Introduce SLF4J for logging

[diega]

PR description

Given the latest events regarding Log4J2 security issues and the advent of Besu modularization, it would be interesting to introduce an abstraction layer for logging so we don't force any implementation for future adopters.

This PR replaces every org.apache.logging.log4j.Logger instance with its analog org.slf4j.Logger but still respects every hard dependency on Log4J2 (now more easily identifiable). Also, a new helper was introduced to deal with situations where a org.apache.logging.log4j.core.LoggerContext was created outside the scope of SLF4J.

This is quite large to review so I kept different commits for the different decisions being made

• 4d7d1e4: just adds the slf4j API
• 909a195: this is the biggest one. 90% of it is just replacing the Logger instances, but there are also some other minor changes for respecting the same behavior of Log4J2 in SLF4j, e.g. wrap in an if (LOG.isXxxxEnabled) values that would have been resolved through lambdas in Log4J2.
• e2cf796: changes an specific Logger from Log4J2 for a regular one. If this a really wanted feature, we can add it into the logging definition and attach that appender to the enclosing class.
• 04e62d2: changes the default value for logging of the retesteth subcommand
• eea6494: mimics Log4J2 Configurator behavior but resolving the logging context through SLF4j
• ed79b73: deprecates FATAL value option and maps it to ERROR
• 22e2256 and 4ad2493: fixes Sonar issues
• 8536a95: add a changelog entry

Changelog

• I thought about the changelog and included a changelog update if required.

[garyschulte]

Thanks 🙏

I haven't gotten through the whole PR but a couple questions.

Also did you miss
./acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/node/BesuNode.java:84 ?

[diega]

@garyschulte I completely missed org.hyperledger.besu.tests.acceptance.dsl.node.BesuNode. As a first approach I used a SLF4J migrator which actually only changed the LOG declarations (it didn't fixed the imports) but evidently missed at least this one. I'll double check. Thanks for catching it.

[macfarla]

I checked about 50% of the files and managed to find one typo :)

[gezero]

What is your opinion on also including slf4j-lambda as another facade on top the SLF4J? They support the nice lambda syntax from log4j2. See

https://stackoverflow.com/a/48725206/550859
https://github.com/kwon37xi/slf4j-lambda

Personally, I would like us to wait with this change until SLF4J 2.0.0 gets out of alpha. The 1.x version has to support Java 6 and as such cannot support lambdas. The 2.0.0 is in alpha already for years, however, and they have more PRs open than closed, it seems.

I feel like the new ways of writing code, like for instance the lambda syntax when logging, reduces the cognitive load on people, so I would be unhappy to lose it.

[diega]

@gezero I think it would be easier to move to slf4j 2.x, when it's ready, starting from this PR than without it. In this PR there were 17 lambdas replaced with the is*Enabled pattern which we can get back pretty easily when the new API arrives.
Disclaimer: I'm not a big fan of adding dependencies 🙃

[gezero]

@diega I agree that the migration to SLF4J 2.0 might be easier from 1.x than from log4j2. What I find a concern is that SLF4J 2.0 release is nowhere near in sight. Therefore, we might be stuck on 1.x for an undefined amount of time. I suggest for consideration that the supplier pattern is superior to the previous pattern to the extent that it might not be worth migrating to 1.x at all. I am guessing the pattern is not used much, mostly because people are not aware of it.

In any case, I want to avoid blocking this effort. I can only imagine how much work it took to do all these changes. That is why I suggested to also include the slf4j-lambda.

[garyschulte]

I am 👍 for this PR, just waiting for consensus about if/what we should do for FATAL.

Will using FATAL simply map to ERROR if we do nothing?

[diega]

@garyschulte FATAL is still a valid org.apache.logging.log4j.Level value, so if it's set as a CLI param it will be resolved properly and set through o.h.b.u.Log4j2ConfiguratorUtil#setAllLevels, even if we don't mention it in the description of the option. The behavioral change comes at the actual logging output b/c through the SLF4J API it's not possible to log to that level so it will be no output for that case. Here's the class mapping SLF4J levels and Log4J2 levels

[shemnon]

I'm generally 👍 for this, but before we commit given the size and scope I would want sonar to read zero bugs, vulnerabilities, security, and code smells, all ideally fix with code and without any overrides. If some of the rules are bogus for how we work we should disable them in the scan itself rather than using code annotations.

[diega]

@shemnon sure, that makes perfect sense. I'll fix them and I'll come up with a discussion if there is some that couldn't be fixed

[diega]

I addressed most of the Sonar issues in 22e2256 and 4ad2493.
The missing code smell is about an usage of System.out in a place where the logging system isn't initialized yet, so I followed the decision made in BesuCommand.java:1490. Also, the 3 remaining Security Hotspots are pending for review within Sonar but I don't have enough permissions to do it. I think our use case for setting the logging level programmatically is safe (and the main intention of having a --logging CLI option) so we should approve those usages.

[shemnon]

Reviewed and waived the outstanding issues

• one instance of System.out.println - appropriate for logging config errors.
• Three instances of the logger being re-initialized. These calls are always tagged by sonar as low risk. There is no other way to do it.

If the merge doesn't add any other sonar issues I am +1 to merge.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

84.0% Coverage
1.4% Duplication

[garyschulte]

Thank you @diega for all your hard work on this. 🚢

[macfarla]

nit: this change will be in RC3 not RC2

[macfarla]

the only thing is the changelog entry should be in RC3 not RC2