Home > Enterprise >  Log4j - How to scan for log4j usages in maven projects along with project name?
Log4j - How to scan for log4j usages in maven projects along with project name?

Time:12-17

As part Log4jshell problem, we are trying to analyze which projects use which version of Log4j. I did try the following maven commands

mvn dependency:list | grep log4j
mvn dependency:tree -Dverbose
mvn dependency:tree -Dverbose | grep log4

But it lists information only like this

mvn dependency:tree | grep log4
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.1:provided
[INFO]  - org.apache.logging.log4j:log4j-api:jar:2.13.1:provided
[INFO] |  |   - log4j:log4j:jar:1.2.16:compile
[INFO] |  |   - log4j:log4j:jar:1.2.16:compile
[INFO] |   - log4j:log4j:jar:1.2.17:provided
[INFO]  - log4j:log4j:jar:1.2.17:compile
[INFO]  - org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO]  - org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO]  - org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO]  - org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile
[INFO] |   - org.apache.logging.log4j:log4j-slf4j-impl:jar:2.11.2:compile
[INFO] |   - org.apache.logging.log4j:log4j-jul:jar:2.11.2:compile
[INFO]  - org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile

I cannot find which project in our workspace it points to. Can anyone please help on this?

Note: There are several maven projects and there is a parent pom.xml for all the pom.xml files. So want to identify which maven projects are using log4j along with the name.

CodePudding user response:

Use the includes option

 mvn dependency:tree -Dincludes=org.apache.logging.log4j

example output:

[INFO] com.test:test:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-security:jar:2.5.3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.5.3:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.3:compile
[INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile

documentation

CodePudding user response:

Thanks for the answer. Yes it did answer to my question. I used the command like below and got the result.

mvn dependency:tree -Dincludes=org.apache.logging.log4j -DoutputFile=pwd/maven-report-log4j.txt -DappendOutput=true

  • Related