Scan for Log4j with open source tools

The challenge here is finding Log4j because of the way Java packaging works. It’s possible you have Log4j hiding somewhere in your application and don’t even know it.

In the Java ecosystem, dependencies are distributed as Java archive (JAR) files, which are packages that can be used as a Java library. Commonly used tools, such as Maven and Gradle, can automatically add JAR files as you build your Java application. It’s also possible for a JAR to contain another JAR to satisfy a dependency, which means a vulnerability can be hidden several levels down in your application. Essentially, in the Java world, you can have a JAR nested in a JAR nested in a JAR. In some situations, one dependency pulls in hundreds of other dependencies, making it even more difficult to find. This creates many layers that all need to be investigated.

Just looking at the JARs your project pulls in directly may not be enough, since Log4j could be hiding inside of another JAR file! There are two open source tools led by Anchore that have the ability to scan a large number of packaged dependency formats, identify their existence, and report if they contain vulnerabilities. Syft generates a software bill of materials (SBOM) and Grype is a vulnerability scanner. In this case, being able to scan JAR files, especially nested layers of JAR files, is what we want. Both of these tools are able to inspect multiple nested layers of JAR archives to uncover and identify versions of Log4j.
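To make the nested-JAR problem concrete, here is an added example (not Anchore's code and not how Syft or Grype are implemented) that builds a constructed JAR-in-a-JAR-in-a-JAR in memory and walks every level, identifying Log4j from the Maven pom.properties that published JARs carry. The archive names and the version string are constructed sample values.

```python
import io
import zipfile

POM_PREFIX = "META-INF/maven/"
LOG4J_GROUP = "org.apache.logging.log4j"


def build_jar(entries):
    """Build an in-memory JAR (a plain zip file) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_log4j(jar_bytes, path="app.jar", findings=None):
    """Recursively walk nested JARs; return (nested path, artifact, version) tuples.

    Detection keys on META-INF/maven/<group>/<artifact>/pom.properties, which
    Maven embeds in published JARs. Shaded or stripped JARs may lack it, which
    is why SBOM tools also hash class files and read manifests.
    """
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.startswith(POM_PREFIX) and entry.endswith("pom.properties"):
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(entry).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                if props.get("groupId") == LOG4J_GROUP:
                    findings.append((path, props.get("artifactId"), props.get("version")))
            elif entry.lower().endswith((".jar", ".war", ".ear")):
                # Descend one level; the "!/" separator mirrors Java's jar: URL style.
                find_log4j(zf.read(entry), f"{path}!/{entry}", findings)
    return findings


# Constructed sample: log4j-core buried two JARs deep inside the application JAR.
LOG4J_POM = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n"
log4j_jar = build_jar({f"{POM_PREFIX}org.apache.logging.log4j/log4j-core/pom.properties": LOG4J_POM})
util_jar = build_jar({"lib/log4j-core-2.14.1.jar": log4j_jar, "com/example/Util.class": b""})
SAMPLE_APP = build_jar({"BOOT-INF/lib/util.jar": util_jar})

if __name__ == "__main__":
    for nested_path, artifact, version in find_log4j(SAMPLE_APP):
        print(f"{artifact} {version} found at {nested_path}")
```

A scan that only lists the top-level entries of SAMPLE_APP sees util.jar and nothing else; the recursive walk is what surfaces the Log4j artifact.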