With so many software projects depending on a large number of external modules, having a quick way to detect what’s in use and what is vulnerable as part of a DevOps pipeline is vital.
The recent log4shell vulnerability in log4j is just one example of a common issue facing software developers.
Here’s our quick guide on how to use Eze to detect if your software project is using a vulnerable version of log4j.
How to run Eze against a Java project:
Step 1) Install Java and Docker.
Step 2) In your command line, go to the directory where your project's pom.xml is located.
Step 3) Run the Eze Docker image:
docker pull riversafe/eze-cli:latest
docker run -v DIRECTORY:/data riversafe/eze-cli test
(replace DIRECTORY with the absolute path of the directory containing your pom.xml, so that it is mounted into the container as /data)
Step 4) Review the output: details of the vulnerabilities found are printed (shown below), and a machine-readable eze-report.json is generated for CI systems to consume.
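To show what a scan of this kind is actually checking at the pom.xml level, here is an added example (not Eze's code and not from the original post) that parses a Maven pom.xml, resolves ${property} placeholders from its <properties> block, finds the declared log4j-core version and compares it against a safe-version threshold. The sample pom, the threshold MIN_SAFE_VERSION and the function names are all constructed for this example; the threshold is an assumption you should set from the current advisory. It only sees direct dependencies declared in the pom it is given, which is why a full dependency scanner that resolves the whole tree (parent poms, transitive dependencies) is the tool to rely on in a pipeline.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the original post) that declares
# log4j-core through a Maven property, as many real projects do.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumed threshold: the first log4j-core release treated as safe.
# Set this from the current advisory; it is a parameter, not a fact from the post.
MIN_SAFE_VERSION = "2.17.1"


def parse_version(text):
    """Turn '2.14.1' into a comparable tuple of ints.
    Numeric parts are compared; a non-numeric suffix such as '-beta9' ends parsing,
    so '2.0-beta9' sorts as (2, 0)."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def resolve(value, props):
    """Expand ${name} references using the pom's <properties>; unknown names are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_log4j_core(pom_xml):
    """Return the declared log4j-core version string (after property expansion),
    or None when log4j-core is not a direct dependency of this pom."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall("m:properties/*", NS):
        tag = p.tag.split("}", 1)[-1]  # strip the XML namespace from the tag name
        props[tag] = (p.text or "").strip()
    proj_ver = root.find("m:version", NS)
    if proj_ver is not None and proj_ver.text:
        props.setdefault("project.version", proj_ver.text.strip())
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if gid == "org.apache.logging.log4j" and aid == "log4j-core":
            ver = dep.findtext("m:version", default="", namespaces=NS).strip()
            return resolve(ver, props) or None
    return None


def check_pom(pom_xml, min_safe=MIN_SAFE_VERSION):
    """Classify the pom as ('absent' | 'unresolved' | 'vulnerable' | 'ok', version)."""
    ver = find_log4j_core(pom_xml)
    if ver is None:
        return ("absent", None)
    if "${" in ver:
        # Property defined elsewhere (e.g. a parent pom we were not given): cannot decide here.
        return ("unresolved", ver)
    status = "vulnerable" if parse_version(ver) < parse_version(min_safe) else "ok"
    return (status, ver)


if __name__ == "__main__":
    # Usage: python check_log4j_pom.py [path/to/pom.xml]; defaults to the constructed sample.
    pom = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    status, ver = check_pom(pom)
    print(f"log4j-core: {ver} -> {status}")
    # Non-zero exit for vulnerable or undecidable results, so a CI step can fail on it.
    sys.exit(1 if status in ("vulnerable", "unresolved") else 0)
```

The "unresolved" outcome is deliberate: a version inherited from a parent pom should fail closed in a pipeline rather than be silently reported as absent.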
You can find more on Eze here –