WhiteSource Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions containing the following known CVEs:
- CVE-2021-45046
- CVE-2021-44228
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-44832
It provides the exact path to direct and indirect dependencies, along with the fixed version for speedy remediation.
The supported packages managers are:
- gradle
- maven
- bundler
In addition, the tool will search for vulnerable files with the .jar
,.gem
extensions.
- Download the log4j-detect binary based on your OS platform (see installation steps below)
NOTE
-
For mac users, if the following message appears: "log4j-detect can't be opened because Apple cannot check it for malicious software", please follow the steps described here
-
The relevant binaries must be installed for the scan to work, i.e:
gradle
if the scanned project is a gradle project (contains asettings.gradle
or abuild.gradle
file)mvn
if the scanned project is a maven project (contains apom.xml
file)ruby
/jruby
andgem
/jgem
if the scanned project is a bundler project (contains aGemfile.lock
/gems.locked
file)
-
Building the projects before scanning will improve scan time and reduce potential scan errors
-
maven projects must be built prior to scanning, e.g. with the following command:
mvn install
-
bundler projects must be built prior to scanning, e.g. with the following command:
jbundler install
-
It is not necessary to run
gradle build
prior to scanning agradle
project, but that will greatly decrease the scan time
-
In order to scan your project, simply run the following command:
log4j-detect scan -d PROJECT_DIR
The folder can include source code that uses supported package managers in the project, as well binaries with the supported extensions mentioned above
ARCH=amd64 # or ARCH=arm64
wget "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.4.0-linux-$ARCH.tar.gz"
tar -xzvf log4j-detect-1.4.0-linux-$ARCH.tar.gz
chmod +x log4j-detect
./log4j-detect -h
ARCH=amd64 # or ARCH=arm64
wget "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.4.0-darwin-$ARCH.tar.gz"
tar -xzvf log4j-detect-1.4.0-darwin-$ARCH.tar.gz
chmod +x log4j-detect
./log4j-detect -h
Invoke-WebRequest -Uri "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.4.0-windows-amd64.zip" -OutFile "log4j-detect.zip"
Expand-Archive -LiteralPath 'log4j-detect.zip'
cd log4j-detect
.\log4j-detect.exe -h