Finding Log4j – Analysis Of Maven Repositories And Projects
16 December 2021

On Friday, 10 Dec 2021, a serious vulnerability in the widespread logging framework Log4j was reported, see CVE-2021-45046. This blog post describes how jQAssistant can help you detect applications or modules that make use of the framework.
This post describes different approaches, each based on a different source of information:
- Maven Repository
- Maven Reactor
- EAR/WAR/JAR files (added on 20 Dec 2021)
Tip: In case you need a helping hand with the described setups or interpreting/refining the results just drop us a message: jqassistant (at) buschmais.com.
Analysis of a Maven Repository
jQAssistant allows scanning of artifact repositories like Nexus or Artifactory to analyze not just a single project but a whole application landscape. We have (nearly) everything prepared for you to get started:
- Clone the Maven project under https://github.com/jqassistant-tutorials/log4j-artifact-repository-analysis; it contains the required setup and the rules for the reports.
- Make sure the index of the repository to be scanned is enabled. You can verify this by checking whether the top-level folder of the repository contains an entry .index (e.g. https://repo1.maven.org/maven2/.index/).
Now you can kick off the scan and analysis from your command line:
mvn verify -Drepo.url=http://host:8080/nexus/content/repositories/my-repo "-Drepo.filter=com.my-company.*:*:*"
The property repo.url should point to a hosted repository or repository group which contains your artifacts. The additional property repo.filter takes a comma-separated list of Maven artifact patterns and restricts the scan to the artifacts you are interested in; usually you will use the groupId of your organization. Quoting the filter keeps the shell from expanding the asterisks.
The scan will take some time; the analysis runs directly after the scan has finished.
Two CSV reports will be created in the folder target/jqassistant/report/csv:
- log4j-repository-analysis_DirectLog4jDependencies: the projects declaring a direct dependency on log4j artifacts.
- log4j-repository-analysis_TransitiveLog4jDependencies: the projects having a direct or transitive dependency on log4j artifacts.
The provided information should help you in identifying affected Maven projects.
Analysis of a Maven Reactor
You can check the dependencies of a (large) Maven Reactor using jQAssistant. To do so, execute the following steps:
mvn install -DskipTests
mvn com.buschmais.jqassistant:jqassistant-maven-plugin:1.11.1:scan -DuseExecutionRootAsProjectRoot
mvn com.buschmais.jqassistant:jqassistant-maven-plugin:1.11.1:server -DuseExecutionRootAsProjectRoot
You can now open your web browser using the URL http://localhost:7474 and select "No Authentication" if prompted by Neo4j.
Now just execute the following query:
MATCH shortestPath((artifact:Main:Artifact)-[:DEPENDS_ON*]->(log4j:Artifact))
WHERE artifact <> log4j AND log4j.fqn STARTS WITH "org.apache.logging.log4j:"
RETURN artifact.fqn, collect(log4j.fqn)
Analysis of EAR/WAR/JAR files
If you have a collection of EAR, WAR or JAR files in a directory then jQAssistant may help to verify if they contain affected log4j libraries.
First download the latest Command Line Distribution and unpack it. Then execute the following command:
// Windows
jqassistant-commandline-neo4jv3\bin\jqassistant.cmd scan -f <path to folder containing Java artifacts>
// Linux
jqassistant-commandline-neo4jv3/bin/jqassistant.sh scan -f <path to folder containing Java artifacts>
The specified path can either be a single Java artifact or a folder containing a collection of such files. jQAssistant automatically picks up the artifacts (even if they are contained in ZIP or tar.gz archives) and extracts nested artifacts as necessary until it encounters Java classes. After the scan has finished you can start the embedded Neo4j server:
// Windows
jqassistant-commandline-neo4jv3\bin\jqassistant.cmd server
// Linux
jqassistant-commandline-neo4jv3/bin/jqassistant.sh server
Open your web browser using the URL http://localhost:7474 and select "No Authentication" if prompted by Neo4j.
Now run the following query:
MATCH (log4j:Artifact)-[:CONTAINS]->(:Type{fqn:"org.apache.logging.log4j.core.lookup.JndiLookup"}),
      path=shortestPath((root:File)-[:CONTAINS*]->(log4j))
WHERE NOT ()-[:CONTAINS]->(root)
OPTIONAL MATCH (log4j)-[:CONTAINS]->(pomProperties:Properties:File)-[:HAS]->(version:Value{name:"version"})
WHERE pomProperties.fileName ENDS WITH "/pom.properties"
RETURN [n IN nodes(path) | n.fileName] AS Path, version.value AS Version
The result contains the path to all artifacts (including those nested within other artifacts, e.g. EAR, WAR or fat JAR files) together with the detected version of log4j.
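The query above expresses, in the graph, a check that can also be done directly on the archives: descend into nested EAR/WAR/JAR containers, look for the JndiLookup class, and read the version from the bundled pom.properties. The following Python script is an added example, not part of jQAssistant or of the original post; it walks ZIP-based archives recursively (tar.gz handling, which jQAssistant provides, is left out), and the EAR it scans is built in memory from constructed sample entries, so it runs offline.

```python
import io
import os
import zipfile

# Marker class whose presence identifies a log4j-core artifact carrying the
# JNDI lookup (the same Type the Cypher query above matches on).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Container formats that are descended into; tar.gz is not handled here.
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom_properties(zf):
    """Read 'version' from the first META-INF/maven/.../pom.properties entry, if any."""
    for name in zf.namelist():
        if name.endswith("/pom.properties"):
            text = zf.read(name).decode("utf-8", "replace")
            for raw in text.splitlines():
                line = raw.strip()
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def find_jndi_lookup(data, path):
    """Walk a ZIP-based artifact given as bytes, descending into nested archives.

    Returns a list of (nested_path, version) tuples, one per artifact that
    contains JndiLookup.class; containers are joined with '!/' in nested_path.
    Content that is not a ZIP file is skipped.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_ENTRY in names:
            hits.append((path, _version_from_pom_properties(zf)))
        for name in names:
            if name.lower().endswith(NESTED_SUFFIXES):
                hits.extend(find_jndi_lookup(zf.read(name), path + "!/" + name))
    return hits


def scan_directory(directory):
    """Scan every archive below a directory; returns a sorted list of (path, version)."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for file_name in files:
            if file_name.lower().endswith(NESTED_SUFFIXES):
                full = os.path.join(root, file_name)
                with open(full, "rb") as fh:
                    hits.extend(find_jndi_lookup(fh.read(), full))
    return sorted(hits)


def _zip_bytes(entries):
    """Build an in-memory ZIP from {entry_name: bytes} (helper for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample: an EAR wrapping a WAR that bundles a log4j-core JAR
    (with JndiLookup.class and pom.properties) plus an unrelated clean JAR."""
    log4j_core = _zip_bytes({
        # class-file magic only; a constructed stand-in, not a real class
        JNDI_LOOKUP_ENTRY: b"\xca\xfe\xba\xbe",
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            b"#Generated by Maven\nversion=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    clean_jar = _zip_bytes({"com/example/Util.class": b"\xca\xfe\xba\xbe"})
    war = _zip_bytes({
        "WEB-INF/lib/log4j-core.jar": log4j_core,
        "WEB-INF/lib/util.jar": clean_jar,
    })
    return _zip_bytes({"app.war": war, "META-INF/application.xml": b"<application/>"})


if __name__ == "__main__":
    # Scan the constructed sample; pass a real folder to scan_directory() instead.
    for nested_path, version in find_jndi_lookup(build_sample_ear(), "app.ear"):
        print(nested_path + "\t" + str(version))
```

The output mirrors the Path and Version columns of the Cypher result: one line per archive containing JndiLookup, with the container chain written as app.ear!/app.war!/WEB-INF/lib/log4j-core.jar. A missing pom.properties yields a version of None, which is worth treating as a finding to inspect by hand rather than as a clean result.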
Tip: If you encounter an OutOfMemoryError during scan or analysis, set the environment variable JQASSISTANT_OPTS, e.g.:
// Windows
set JQASSISTANT_OPTS=-Xmx8G
// Linux
export JQASSISTANT_OPTS=-Xmx8G