WhiteSource Releases Free Log4j Detection Tool
As the Log4j vulnerability continues to wreak havoc on the IT landscape, everyone is trying to prevent disaster from striking. A number of companies and development teams have released tools to help with the detection and remediation of the vulnerability. One such company is WhiteSource. Its new tool, Log4j Detect, is an open-source command-line utility that scans your projects for the following known CVEs:
- CVE-2021-45046
- CVE-2021-44228
- CVE-2021-4104
- CVE-2021-45105
Once the scan is complete, it reports the exact path of each vulnerable file as well as the fixed version you need to remediate the issue. Log4j Detect should be run from the root directory of your project; it also searches for vulnerable files with the .jar and .gem extensions, and it supports the Gradle, Maven, and Bundler package managers.
In order for Log4j Detect to run properly, you need to have either gradle (if the project is a Gradle project) or mvn (if the project is a Maven project) installed. The developers also note that both Maven and Bundler projects must be built before scanning. Once you have Log4j Detect installed, start the scan with the command log4j-detect scan -d PROJECT (where PROJECT is the directory housing your project).
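To show what this kind of scan does under the hood, here is an added example that is not WhiteSource's code: a small Python scanner that walks a directory for Log4j jars, parses the version from the filename, checks whether JndiLookup.class is still inside the archive, and reports each path with the fixed version from the Apache advisories. It assumes the 2.x main line only (the 2.3.x and 2.12.x backport branches for old Java runtimes are not modelled), and the sample jars are constructed in a temporary directory.

```python
import os
import re
import tempfile
import zipfile
# Matches Log4j 1.x (log4j-1.2.17.jar) and 2.x core (log4j-core-2.14.1.jar) jars.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# (CVE, first fixed release) on the 2.x main line; 2.3.x/2.12.x backports not modelled.
ADVISORIES = [
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
]

def findings_for(version, jndi_present):
    """Return (cve, fixed_version) pairs that apply to one parsed jar version."""
    if version[0] == 1:
        # Log4j 1.x is end-of-life: CVE-2021-4104 (JMSAppender) gets no 1.x fix.
        return [("CVE-2021-4104", "none (upgrade to 2.x)")]
    out = []
    for cve, fixed in ADVISORIES:
        if version < fixed:
            # Deleting JndiLookup.class mitigates the JNDI CVEs, not 45105 (lookup recursion).
            if cve != "CVE-2021-45105" and not jndi_present:
                continue
            out.append((cve, ".".join(map(str, fixed))))
    return out

def scan(root):
    # Walk root; return (path, cve, fixed_version) rows for every Log4j jar found.
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            with zipfile.ZipFile(path) as zf:  # a jar is a zip archive
                jndi = JNDI_CLASS in zf.namelist()
            for cve, fix in findings_for(tuple(map(int, m.groups())), jndi):
                results.append((path, cve, fix))
    return results

def demo():
    # Constructed sample tree: three fake jars, one with JndiLookup.class removed.
    samples = {"log4j-core-2.14.1.jar": JNDI_CLASS,              # unpatched
               "log4j-core-2.15.0.jar": "META-INF/MANIFEST.MF",  # class deleted
               "log4j-1.2.17.jar": "META-INF/MANIFEST.MF"}       # legacy 1.x
    with tempfile.TemporaryDirectory() as d:
        for name, member in samples.items():
            with zipfile.ZipFile(os.path.join(d, name), "w") as zf:
                zf.writestr(member, b"")
        return sorted((os.path.basename(p), c, f) for p, c, f in scan(d))
```

Run scan() against a real project root to get the same (path, CVE, fixed version) rows; note that a filename-only version check misses shaded or renamed jars, which is one reason the WhiteSource tool asks for built Maven and Bundler projects.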
For more information about this tool, make sure to read through the project README.