Completely remove log4j (#1466)

* Completely remove log4j

Prevent Gradle plugin from using log4j.

build.gradle

@@ -20,6 +20,9 @@ buildscript {
     // Lock buildscript dependencies.
     configurations.classpath {
       resolutionStrategy.activateDependencyLocking()
+
+      // See java_common.gradle for explanation.
+      exclude group: 'org.apache.logging.log4j'
     }
   }
 

gradle/dependency-locks/buildscript-classpath.lockfile

@@ -40,8 +40,6 @@ org.apache.ant:ant-launcher:1.9.7
 org.apache.ant:ant:1.9.7
 org.apache.commons:commons-compress:1.20
 org.apache.commons:commons-lang3:3.8.1
-org.apache.logging.log4j:log4j-api:2.11.0
-org.apache.logging.log4j:log4j-core:2.11.0
 org.apache.maven:maven-artifact:3.6.2
 org.apache.maven:maven-builder-support:3.6.2
 org.apache.maven:maven-model-builder:3.6.2

java_common.gradle

@@ -64,6 +64,8 @@ configurations {
     it.exclude group: 'org.mockito', module: 'mockito-core'
   }
   all.each {
+    // log4j has high-profile security vulnerabilities. It's a transitive dependency used by some
+    // Apache Beam packages. Excluding it does not impact our troubleshooting needs.
     it.exclude group: 'org.apache.logging.log4j'
   }
 }