Due to to log4shell vulnerability I would like to search and find out if my Java project is implementing log4j directly or by dependencies, and which version.
I have eg. projects with these dependency management tools:
- Maven project
- Ivy project
- Old legacy project with no dependency management
How to do this on these types of dependency management tools?
Details about the vulnerability (including mitigation steps):
Apache Log4j Security Vulnerabilities
CodePudding user response:
You may run Maven dependency tree from the command line inside your project:
mvn dependency:tree
In the output do a search for log4j. If you find it, it might mean that your project is either directly including log4j, or another dependency is including log4j as a transitive dependency.
CodePudding user response:
So far I'm satisfied what https://github.com/anchore/syft and https://github.com/anchore/grype provide. These tools list all code dependencies of a given docker image or a directory containing code - independent of the stack! Easy setup and quick execution.
But I'm still looking further into it. Does anyone know better tools or shortcomings of these I've mentioned?