Consideration for Third Party Jars which reference Apache log4j 1.x

When you perform a scan for the Apache log4j 1.x references, you can skip the following jar files as they do not use log4j 1.x classes during runtime:
Note: These jar files have logger fallback option available. They use java.util.logging.Logger framework in absence of log4j1.x jars in the class path.
  1. cc_component/1_0_06/componentCommon.jar
  2. commons_logging/1_0_4/commons-logging.jar
  3. jfreechart/0_9_18/jcommon-0.9.3.jar
  4. jfreechart/0_9_18/jfreechart-0.9.18-SI.jar
  5. velocity/1_4/velocity-1.4.jar
  6. cdsp/build_34/cdsp.jar
  7. ceu/2_3_00_20050721/ceubp.jar
  8. commons_transaction/1_1/commons-transaction-1.1.jar
  9. opensaml/1_1/opensaml-1.1.jar
  10. struts/2_5_26/commons-logging-1.2.jar
  11. dist-mbx/1_0/commons-logging-1.1.1.jar
  12. struts/2_5_26/freemarker-2.3.30.jar
  13. smartclient/12.1/isomorphic_core_rpc.jar
  14. smartclient/12.1/velocity-1.7.jar
  15. dist-mbx/1_0/com.ibm.websphere.appserver.thirdparty.jpa-1.1.9.jar
  16. dist-mbx/1_0/netty-all-4.1.50.Final.jar
  17. dist-mbx/1_0/netty-common-4.1.63.Final.jar
  18. ibm-b2b-meg/1_5/com.ibm.ws.xs.client_1.1.jar
When you perform a scan for the Apache log4j 1.x references, you can skip the following jar files as they do not extend or reference Apache log4j1.x classes in any way:
Note: Log4j 1.x appears only in the nomenclature of these jar files.
  1. saas-log-log4j-1.*.jar
  2. spring-boot-starter-log4j2-2.6.7.jar