Identifying log4j in apps using Eze

Anthony McKale

Identifying log4j if it’s part of your software project

With so many software projects depending on a large number of external modules, having a quick way to detect what is in use, and which of it is vulnerable, as part of a DevOps pipeline is vital. This article shows how to identify log4j if it is part of one of your software projects.

The recent log4shell vulnerability in log4j is just one example of a common issue facing software developers.

Here’s our quick guide on how to use Eze to detect if your software project is using a vulnerable version of log4j.

How to run Eze against a Java project –

Step 1) Install Java and Docker.

Step 2) In your command line, change to the directory where your project's pom.xml is located.

Step 3) Pull and run the Eze Docker image, replacing DIRECTORY with the absolute path of the project directory that contains pom.xml –

docker pull riversafe/eze-cli:latest

docker run -v DIRECTORY:/data riversafe/eze-cli test

[Screenshot: main Eze output, showing a critical issue in a Java dependency]

Step 4) Below the summary, Eze prints more detail on each vulnerability found and writes a machine-readable eze-report.json that CI systems can consume.

[Screenshot: JSON report output, showing detail for log4j and related vulnerabilities]
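As an added example (not part of this article or of the Eze project), the following Python script shows the first half of what a dependency scanner does for a Maven project: it parses pom.xml, resolves ${property} version placeholders, and flags any org.apache.logging.log4j:log4j-core declaration older than a configurable minimum version. The sample pom.xml content, the 2.17.1 threshold and the output format are constructed for the example and are assumptions, not values taken from the article. The script only sees dependencies declared directly in the file: a version inherited from a parent POM or BOM is reported as "unresolved", and transitive dependencies do not appear at all, which is exactly why the pipeline should run a tool such as Eze that inspects the resolved dependency tree rather than a text check like this one.

```python
"""Flag log4j-core declared in a Maven pom.xml (added example, not Eze's code)."""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOG4J_GROUP = "org.apache.logging.log4j"

# Assumption for this example: versions older than this are flagged for review.
MIN_SAFE_LOG4J = "2.17.1"

# Constructed sample pom.xml; the log4j version is pinned through a property.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    Numeric segments compare numerically and are padded to three places;
    a pre-release tag (beta9, rc1) sorts before the corresponding final release.
    """
    numeric, tag = [], ""
    for part in re.split(r"[.-]", version.strip()):
        if part.isdigit() and not tag:
            numeric.append(int(part))
        else:
            tag = part
    while len(numeric) < 3:
        numeric.append(0)
    return tuple(numeric[:3]) + ((0, tag) if tag else (1, ""))


def resolve(value, props):
    """Substitute ${name} placeholders from <properties>; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")


def find_log4j(pom_xml, min_safe=MIN_SAFE_LOG4J):
    """Return every log4j 2 dependency declared in the POM with a review status."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {
        child.tag.split("}")[-1]: (child.text or "").strip() for child in props_el
    }
    findings = []
    # iter() also walks <dependencyManagement> and <profiles>, not just <dependencies>.
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = (dep.findtext("m:groupId", "", NS) or "").strip()
        if group != LOG4J_GROUP:
            continue
        artifact = (dep.findtext("m:artifactId", "", NS) or "").strip()
        version = resolve(dep.findtext("m:version", "", NS), props).strip()
        if not version or "${" in version:
            status = "unresolved"  # managed by a parent/BOM: check the resolved tree
        elif artifact == "log4j-core" and version_key(version) < version_key(min_safe):
            status = "flagged"
        else:
            status = "ok"
        findings.append({"artifact": artifact, "version": version, "status": status})
    return findings


if __name__ == "__main__":
    # Usage: python check_log4j.py [path/to/pom.xml]; without an argument the sample is used.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    for finding in find_log4j(xml_text):
        print(f"{finding['artifact']:<12} {finding['version']:<10} {finding['status']}")
```

Run against the constructed sample, the script reports log4j-core 2.14.1 as flagged and log4j-api 2.14.1 as ok; point it at a real pom.xml to see which declarations the scanner will have to resolve further.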

You can find more on Eze here –

https://hub.docker.com/r/riversafe/eze-cli

https://github.com/RiverSafeUK/eze-cli