Announcing Open Source Tool to Detect Log4J Vulnerability
Author: Sam Gleske, Staff Engineer, Integral Ad Science
IAS has created a new open source project on GitHub, dependency-deep-scan-utilities, which detects the log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 in source code. log4j is used by an enormous number of Java applications, and log4shell is easy to exploit for remote code execution (an attacker only needs to get a crafted string logged by a vulnerable log4j-core), so a great many development teams are exposed. IAS has open sourced this project to help developers everywhere find and mitigate log4shell in their own code and improve their security.
Dependency-deep-scan-utilities is a command line tool that is run against source code. It walks every Git repository it is given and uses Maven and Gradle to resolve each project's dependencies, so that it finds transitive usage of vulnerable log4j-core as well as direct usage: a project that never declares log4j-core itself but pulls it in through another library is still detected. Because the check relies on the build tools' own dependency resolution, it reports the log4j-core version a build actually uses rather than only the one written in a build file. Dependency-deep-scan-utilities then collects the output of all scans into a CSV file listing the project, the log4j-core version and the Git clone URL, so that teams can easily organize and prioritize mitigation. Identifying vulnerable code this way lets teams patch before log4shell is exploited, which keeps developers productive and limits the risk of a security incident.
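The following Python is an added illustration of the scanning approach described above; it is not the dependency-deep-scan-utilities code, and the project names, clone URLs and build output in it are constructed. It parses the text that `mvn dependency:tree` and `gradle dependencies` print, picks out the resolved version of `org.apache.logging.log4j:log4j-core` (using Gradle's conflict-resolved version when one is shown), checks it against the ranges affected by CVE-2021-44228 and CVE-2021-45046, and emits CSV rows of project, version, Git clone URL and matching CVEs.

```python
"""Detect vulnerable log4j-core in Maven and Gradle dependency trees.

Added illustration, not the dependency-deep-scan-utilities code. Runs offline on
constructed sample build output; project names and URLs are made up.
"""
import csv
import io
import re
from typing import Dict, List, Set, Tuple

# Matches log4j-core in Maven output ("log4j-core:jar:2.14.1:compile") and in
# Gradle output ("log4j-core:2.14.1 -> 2.16.0"). When Gradle resolved a version
# conflict, the version after "->" is the one that actually lands on the
# classpath, so it takes precedence over the declared one.
LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core"
    r"(?::(?:jar:)?([\w.\-]+))?"      # declared version (Maven: after "jar:")
    r"(?:\s*->\s*([\w.\-]+))?"        # Gradle conflict-resolved version
)

# Boundaries from the Apache Log4j security advisories: CVE-2021-44228 is fixed
# in 2.15.0, CVE-2021-45046 in 2.16.0, and both in the 2.12.2 (Java 7) and
# 2.3.1 (Java 6) backport lines.
FIX_44228 = (2, 15, 0)
FIX_45046 = (2, 16, 0)
BACKPORT_LINES = (((2, 12, 2), (2, 13, 0)), ((2, 3, 1), (2, 4, 0)))


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1). A pre-release suffix ('2.0-beta9') is dropped,
    which treats every 2.0 beta as affected; that is the conservative choice
    for a scanner (only the rare 2.0-beta1..beta8 are clean in reality)."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def cves_for(version: str) -> List[str]:
    """CVE ids the given log4j-core version is affected by (empty if none).
    log4j 1.x is a different artifact (log4j:log4j) and is outside this check."""
    v = parse_version(version)
    if v < (2, 0, 0) or any(lo <= v < hi for lo, hi in BACKPORT_LINES):
        return []
    cves = []
    if v < FIX_44228:
        cves.append("CVE-2021-44228")
    if v < FIX_45046:  # 2.15.0 still carries the incomplete fix
        cves.append("CVE-2021-45046")
    return cves


def log4j_core_versions(tree_output: str) -> Set[str]:
    """Resolved log4j-core versions found in one dependency-tree dump."""
    found = set()
    for declared, resolved in LOG4J_CORE_RE.findall(tree_output):
        version = resolved or declared
        if version:
            found.add(version)
    return found


def scan(projects: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One CSV row per (project, vulnerable log4j-core version)."""
    rows = []
    for project in projects:
        for version in sorted(log4j_core_versions(project["tree"])):
            cves = cves_for(version)
            if cves:
                rows.append({
                    "project": project["name"],
                    "log4j_core_version": version,
                    "git_clone_url": project["clone_url"],
                    "cves": " ".join(cves),
                })
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["project", "log4j_core_version", "git_clone_url", "cves"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample build output, not captured from real projects.
MAVEN_BILLING = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ billing-service ---
[INFO] com.example:billing-service:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""
GRADLE_REPORTING = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.16.0
\\--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.16.0
"""
GRADLE_GATEWAY = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.15.0
\\--- org.apache.logging.log4j:log4j-core:2.15.0
"""
SAMPLE_PROJECTS = [
    {"name": "billing-service", "tree": MAVEN_BILLING,
     "clone_url": "git@git.example.com:apps/billing-service.git"},
    {"name": "reporting-job", "tree": GRADLE_REPORTING,
     "clone_url": "git@git.example.com:apps/reporting-job.git"},
    {"name": "legacy-gateway", "tree": GRADLE_GATEWAY,
     "clone_url": "git@git.example.com:apps/legacy-gateway.git"},
]

if __name__ == "__main__":
    print(to_csv(scan(SAMPLE_PROJECTS)), end="")
```

Of the three constructed projects, billing-service reaches log4j-core 2.14.1 only through spring-boot-starter-log4j2 and is reported for both CVEs; reporting-job declares 2.14.1 but Gradle resolves it to 2.16.0, so it is correctly left out; legacy-gateway sits on 2.15.0 and is reported for CVE-2021-45046 alone.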
See the dependency-deep-scan-utilities README for more information about the tool. We’d love to hear if this project has helped you. You can also find out more about open roles on our team at IAS here.