Finding Log4j – Analysis Of Maven Repositories And Projects

Finding Log4j – Analysis Of Maven Repositories And Projects

Keine Kommentare zu Finding Log4j – Analysis Of Maven Repositories And Projects

On Friday, 10 Dec 2021, a serious vulnerability of the wide spread logging framework Log4j has been reported, see CVE-2021-45046. This blog post describes how jQAssistant may assist you in detecting applications or modules that make use of the framework.

This post describes different approaches taking different sources of information:

Tip: In case you need a helping hand with the described setups or interpreting/refining the results just drop us a message: jqassistant (at)

Analysis of a Maven Repository

jQAssistant allows scanning of artifact repositories like Nexus or Artifactory to analyze not just a single project but a whole application landscape. We have (nearly) everything prepared for you to get started:

Now you can kick off the scan and analysis from your command line:

mvn verify -Drepo.url=http://host:8080/nexus/content/repositories/my-repo*:*:*"

The property repo.url should point to a hosted repository or repository group which contains your artifacts. The additional property repo.filter takes a comma separated list of Maven artifact patterns and allows filtering for the artifacts which you are interested in, usually you’ll use the groupId of your organization.

The scan will take some time, analysis is executed directly after the scan has finished.

Two CSV reports will be created in the folder target/jqassistant/report/csv:

  • log4j-repository-analysis_DirectLog4jDependencies: The projects declaring a direct dependency to log4j artifacts.
  • log4j-repository-analysis_TransitiveLog4jDependencies: The projects having a direct or indirect dependency to log4j artifacts.

The provided information should help you in identifying affected Maven projects.

Analysis of a Maven Reactor

You can check the dependencies of a (large) Maven Reactor using jQAssistant. Therefore execute the following steps:

mvn install -DskipTests
mvn com.buschmais.jqassistant:jqassistant-maven-plugin:1.11.1:scan -DuseExecutionRootAsProjectRoot
mvn com.buschmais.jqassistant:jqassistant-maven-plugin:1.11.1:server -DuseExecutionRootAsProjectRoot

You can now open your web browser using the url http://localhost:7474 and select „No Authentication“ if prompted by Neo4j.

Now just execute the following query:

  and log4j.fqn starts with "org.apache.logging.log4j:"
  artifact.fqn, collect(log4j.fqn)

Analysis of a EAR/WAR/JAR files

If you have a collection of EAR, WAR or JAR files in a directory then jQAssistant may help to verify if they contain affected log4j libraries.
First download the latest Command Line Distribution and unpack it. Then execute the following command:

jqassistant-commandline-neo4jv3\bin\jqassistant.cmd scan -f <path to folder containing Java artifacts>
jqassistant-commandline-neo4jv3/bin/ scan -f <path to folder containing Java artifacts>

The specified path can either be a Java artifact or a folder containing a collection of such files. jQAssistant will automatically pick up the artifacts (even if they are contained in ZIP or tar.gz archives), extract nested artifacts if necessary until it encounters Java classes. After the scan has finished you can start the embedded Neo4j server:

// Windows
jqassistant-commandline-neo4jv3\bin\jqassistant.cmd server
// Linux
jqassistant-commandline-neo4jv3/bin/ server

Open your web browser using the url http://localhost:7474 and select „No Authentication“ if prompted by Neo4j.

Now run the following query:

  pomProperties.fileName ends with "/"
  [n in nodes(path)| n.fileName] as Path, version.value as Version

The result contains the path to all artifacts (including those which are nested within other artifacts, e.g. EAR, WAR or fat JAR files) including the detected version of log4j:

Tip: If you encounter an OutOfMemoryError during scan or analysis set the environment variable JQASSISTANT_OPTS, e.g.

// Windows
// Linux

About the author:


Leave a comment

Back to Top