How to find log4j vulnerable dependencies quickly across your codebase

Prosper Otemuyiwa - Dec 14 '21 - Dev Community

To quickly determine which of your projects depend on the vulnerable versions of Log4j 2 (2.0 through 2.15.x), run these queries on Sourcegraph. Each regular expression spells out the affected minor versions as an alternation; extend it if a later advisory moves the fixed version past 2.15. Note that Sourcegraph treats a space inside a regexp query as "match anything" (.*?), which is what lets the group id and the version be matched on one line with arbitrary text between them.

Gradle

org\.apache\.logging\.log4j' 2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
lang:gradle patterntype:regexp count:all

This pattern requires a closing quote directly after the group id, so it matches the map notation (group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.x.y'). The string notation ('org.apache.logging.log4j:log4j-core:2.x.y') is picked up by the file-type-independent query at the end of the list.

Search Query: Gradle

Maven

<log4j\.version>2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))</log4j\.version>
file:pom\.xml patterntype:regexp count:all

This only finds projects that pin the version through a log4j.version property; a version written directly in the dependency's <version> element, or inherited from a parent POM or a BOM, is not matched.

Search Query: Maven

Ivy

org="org\.apache\.logging\.log4j".*rev="2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))"
file:ivy\.xml patterntype:regexp count:all

Search Query: Ivy

sbt (Scala)

org\.apache\.logging\.log4j" % "2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
file:\.sbt$ patterntype:regexp count:all

Search Query: sbt (Scala)

Bazel

org\.apache\.logging\.log4j: 2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
lang:bazel patterntype:regexp count:all

Search Query: Bazel

Any file containing org.apache.logging.log4j followed by a vulnerable version number

org\.apache\.logging\.log4j 2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
patterntype:regexp count:all

This catch-all is the broadest query and therefore the noisiest: it also matches documentation, lock files, comments, and source files that merely mention the group id next to a version string, so review its results rather than treating every hit as a dependency.

Search Query: Any file containing org.apache.logging.log4j followed by a vulnerable version number

Search your organization’s private code

On Sourcegraph Cloud, run the queries linked above in your user search context (context:@username), after you’ve synced all of the org repositories you want to search (in Settings > Account > Your repositories).

On a self-hosted Sourcegraph instance, copy and paste those queries above into the search box on your instance. After pasting, ensure the .* (regexp search) button is on for queries that contain regular expressions.
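If some repositories are not indexed in Sourcegraph at all, the same checks can be run locally against a checkout. The script below is an added example written for this post, not Sourcegraph's code or the author's: it applies one regular expression per manifest family, using the same 2.0 to 2.15 alternation as the queries above, with Sourcegraph's space-matches-anything behaviour written out explicitly. It goes beyond the queries in two places: the patch component of the version is optional, and for Maven it also matches a version written inline inside the log4j dependency block rather than only the log4j.version property. The file-name rules and the sample manifests are constructed for the example.

```python
# Added example for this post, not Sourcegraph's or the author's code: a local,
# offline counterpart of the queries above. File-name classification and the
# fixture manifests are assumptions made for the example.
import re
import sys
from pathlib import Path
from typing import Dict, List, NamedTuple

# Minor versions 2.0 .. 2.15, the same alternation the queries above use;
# extend the range when an advisory moves the fixed version.
VULN_MINORS = "|".join(str(n) for n in range(16))
# Patch component optional here (the post's queries require it); the
# look-arounds stop "2.1" from matching inside "2.16.0" or "12.1.0".
VERSION = rf"(?<![0-9.])2\.(?:{VULN_MINORS})(?:\.[0-9]+)?(?![0-9.])"
GROUP = r"org\.apache\.logging\.log4j"

# One regex per manifest family. Sourcegraph reads a space in a regexp query
# as ".*?"; that is written out explicitly here.
PATTERNS: Dict[str, re.Pattern] = {
    # string notation 'group:artifact:version' or map notation, on one line
    "gradle": re.compile(rf"{GROUP}.*?{VERSION}"),
    # the post's <log4j.version> property, plus (beyond the post) an inline
    # <version> inside the log4j <dependency> block
    "maven": re.compile(
        rf"<log4j\.version>\s*{VERSION}\s*</log4j\.version>"
        rf"|<groupId>\s*{GROUP}\s*</groupId>(?:(?!</dependency>).)*?"
        rf"<version>\s*{VERSION}\s*</version>",
        re.S,
    ),
    "ivy": re.compile(rf'org="{GROUP}".*?rev="{VERSION}"'),
    "sbt": re.compile(rf'"{GROUP}"\s*%+\s*"[^"]+"\s*%\s*"{VERSION}"'),
    "bazel": re.compile(rf"{GROUP}:[^\s\"']*?{VERSION}"),
    # fallback for any other file: group id, anything, vulnerable version
    "any": re.compile(rf"{GROUP}.*?{VERSION}"),
}

class Hit(NamedTuple):
    path: str
    line: int  # 1-based line where the match starts
    version: str

def family(name: str) -> str:
    """Pick the regex family from a file name (an assumption of this example)."""
    if name.endswith((".gradle", ".gradle.kts")):
        return "gradle"
    if name == "pom.xml":
        return "maven"
    if name == "ivy.xml":
        return "ivy"
    if name.endswith(".sbt"):
        return "sbt"
    if name in ("BUILD", "BUILD.bazel", "WORKSPACE") or name.endswith(".bzl"):
        return "bazel"
    return "any"

def scan_text(text: str, fam: str, path: str = "<text>") -> List[Hit]:
    """Return every vulnerable log4j reference in one file's contents."""
    hits = []
    for m in PATTERNS[fam].finditer(text):
        version = re.findall(VERSION, m.group(0))[-1]  # version the match ended on
        hits.append(Hit(path, text.count("\n", 0, m.start()) + 1, version))
    return hits

def scan_tree(root: Path) -> List[Hit]:
    """Walk a checkout, scanning each regular file with the family its name implies."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            text = p.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(text, family(p.name), str(p.relative_to(root))))
    return hits

# Constructed fixtures, not real project files. build.gradle's second line and
# build.sbt sit outside the vulnerable range and must not be reported.
SAMPLES = {
    "build.gradle": "dependencies {\n"
                    "    implementation 'org.apache.logging.log4j:log4j-core:2.14.1'\n"
                    "    testImplementation 'org.apache.logging.log4j:log4j-api:2.17.1'\n}\n",
    "pom.xml": "<project>\n  <properties>\n    <log4j.version>2.11.2</log4j.version>\n"
               "  </properties>\n</project>\n",
    "ivy.xml": '<ivy-module>\n  <dependency org="org.apache.logging.log4j" '
               'name="log4j-core" rev="2.15.0"/>\n</ivy-module>\n',
    "build.sbt": 'libraryDependencies += "org.apache.logging.log4j" % "log4j-core" % "2.16.0"\n',
    "WORKSPACE": 'maven_install(artifacts = ["org.apache.logging.log4j:log4j-core:2.8.2"])\n',
}

def demo() -> List[Hit]:
    """Scan the fixtures in memory (four hits expected)."""
    hits = []
    for name, text in SAMPLES.items():
        hits.extend(scan_text(text, family(name), name))
    return hits

if __name__ == "__main__":
    found = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for h in found:
        print(f"{h.path}:{h.line}: log4j {h.version}")
    sys.exit(1 if found else 0)
```

Saved as, say, scan_log4j.py, it takes a checkout directory as its only argument and exits non-zero on any hit, or scans the built-in fixtures when run without arguments. Whatever tool runs them, manifest regexes only see what is written in the manifest: a version inherited from a parent POM, a BOM or a Gradle version catalog, or pulled in transitively by another library, never appears there. Confirm with the resolved dependency graph, for example mvn dependency:tree -Dincludes=org.apache.logging.log4j or gradle dependencies --configuration runtimeClasspath, before declaring a project clean.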

In-depth Log4j 0-day fixes and mitigations

For in-depth information on the Log4j Log4Shell 0-day, check out this excellent article on finding, fixing, and tracking affected code.

Conclusion

Finding and fixing vulnerabilities in your codebase can be challenging, but with the right tools, you can speed up the process and secure your codebase in minimal time.


Have suggestions or questions? Leave a comment, or join our Community Slack Space where our team will be happy to answer any questions you may have about Sourcegraph.
