TLDR: Download the OSS Log4j vulnerability scanning tools from the JFrog GitHub repository to assess potential Log4j vulnerabilities in your source code or binaries.
It is estimated that half of all global enterprises have been impacted by the Log4j vulnerability, and the number of affected companies is rising every day. JFrog’s Security Research team has created a new set of tools that help developers scan their software for the identified vulnerabilities in Log4j. These tools, available in Java and Python, quickly scan a codebase or binary and flag whether Log4j is present in software the company actively uses.
“The Log4j vulnerability has set the enterprise software landscape on fire due to its widespread usage as a component across the software supply chain, making it difficult to rapidly pinpoint and remediate,” said Asaf Karas, CTO of JFrog Security Research. “In times of crisis open-source tools allow community collaboration and contributions to collectively solve immediate and long-term security issues, which is why we’re proud to release these tools today.”
JFrog’s flagship product, Artifactory, has a build-info component built in that gives users fully traceable information describing every detail of a build. Xray takes this a step further and scans the build to identify open source dependencies and any known vulnerabilities in them. The addition of these new OSS Log4j vulnerability scanning tools extends our ability to help our customers and the community secure the software supply chain. The tools perform specialized scans to detect the presence of Log4j through direct or indirect (transitive) dependencies, including instances where Log4j does not appear as a separate file but is bundled inside a larger software package (for example, a shaded or fat JAR), where it is harder to detect.
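As an added illustration of the detection idea in the paragraph above (example code written for this page, not the code of JFrog’s tools, which lives in the GitHub repository linked here), the Python scan below opens an archive and every archive nested inside it, and reports a copy of Log4j by the presence of the log4j-core `JndiLookup` class rather than by file name, reading the version from the bundled Maven `pom.properties` when it is there. The fat JAR it scans is constructed in memory as a sample, and the class bytes in it are placeholders.

```python
import io
import zipfile

# log4j-core 2.x ships this class; its presence identifies an embedded copy of
# Log4j that a filename-only inventory misses once the JAR is shaded into another.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXTS = (".jar", ".war", ".ear", ".zip")

def _log4j_version(zf):
    """Read the log4j-core version from its Maven pom.properties, if bundled."""
    try:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    except KeyError:  # ZipFile.read raises KeyError when the member is absent
        pass
    return "unknown"

def scan_archive(data, path="archive", findings=None):
    """Return [(location, version)] for each log4j-core found, descending into nested archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # not a zip container: nothing to inspect
        return findings
    with zf:
        if JNDI_LOOKUP in zf.namelist():
            findings.append((path, _log4j_version(zf)))
        for name in zf.namelist():  # recurse into fat-JAR / WAR / EAR contents
            if name.lower().endswith(NESTED_EXTS):
                scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings

def build_sample_fat_jar():
    """Constructed sample: an app JAR with log4j-core 2.14.1 nested under lib/ (placeholder bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for location, version in scan_archive(build_sample_fat_jar(), "app.jar"):
        print(f"log4j-core {version} found at {location}")
```

To run it over a real build, read each `.jar`/`.war`/`.ear` on disk into bytes and pass it to `scan_archive` with its path; the `!` separator in the reported location marks each level of nesting.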
To stay up to date on the latest about Log4j, please read our technical resource blog: [Log4Shell 0-Day Vulnerability: All You Need To Know](https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/).