GEODE-10544: Upgrade Apache Log4j from version 2.17.2 to 2.25.3 to remediate security vulnerability CVE-2025-68161. (#7978)

* GEODE-10544: Upgrade Log4j from 2.17.2 to 2.25.3

- Updated Log4j version to 2.25.3 in dependency constraints
- Added GraalVM annotation processor configuration for geode-log4j
- Migrated test dependencies from log4j-core::tests to log4j-core-test artifact
- Updated 20 integration test files to use new package structure:
  * org.apache.logging.log4j.junit -> org.apache.logging.log4j.core.test.junit
  * org.apache.logging.log4j.test.appender -> org.apache.logging.log4j.core.test.appender
- Suppressed deprecation warning for Message.getFormat() method
- Added exclusions for Maven transitive dependencies to resolve Guava conflicts
- All quality checks pass: build, spotlessCheck, rat, checkPom, japicmp

* Fix integration test failures for Log4j 2.25.3

- Exclude JUnit 5.13.2 from log4j-core-test (conflicts with project's 5.8.2)
- Exclude assertj-core 3.27.3 from log4j-core-test (conflicts with Geode's 3.22.0)
- Add detailed comments explaining the exclusions

This fixes the 26 integration test failures that occurred after upgrading
Log4j from 2.17.2 to 2.25.3. The failures were caused by version conflicts
in transitive dependencies brought in by log4j-core-test.

Tested: ./gradlew :geode-log4j:integrationTest passes successfully

* Update build.gradle comments to explain all 5 dependency exclusions

- Document maven-core exclusion (Guava conflict)
- Document log4j-api-test exclusion (brings JUnit 5.13.2)
- Document junit.jupiter/platform exclusions (version mismatch with 5.8.2)
- Clarify all exclusions are required for support/1.15 branch

Author: JinwooHwang

build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy

@@ -39,7 +39,7 @@ class DependencyConstraints {
     deps.put("fastutil.version", "8.5.8")
     deps.put("javax.transaction-api.version", "1.3")
     deps.put("jgroups.version", "3.6.20.Final")
-    deps.put("log4j.version", "2.17.2")
+    deps.put("log4j.version", "2.25.3")
     deps.put("micrometer.version", "1.9.1")
     deps.put("shiro.version", "1.13.0")
     deps.put("slf4j-api.version", "1.7.32")
@@ -215,6 +215,7 @@ class DependencyConstraints {
     dependencySet(group: 'org.apache.logging.log4j', version: get('log4j.version')) {
       entry('log4j-api')
       entry('log4j-core')
+      entry('log4j-core-test')
       entry('log4j-jcl')
       entry('log4j-jul')
       entry('log4j-slf4j-impl')

geode-log4j/build.gradle

@@ -21,6 +21,14 @@ plugins {
   id 'jmh'
 }
 
+// Suppress Log4j 2.25.3 GraalVM annotation processor warning
+tasks.withType(JavaCompile) {
+  options.compilerArgs.addAll([
+    '-Alog4j.graalvm.groupId=org.apache.geode',
+    '-Alog4j.graalvm.artifactId=geode-log4j'
+  ])
+}
+
 dependencies {
   api(platform(project(':boms:geode-all-bom')))
 
@@ -63,8 +71,23 @@ dependencies {
     exclude module: 'geode-core'
   }
   integrationTestImplementation('junit:junit')
-  integrationTestImplementation('org.apache.logging.log4j:log4j-core::tests')
-  integrationTestImplementation('org.apache.logging.log4j:log4j-core::test-sources')
+  // Log4j 2.20.0+ moved test utilities to log4j-core-test with new package names:
+  // org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
+  // org.apache.logging.log4j.test → org.apache.logging.log4j.core.test
+  // log4j-core-test 2.25.3 requires the following exclusions:
+  // - assertj-core 3.27.3: conflicts with Geode's 3.22.0 custom assertions
+  //   (NoSuchMethodError: CommonValidations.failIfEmptySinceActualIsNotEmpty)
+  // - maven-core 3.9.10: causes Gradle dependency resolution conflict with Guava
+  // - log4j-api-test: brings JUnit 5.13.2 transitively
+  // - junit.jupiter/platform 5.13.2: conflicts with project's JUnit 5.8.2
+  //   (JUnitException: OutputDirectoryProvider not available due to version mismatch)
+  integrationTestImplementation('org.apache.logging.log4j:log4j-core-test') {
+    exclude group: 'org.apache.maven'
+    exclude group: 'org.apache.logging.log4j', module: 'log4j-api-test'
+    exclude group: 'org.assertj', module: 'assertj-core'
+    exclude group: 'org.junit.jupiter'
+    exclude group: 'org.junit.platform'
+  }
   integrationTestImplementation('org.assertj:assertj-core')
 
   distributedTestImplementation(project(':geode-junit')) {

geode-log4j/src/integrationTest/java/org/apache/geode/alerting/log4j/internal/impl/AlertAppenderIntegrationTest.java

@@ -36,7 +36,7 @@
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/BothLogWriterAppendersIntegrationTest.java

@@ -26,7 +26,7 @@
 import java.net.URL;
 
 import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/CacheWithCustomLogConfigIntegrationTest.java

@@ -30,8 +30,8 @@
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.LoggerContextRule;
-import org.apache.logging.log4j.test.appender.ListAppender;
+import org.apache.logging.log4j.core.test.appender.ListAppender;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/ConfigurationWithLogLevelChangesIntegrationTest.java

@@ -29,7 +29,7 @@
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/ConsoleAppenderWithLoggerContextRuleIntegrationTest.java

@@ -28,7 +28,7 @@
 import org.apache.logging.log4j.core.appender.ConsoleAppender;
 import org.apache.logging.log4j.core.appender.DefaultErrorHandler;
 import org.apache.logging.log4j.core.appender.OutputStreamManager;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/DistributedSystemWithBothLogWriterAppendersIntegrationTest.java

@@ -27,7 +27,7 @@
 import java.util.Properties;
 
 import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/DistributedSystemWithLogLevelChangesIntegrationTest.java

@@ -31,7 +31,7 @@
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;

geode-log4j/src/integrationTest/java/org/apache/geode/logging/log4j/internal/impl/FastLoggerIntegrationTest.java

@@ -30,7 +30,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.Marker;
 import org.apache.logging.log4j.MarkerManager;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;