstractMethodError: Receiver class org.owasp.security.logging.mask.CRLFThrowableProxy does not define or inherit an implementation of the resolved method 'abstract boolean isCyclic()' of interface ch.qos.logback.classic.spi.IThrowableProxy.

Spring Boot 3.1 is using logback-classic 1.4.7, this prevents the usage of the CRLFThrowableConverter in the current version 1.1.7.

I think a new release of security-logging-logback using logback-classic 1.4.x could address this issue.

[friedeas]

I tried to do the necessary changes here: https://github.com/augustd/owasp-security-logging/compare/master...friedeas:owasp-security-logging:develop

I needed to change more than expected because of the related changes

• SLF4J API update to 2.0.x
• Switch to Jakarta Servlet 5.0 API (javax.servlet to jakarta.servlet)
• Change the dependency in the security-logging-log4j module to log4j-slf4j2-impl (min. version required for this change 2.19.0)
• Some refactoring in security-logging-log4j because Log4jMarker is not a public class anymore since 2.19.0 and packages changed for some test classes

[augustd]

This is awesome! Thank you @friedeas !

Can you please send a pull request?

[friedeas]

Sure, please review my changes https://github.com/augustd/owasp-security-logging/pull/79 I did just one test with a Spring Boot 3.1.2 project, using this converters CRLFThrowableConverter, CRLFConverter and MaskingConverter