Clone Git Repo... CTRL+F "log4j"... 0 results... (sigh of relief)... :|

"A project with a footprint like Log4j is not possible to avoid as a transient dependency even if you don’t directly import it. Log4j is a canonical logging utility for a huge ecosystem. Its current radius is beyond doing due diligence." - @rakyll (AWS)

Yeah - for example, to determine if log4j is used in a Maven project one would have to run "mvn dependency:tree | grep log4j".

Which I did today for our 60 microservices.

And also for projects deployed as war files - container server libraries also have to be checked.
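The check described above, automated as an added example that is not code from this thread: a POSIX shell script that parses `mvn dependency:tree` output for every log4j artifact (direct or transitive, with its version), runs that over every Maven module under a root directory, and separately lists jar/war/ear archives whose entries mention log4j (to cover WEB-INF/lib and application-server libraries). It assumes mvn, unzip, find and awk are on the PATH; the tree format it parses is Maven's own `group:artifact:type[:classifier]:version:scope`.

```shell
#!/bin/sh
# Added example: locate log4j in Maven dependency trees and in deployed archives.

# find_log4j_in_tree FILE: print "groupId:artifactId:version" for each tree line
# that mentions log4j. Works on console output ("[INFO] |  +- g:a:jar:v:scope")
# and on files written with -DoutputFile (same lines without the [INFO] prefix).
find_log4j_in_tree() {
    awk '/log4j/ && match($0, /[+\\]- /) {
            s = substr($0, RSTART + 3)          # strip tree drawing characters
            n = split(s, f, ":")                # g:a:type[:classifier]:version:scope
            if (n >= 5) print f[1] ":" f[2] ":" f[n-1]   # version is always next to last
         }' "$1" | sort -u
}

# scan_maven_repos ROOT: run dependency:tree in every directory holding a pom.xml
# (e.g. a checkout of all microservices) and report modules that pull in log4j.
scan_maven_repos() {
    find "$1" -name pom.xml -not -path '*/target/*' | while read -r pom; do
        dir=$(dirname "$pom")
        out=$(mktemp)
        # -o resolves from the local repository only; drop it if artifacts are not cached yet
        (cd "$dir" && mvn -q -o dependency:tree -DoutputFile="$out" >/dev/null 2>&1) || true
        hits=$(find_log4j_in_tree "$out")
        if [ -n "$hits" ]; then
            printf '%s\n' "$dir" "$hits" | sed '2,$s/^/    /'
        fi
        rm -f "$out"
    done
}

# scan_archives ROOT: for war/jar/ear files (deployed apps, container server lib dirs),
# flag archives named after log4j and any entry inside them that mentions log4j.
scan_archives() {
    find "$1" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) |
    while read -r a; do
        case "$a" in *log4j*) printf '%s (archive name)\n' "$a" ;; esac
        unzip -l "$a" 2>/dev/null | awk -v a="$a" 'tolower($NF) ~ /log4j/ {print a ": " $NF}'
    done
}
```

Run `scan_maven_repos /path/to/checkouts` and `scan_archives /opt/tomcat` (paths are placeholders); a module reported only through a starter such as spring-boot-starter-log4j2 is exactly the transitive case the thread is about.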

Ed: linked as "infoworld article" in TFA.

This article[1] probably seems like a bit of convenient self-promotion from Anchore - but the two tools grype and syft

https://github.com/anchore/grype

https://github.com/anchore/syft

turned out to be very helpful in easily looking through folders, installed services (in particular an installed mobile device manager running on Windows) and container images.

[1] https://www.infoworld.com/article/3644492/how-to-detect-the-...

Submitted to HN as: https://news.ycombinator.com/item?id=29543589 in case there's more discussion of tooling that might fit there.