Reputation: 1055
Due to the Log4Shell vulnerability I would like to search and find out if my Java project is implementing Log4j directly or by dependencies, and which version.
I have, for example, projects with these dependency management tools:
How can I do this on these types of dependency management tools?
Details about the vulnerability (including mitigation steps):
Apache Log4j Security Vulnerabilities
Upvotes: 13
Views: 17822
Reputation: 617
If you use Maven and Linux, you can run:
mvn dependency:tree | grep log4j
This will check your dependencies and show results only if you have Log4j as a dependency.
And if it is a transitive dependency, and you want to check the dependency it came from, you can use:
mvn dependency:tree | grep -B20 log4j
It will show 20 lines before Log4j on the screen. If you still can't see the main dependency where it comes from, you can increase from 20 to 50, and so on until you find it.
KKKK
Upvotes: 4
Reputation: 240
So far I'm satisfied with what Syft and Grype provide. These tools list all code dependencies of a given Docker image or a directory containing code - independent of the stack! Easy setup and quick execution.
It's Java-independent though and more generic than your specific question for a Maven-based solution. So it is up to you if it's of use or not.
Upvotes: 3
Reputation: 522732
You may run Maven dependency tree from the command line inside your project:
mvn dependency:tree
In the output do a search for log4j. If you find it, it might mean that your project is either directly including log4j, or another dependency is including log4j as a transitive dependency.
Upvotes: 6