Identifying log4j if it’s part of your software project
With so many software projects depending on a large number of external modules, having a quick way to detect what’s in use and what is vulnerable as part of a DevOps pipeline is vital. This article shows how to go about identifying log4j if it’s part of one of your software projects.
The recent log4shell vulnerability in log4j is just one example of a common issue facing software developers.
Here’s our quick guide on how to use Eze to detect if your software project is using a vulnerable version of log4j.
How to run Eze against a Java project:
Step 1) Install Java and Docker.
Step 2) In your command line, go to the directory where your project's pom.xml is located.
Step 3) Run Eze via Docker, replacing DIRECTORY with the path to that directory (it is mounted as /data inside the container):
docker pull riversafe/eze-cli:latest
docker run -v DIRECTORY:/data riversafe/eze-cli test
Step 4) Details of the vulnerabilities found are printed to the console, and a machine-readable eze-report.json is generated for CI systems.
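Eze does the scanning in the steps above; as an added example that is not part of Eze or this article, here is a small Python check that reads a project's pom.xml directly, resolves property-driven versions (a pattern a plain text search for "log4j-core 2.14" misses), and flags a log4j-core dependency whose version falls in the Log4Shell-affected range 2.0-beta9 to 2.14.1. SAMPLE_POM is constructed for the demo, and the check sees only direct dependencies, which is precisely the gap a dependency scanner closes.

```python
"""Added example, not Eze's own code: list the log4j artifacts a Maven pom.xml
declares directly, resolving ${property} versions, and flag log4j-core versions
in the Log4Shell affected range (2.0-beta9 to 2.14.1). Direct deps only."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; the log4j version comes from a <properties> entry.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>${log4j.version}</version></dependency>
  </dependencies>
</project>"""


def resolve(value, props):
    """Substitute ${name} placeholders from <properties>; unknown ones stay literal."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def version_tuple(version):
    """Numeric prefix of a version string, e.g. '2.0-beta9' -> (2, 0)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def find_log4j(pom_xml):
    """Return (artifactId, resolved version, flagged) for each log4j dependency."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():              # drop the POM namespace from every tag
        el.tag = el.tag.split("}")[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    hits = []
    for dep in root.findall("dependencies/dependency"):
        if dep.findtext("groupId", "").strip() != "org.apache.logging.log4j":
            continue
        artifact = dep.findtext("artifactId", "").strip()
        version = resolve(dep.findtext("version", "").strip(), props)
        v = version_tuple(version)
        # Conservative: log4j-core 2.x below 2.15.0 is flagged, as is any version
        # that could not be resolved. The fixed 2.12.2+ and 2.3.1+ backports also
        # fall inside this range and need manual review.
        flagged = artifact == "log4j-core" and (not v or (2, 0) <= v < (2, 15))
        hits.append((artifact, version, flagged))
    return hits


if __name__ == "__main__":
    for artifact, version, flagged in find_log4j(SAMPLE_POM):
        print(f"{artifact} {version} {'IN LOG4SHELL RANGE' if flagged else 'ok'}")
```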
You can find more on Eze here –