To quickly determine which of your projects depend on the vulnerable versions of log4j, run these queries on Sourcegraph:
Gradle
org\.apache\.logging\.log4j' 2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
lang:gradle patterntype:regexp count:all
Search Query: Gradle
Maven
<log4j\.version>2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))</log4j\.version>
file:pom\.xml patterntype:regexp count:all
Search Query: Maven
Ivy
org="org\.apache\.logging\.log4j".*rev="2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))"
file:ivy\.xml patterntype:regexp count:all
Search Query: Ivy
SBT (Scala)
org\.apache\.logging\.log4j" % "2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
file:\.sbt$ patterntype:regexp count:all
Search Query: Scala
Bazel
org\.apache\.logging\.log4j: 2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
lang:bazel patterntype:regexp count:all
Search Query: Bazel
Any file containing org.apache.logging.log4j followed by a vulnerable version number
org\.apache\.logging\.log4j 2\.((0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)(\.[0-9]+))
patterntype:regexp count:all
Search Query: Any file containing org.apache.logging.log4j followed by a vulnerable version number
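The same checks, run locally over build files instead of through Sourcegraph, as an added example that is not part of the original post. The patterns are adapted from the queries above into plain Python regexes (Sourcegraph treats a space in regexp mode as "any text", spelled out here as .*?), the file suffixes used to pick a pattern are an assumption, and the sample build files are constructed.

```python
import re
from typing import Dict, List, Tuple

# Versions the queries on this page flag: 2.0.x through 2.15.x (2.16 and later do not match).
VULN = r"2\.(?:[0-9]|1[0-5])\.[0-9]+"

# Per-format patterns adapted from the Sourcegraph queries above; group 1 captures the version.
# The filename suffix that selects each pattern is an assumption for this example.
PATTERNS = {
    ".gradle": re.compile(r"org\.apache\.logging\.log4j.*?[:'\"](" + VULN + r")['\"]"),
    "pom.xml": re.compile(r"<log4j\.version>(" + VULN + r")</log4j\.version>"),
    "ivy.xml": re.compile(r'org="org\.apache\.logging\.log4j".*?rev="(' + VULN + r')"'),
    ".sbt":    re.compile(r'"org\.apache\.logging\.log4j".*?%\s*"(' + VULN + r')"'),
    ".bazel":  re.compile(r"org\.apache\.logging\.log4j:[\w.-]+:(" + VULN + r")"),
}
# Fallback for any other file, mirroring the page's last ("any file") query.
GENERIC = re.compile(r"org\.apache\.logging\.log4j.*?(" + VULN + r")")


def pattern_for(path: str) -> re.Pattern:
    """Pick the format-specific pattern by filename suffix, else the generic one."""
    for suffix, pat in PATTERNS.items():
        if path.endswith(suffix):
            return pat
    return GENERIC


def scan(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, version) for every line pinning a flagged log4j version."""
    hits = []
    for path, text in files.items():
        pat = pattern_for(path)
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = pat.search(line)
            if m:
                hits.append((path, lineno, m.group(1)))
    return hits


# Constructed sample build files (not taken from any real project); the sbt one is already on 2.17.1.
SAMPLE_FILES = {
    "svc-a/build.gradle": "dependencies {\n  implementation 'org.apache.logging.log4j:log4j-core:2.14.1'\n}\n",
    "svc-b/pom.xml": "<properties>\n  <log4j.version>2.15.0</log4j.version>\n</properties>\n",
    "svc-c/ivy.xml": '<dependency org="org.apache.logging.log4j" name="log4j-core" rev="2.11.2"/>\n',
    "svc-d/build.sbt": 'libraryDependencies += "org.apache.logging.log4j" % "log4j-core" % "2.17.1"\n',
    "svc-e/WORKSPACE.bazel": 'maven_install(artifacts = ["org.apache.logging.log4j:log4j-core:2.3.1"])\n',
}

if __name__ == "__main__":
    for path, lineno, version in scan(SAMPLE_FILES):
        print(f"{path}:{lineno}: log4j {version}")
```

Point `scan` at the contents of real build files to get a path:line listing of every pinned version in the flagged range; the 2.17.1 sbt entry is correctly left out.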
Search your organization’s private code
On Sourcegraph Cloud, run the queries linked above in your user search context (context:@username), after you’ve synced all of the org repositories you want to search (in Settings > Account > Your repositories).
On a self-hosted Sourcegraph instance, copy and paste those queries above into the search box on your instance. After pasting, ensure the .* (regexp search) button is on for queries that contain regular expressions.
In-depth Log4j 0-day fixes and mitigations
For in-depth information on the Log4j Log4Shell 0-day, check out this excellent article on finding, fixing, and tracking affected codebases.
Conclusion
Finding and fixing vulnerabilities in your codebase can be challenging, but with the right tools, you can speed up the process and secure your codebase in minimal time.
Have suggestions or questions? Leave a comment, or join our Community Slack Space where our team will be happy to answer any questions you may have about Sourcegraph.