Identifying apps using vulnerable log4j using Eze

by Anthony McKale

With so many software projects depending on a large number of external modules, having a quick way to detect what’s in use and what is vulnerable as part of a DevOps pipeline is vital.

The recent log4shell vulnerability in log4j is just one example of a common issue facing software developers.

Here’s our quick guide on how to use Eze to detect if your software project is using a vulnerable version of log4j.

How to run Eze against a Java project:

Step 1) Install Java and Docker.

Step 2) On the command line, change to the directory that contains your project's pom.xml.

Step 3) Pull the Eze image and run it against that directory (replace DIRECTORY with the path from step 2; it is mounted inside the container at /data):

docker pull riversafe/eze-cli:latest

docker run -v DIRECTORY:/data riversafe/eze-cli test

Screenshot: main output showing a critical issue in a Java dependency.

Step 4) Further detail on each vulnerability found is printed below the summary, and a machine-readable eze-report.json is written for CI systems.

Screenshot: JSON output showing detail for log4j and related vulnerabilities.
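As an added example (it is not part of RiverSafe's post and not code from the Eze tool), the following Python script performs the lightweight pre-check that a scanner such as Eze automates at far greater depth: it reads a pom.xml, resolves ${...} property references, and flags any declared log4j-core version below an assumed safe floor. The floor is set to 2.17.1 on the assumption that a team wants the follow-up fixes as well as the original Log4Shell fix in 2.15.0; the sample pom.xml and all names in the script are constructed for illustration. It sees only dependencies declared directly in the pom, so a log4j pulled in transitively by another library, or a version inherited from a parent POM or BOM, is reported as unresolved rather than safe, which is exactly the case that needs the full scan.

```python
import re
import sys
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"
# Assumed safe floor: 2.15.0 closed Log4Shell itself; the releases up to
# 2.17.1 closed the related follow-up issues, so anything older is flagged.
MIN_SAFE_VERSION = "2.17.1"

# Constructed sample pom.xml: the version is declared via a property,
# which is the common layout that a naive grep for "log4j-core" misses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Simplified Maven ordering: numeric components first, and a
    qualifier such as -beta9 or -rc1 sorts below the plain release."""
    parts = re.split(r"[.\-]", version.strip())
    numeric = []
    i = 0
    while i < len(parts) and parts[i].isdigit():
        numeric.append(int(parts[i]))
        i += 1
    qualifier = "-".join(parts[i:])
    return (tuple(numeric), 0 if qualifier else 1, qualifier)


def resolve(value, props):
    """Expand ${prop} references from <properties>; unknown ones stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_log4j_core(pom_xml):
    """Return the declared log4j-core versions (after property expansion).
    Walks every <dependency>, including those under <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_node = root.find(MAVEN_NS + "properties")
    if props_node is not None:
        for child in props_node:
            props[child.tag.replace(MAVEN_NS, "")] = (child.text or "").strip()
    found = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        group = dep.findtext(MAVEN_NS + "groupId", "").strip()
        artifact = dep.findtext(MAVEN_NS + "artifactId", "").strip()
        version = dep.findtext(MAVEN_NS + "version", "").strip()
        if group == LOG4J_GROUP and artifact == LOG4J_ARTIFACT:
            found.append(resolve(version, props))
    return found


def assess(pom_xml, min_safe=MIN_SAFE_VERSION):
    """Classify each log4j-core declaration as vulnerable, ok, or unresolved."""
    findings = []
    for version in find_log4j_core(pom_xml):
        if not version or "${" in version:
            # No version, or a property we could not expand: it is inherited
            # from a parent POM or BOM, so a dependency-tree scan is required.
            status = "unresolved"
        elif version_key(version) < version_key(min_safe):
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((version, status))
    return findings


if __name__ == "__main__":
    # Usage: python check_log4j.py [path/to/pom.xml]; defaults to the sample.
    pom = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    results = assess(pom)
    for version, status in results:
        print(f"log4j-core {version or '<inherited>'}: {status}")
    # Non-zero exit lets a CI job fail the build, as with eze-report.json.
    sys.exit(1 if any(s != "ok" for _, s in results) else 0)
```

Run it with no arguments to see the constructed sample flagged, or pass a real pom.xml path; the exit status is 1 whenever anything is vulnerable or unresolved so that a pipeline stage can fail fast before the slower full scan.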

You can find more on Eze here:

https://hub.docker.com/r/riversafe/eze-cli

https://github.com/RiverSafeUK/eze-cli

