
Detect Log4j vulnerabilities in your project

How to tell if your Gradle or Maven applications use a Log4j version affected by CVE-2021-44228 and/or CVE-2021-45046

Both CVE-2021-44228 and CVE-2021-45046 are serious security issues, and developers might not even know that their projects are affected! Both bugs live in the log4j-core artifact of Log4j 2: CVE-2021-44228 affects versions 2.0-beta9 through 2.14.1 and is fixed in 2.15.0; CVE-2021-45046 (the incomplete first fix) affects versions through 2.15.0 and is fixed in 2.16.0 (2.12.2 on the Java 7 branch). Log4j often arrives transitively through another dependency, so a dependency report, not a search of your own build file, is the right check.

After my last post, some Java developers reached out to me and asked me how to detect an affected version of the Log4j library. Well, I'm not a Java developer, but if you are using Gradle or Maven, the following snippets might help you.

Gradle has a dependency insight report, the dependencyInsight task, and its usage is very simple:

gradle -q dependencyInsight --dependency org.apache.logging.log4j --configuration runtimeClasspath

The --configuration value must name a configuration that exists in your project; runtimeClasspath is the one that reflects what a standard Java application actually ships with (the Gradle documentation's example uses a custom configuration named scm, which most projects do not have). The report lists every requested version and the one Gradle selected (shown as "2.11.2 -> 2.15.0"); the selected version is the one that runs. Please read the documentation to ensure you use it correctly.

Maven has the Maven Dependency Plugin, which also makes it very simple to get a dependency report:

mvn dependency:tree -Dincludes=org.apache.logging.log4j

Please make sure to read the usage page on the Maven site for how to install and use the Dependency Plugin. In both reports, look at the version of log4j-core that was actually selected: log4j-api on its own does not contain the vulnerable JNDI lookup, and versions shown as omitted or overridden are not on the classpath.
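Reading the two reports by eye works for one project, but across many builds it helps to automate the version check. The script below is an added example, not part of the original post: it parses the output of either command above (the sample report text embedded in it is constructed by hand to mirror the real formats, not taken from a real project), keeps only the log4j-core versions that were actually selected, and maps each one to the CVE ids from the affected ranges given earlier. It is a version check only; it does not know about mitigations such as a removed JndiLookup class, and it ignores Log4j 1.x, which has a different groupId and is not covered by these two CVEs. The script name check_log4j.py in the usage line is an assumption.

```python
"""Map log4j-core versions found in `mvn dependency:tree` or Gradle
dependencyInsight output to CVE-2021-44228 / CVE-2021-45046.

Usage:  mvn dependency:tree -Dincludes=org.apache.logging.log4j | python3 check_log4j.py -
        gradle -q dependencyInsight --dependency org.apache.logging.log4j \
               --configuration runtimeClasspath | python3 check_log4j.py -
Run without '-' to check the constructed sample reports below.
"""
import re
import sys

# Affected ranges (log4j-core of Log4j 2 only):
#   CVE-2021-44228: 2.0-beta9 .. 2.14.1, fixed in 2.15.0
#   CVE-2021-45046: 2.0-beta9 .. 2.15.0, fixed in 2.16.0
# Backport branches that carry both fixes: 2.3.1+ (Java 6), 2.12.2+ (Java 7)


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    A pre-release qualifier (beta, rc, ...) sorts below the bare release."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, 0, m.group(4).lower(), int(m.group(5) or 0))
    return (major, minor, patch, 1, "", 0)


def cves_for(version):
    """Return the CVE ids that apply to a log4j-core version ([] if fixed)."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9") or v >= parse_version("2.16.0"):
        return []
    if parse_version("2.3.1") <= v < parse_version("2.4.0"):      # Java 6 branch
        return []
    if parse_version("2.12.2") <= v < parse_version("2.13.0"):    # Java 7 branch
        return []
    cves = ["CVE-2021-45046"]            # everything up to and including 2.15.0
    if v < parse_version("2.15.0"):      # 2.15.0 already closed the original hole
        cves.insert(0, "CVE-2021-44228")
    return cves


# Matches both report styles:
#   Maven:  org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
#   Gradle: org.apache.logging.log4j:log4j-core:2.11.2 -> 2.15.0
COORD = re.compile(
    r"org\.apache\.logging\.log4j:([\w.-]+)"   # artifactId
    r"(?::[a-z-]+)?"                            # Maven inserts the packaging, e.g. ':jar'
    r":([0-9][^\s:)]*)"                         # requested version
    r"(?:\s*->\s*([0-9][^\s:)]*))?"             # Gradle: 'requested -> selected'
)


def resolved_log4j_core_versions(report):
    """Extract the log4j-core versions that actually won resolution.
    Maven lines marked 'omitted' lost conflict resolution and are skipped;
    in Gradle output 'a -> b' means b was selected. log4j-api is ignored
    because the JNDI lookup lives in log4j-core."""
    found = set()
    for line in report.splitlines():
        if "omitted" in line:
            continue
        for artifact, requested, selected in COORD.findall(line):
            if artifact == "log4j-core":
                found.add(selected or requested)
    return found


def check_report(report):
    """Map each selected log4j-core version in a report to its CVE ids."""
    return {v: cves_for(v) for v in sorted(resolved_log4j_core_versions(report))}


# Constructed sample reports (hand-written to mirror the real formats).
MAVEN_SAMPLE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- com.example:legacy-lib:jar:3.0:compile
[INFO]    \\- (org.apache.logging.log4j:log4j-core:jar:2.13.3:compile - omitted for conflict with 2.14.1)
"""

GRADLE_SAMPLE = """\
> Task :dependencyInsight
org.apache.logging.log4j:log4j-core:2.15.0
   variant "runtimeElements" [
      org.gradle.category = library
   ]

org.apache.logging.log4j:log4j-core:2.15.0
\\--- runtimeClasspath

org.apache.logging.log4j:log4j-core:2.11.2 -> 2.15.0
\\--- org.apache.logging.log4j:log4j-slf4j-impl:2.11.2
     \\--- runtimeClasspath
"""

if __name__ == "__main__":
    report = sys.stdin.read() if sys.argv[1:] == ["-"] else MAVEN_SAMPLE + GRADLE_SAMPLE
    for version, cves in check_report(report).items():
        verdict = "AFFECTED by " + ", ".join(cves) if cves else "not affected by these two CVEs"
        print("log4j-core %s: %s" % (version, verdict))
```

On the constructed samples the Maven report resolves to 2.14.1 (both CVEs) and the Gradle report to 2.15.0 (CVE-2021-45046 only); the 2.13.3 and 2.11.2 versions that lost resolution are correctly left out, which is the distinction a plain grep for "log4j" would miss.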

But again: I’m not a Java expert!