
Due to the Log4Shell vulnerability I would like to search and find out if my Java project is implementing Log4j directly or by dependencies, and which version.

I have, for example, projects with these dependency management tools:

  1. Maven project
  2. Apache Ivy project
  3. Old legacy project without any dependency management

How can I do this on these types of dependency management tools?

Details about the vulnerability (including mitigation steps):

CVE-2021-44228

Apache Log4j Security Vulnerabilities

Peter Mortensen
Jokkeri
  • Check the dependency tree for dependencies. Check your code. – Stultuske Dec 13 '21 at 08:05
    See a few places to check [here](https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file/70315976#70315976) on top of development areas – DuncG Dec 13 '21 at 13:24

3 Answers


You may run Maven dependency tree from the command line inside your project:

mvn dependency:tree

In the output do a search for log4j. If you find it, it might mean that your project is either directly including log4j, or another dependency is including log4j as a transitive dependency.

Tim Biegeleisen
    but keep in mind, having it as a dependency doesn't automatically mean you are using it. – Stultuske Dec 13 '21 at 08:21
    @Stultuske Good point, but then again some tools such as SonarQube might not care, if they deem that even including the library poses a risk. – Tim Biegeleisen Dec 13 '21 at 08:28
  • @TimBiegeleisen, how can we be sure about a library which does not show log4j in the hierarchy tree but uses it internally? For example: https://mvnrepository.com/artifact/commons-logging/commons-logging/1.1.1 – Magnum23 Dec 13 '21 at 11:06
  • @Magnum23 If `commons-logging` uses `log4j` my understanding is that it should show up in the dependency tree. – Tim Biegeleisen Dec 13 '21 at 11:08
  • @TimBiegeleisen `commons-logging` seems to have the `log4j` dependency as **optional**, so I think the developer has to explicitly declare it... – Jokkeri Dec 13 '21 at 11:52
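The dependency tree only lists what the build tool resolves: an optional dependency that was declared directly, a shaded JAR with log4j classes repackaged inside it, and the question's Ivy (~/.ivy2/cache) and legacy lib/ cases all need the artifacts themselves inspected. The scanner below is an added example, not code from this answer or from the Log4j project; it uses only the Python standard library and assumes that stock Maven-built log4j-core JARs record their version in the bundled pom.properties (hand-built copies are still reported, with the version marked unknown).

```python
import io
import os
import sys
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
# Stock Maven-built log4j-core JARs record their version here (assumption).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def inspect_archive(data: bytes, label: str) -> list:
    """Report every log4j-core copy inside one archive, recursing into nested
    JARs (e.g. WEB-INF/lib/*.jar in a WAR) so bundled or shaded copies that
    never appear in `mvn dependency:tree` are found as well."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip archive at all; nothing to inspect
    hits = []
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = "unknown"  # repackaged or hand-built JARs may omit it
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            hits.append({"path": label, "version": version,
                         "jndi_lookup": "yes" if JNDI_LOOKUP in names else "no"})
        for n in sorted(names):
            if n.lower().endswith(ARCHIVES):
                hits.extend(inspect_archive(zf.read(n), f"{label}!{n}"))
    return hits


def scan(root: str) -> list:
    """Walk root (lib/, ~/.ivy2/cache, ~/.m2/repository, ...) and list each log4j-core copy found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    hits.extend(inspect_archive(fh.read(), path))
    return hits


if __name__ == "__main__":
    for h in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{h['path']}: log4j-core {h['version']} (JndiLookup.class: {h['jndi_lookup']})")
```

Run it against the project's lib/ directory, the Ivy cache, or a built WAR; compare each reported version against the advisory linked in the question.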

If you use Maven and Linux, you can run:

mvn dependency:tree | grep log4j

This will check your dependencies and show results only if you have Log4j as a dependency.

And if it is a transitive dependency, and you want to check the dependency it came from, you can use:

mvn dependency:tree | grep -B20 log4j

It will show 20 lines before Log4j on the screen. If you still can't see the main dependency where it comes from, you can increase from 20 to 50, and so on until you find it.

Peter Mortensen
Marcos Echagüe

So far I'm satisfied with what Syft and Grype provide. These tools list all code dependencies of a given Docker image or a directory containing code, independent of the stack! Easy setup and quick execution.

It's Java-independent though and more generic than your specific question for a Maven-based solution. So it is up to you if it's of use or not.

Peter Mortensen
steffres
  • These seem really interesting, not only for finding log4j but in broader use, integrated as part of a CI/CD pipeline... – Jokkeri Dec 14 '21 at 06:28