Skip to content

whitesource/log4j-detect-distribution

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits

.github/workflows

.github/workflows

 
 

cmd

cmd

 
 

fs

fs

 
 

hash

hash

 
 

operations

operations

 
 

records

records

 
 

screening

screening

 
 

supplements

supplements

 
 

utils

utils

 
 

.gitignore

.gitignore

 
 

.goreleaser.yml

.goreleaser.yml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

Log4jDetect

WhiteSource Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions containing the following known CVEs:

  • CVE-2021-45046
  • CVE-2021-44228
  • CVE-2021-4104
  • CVE-2021-45105
  • CVE-2021-44832
  • CVE-2020-9488
  • CVE-2020-9493
  • CVE-2022-23302
  • CVE-2022-23305
  • CVE-2022-23307

It provides the exact path to direct and indirect dependencies, along with the fixed version for speedy remediation.

The supported packages managers are:

  • gradle
  • maven
  • bundler

In addition, the tool will search for vulnerable files with the .jar,.gem extensions.

Prerequisites:

  • Download the log4j-detect binary based on your OS platform (see installation steps below)

NOTE

  1. For mac users, if the following message appears: "log4j-detect can't be opened because Apple cannot check it for malicious software", please follow the steps described here

  2. The relevant binaries must be installed for the scan to work, i.e:

    • gradle if the scanned project is a gradle project (contains a settings.gradle or a build.gradle file)
    • mvn if the scanned project is a maven project (contains a pom.xml file)
    • ruby/jruby and gem/jgem if the scanned project is a bundler project (contains a Gemfile.lock/gems.locked file)

  3. Building the projects before scanning will improve scan time and reduce potential scan errors

    • maven projects must be built prior to scanning, e.g. with the following command:

      mvn install

    • bundler projects must be built prior to scanning, e.g. with the following command:

      jbundler install

    • It is not necessary to run gradle build prior to scanning a gradle project, but that will greatly decrease the scan time

Usage

In order to scan your project, simply run the following command:

log4j-detect scan -d PROJECT_DIR

The folder can include source code that uses supported package managers in the project, as well binaries with the supported extensions mentioned above. It may error if it's run in a location which has protected folders it cannot access, such as Windows system folders.

Installation

Linux

ARCH=amd64 # or ARCH=arm64
wget "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.5.0-linux-$ARCH.tar.gz"
tar -xzvf log4j-detect-1.5.0-linux-$ARCH.tar.gz
chmod +x log4j-detect
./log4j-detect -h

Mac

ARCH=amd64 # or ARCH=arm64 
wget "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.5.0-darwin-$ARCH.tar.gz"
tar -xzvf log4j-detect-1.5.0-darwin-$ARCH.tar.gz
chmod +x log4j-detect
./log4j-detect -h

Windows

Invoke-WebRequest -Uri "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.5.0-windows-amd64.zip" -OutFile "log4j-detect.zip"
Expand-Archive -LiteralPath 'log4j-detect.zip'
cd log4j-detect
.\log4j-detect.exe -h

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

139 stars

Watchers

19 watching

Forks

25 forks
Report repository

Releases 7

log4j-detect-v1.5.0 Latest
Jan 19, 2022
+ 6 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages