{"id":31770031,"url":"https://github.com/jfrog/log4j-tools","last_synced_at":"2025-10-10T02:56:31.761Z","repository":{"id":45311682,"uuid":"438217910","full_name":"jfrog/log4j-tools","owner":"jfrog","description":null,"archived":false,"fork":false,"pushed_at":"2025-02-13T20:24:13.000Z","size":44734,"stargazers_count":168,"open_issues_count":0,"forks_count":28,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-02-13T20:34:33.784Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jfrog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-14T10:55:24.000Z","updated_at":"2025-02-13T20:24:17.000Z","dependencies_parsed_at":"2022-09-01T22:23:14.729Z","dependency_job_id":null,"html_url":"https://github.com/jfrog/log4j-tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jfrog/log4j-tools","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Flog4j-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Flog4j-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Flog4j-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Flog4j-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jfrog","download_url":"https://codeload.github.com/jfrog/log4j-tools/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Flog4j-tools/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002512,"owners_count":26083403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-10T02:56:25.418Z","updated_at":"2025-10-10T02:56:31.752Z","avatar_url":"https://github.com/jfrog.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# log4j-tools\n\n### Quick links\n\nClick to find:\n\n| [Inclusions of `log4j2` in compiled code](#scan_jndimanager_versionspy) | [Calls to `log4j2` in compiled code](#scan_log4j_calls_jarpy) | [Calls to `log4j2` in source code](#scan_log4j_calls_srcpy) |\n| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------------------------------------------- |\n| [Sanity check for env mitigations](#env_verifyjar)           | [Applicability of CVE-2021-45046](#scan_cve_2021_45046_config) | [Xray wrapper for Log4Shell](#log4shell_xray_wrapper)       |\n| [Automatically patch container images in Artifactory](patch_rt_container_registry_repos/python/README.md) |                                                              |                                                             |\n\n### Overview\n\nCVE-2021-44228 poses a serious threat to a wide range of Java-based applications. The important questions a developer may ask in this context are:\n\n### 1. Does my code include `log4j2`?\n\nDoes the released code include `log4j2`? Which version of the library is included there? Answering these questions may not be immediate due to two factors:\n\n1) Transitive dependencies: while `log4j2` may not be in the direct dependency list of the project, it may be used indirectly by some other dependency.\n\n2) The code of this library may not appear directly as a separate file (i.e., `log4j2-core-2.xx.0.jar`), but rather be bundled in some other code jar file.\n\nJFrog is releasing a tool to help resolve this problem: [`scan_log4j_versions`](#scan_log4j_versionspy). The tool looks for the **class code** of `JndiManager`  and `JndiLookup` classes **(regardless of containing `.jar` file names and content of `pom.xml` files)**, and attempts to fingerprint the versions of the objects to report whether the included version of `log4j2` is vulnerable. Both Python and Java implementations are included.\n\n### 2. Where does my code use `log4j2`? \n\nThe question is relevant for the cases where the developer would like to verify if the calls to log4j2 in the codebase may pass potentially attacker-controlled data. While the safest way to fix the vulnerability, as discussed in the advisories, is to apply the appropriate patches and global flags, controlling for and verifying the potential impact under assumption of unpatched `log4j2` may be valuable in many situations. In order to address this problem JFrog is releasing two scripts:\n\n1. [`scan_log4j2_calls_src.py`](#scan_log4j_calls_srcpy), which locates calls to log4j2 logging functions (info, log, error etc.) with non-constant arguments in *.java source files* and reports the findings on the level of source file and line\n2. [`scan_log4j2_calls_jar.py`](#scan_log4j_calls_jarpy), which locates the calls to logging functions in *compiled .jar*s, and reports the findings as class name and method names in which each call appears.\n\n### 3. Am I configuring this correctly?\n\nDue to the high risk associated with the vulnerability, developers relying on mitigations may want to double check that the environment was indeed configured correctly (which Java runtime actually runs the application? Were environment and command line flags set correctly?). In order to simplify this sanity check, JFrog is releasing a few tools. The tools are intended to run in the same environment as a production application.\n\n* [env_verify.jar](#env_verifyjar) will validate the proper application of mitigations against CVE-2021-44228.\n* [scan_cve_2021_45046_config](#scan_cve_2021_45046_config) will validate the `log4j2` configuration does not allow for exploitation of CVE-2021-45046.\n\n------\n\n## Usage instructions\n\n### `scan_log4j_versions.py`\n\nThe tool requires Python 3, without additional dependencies.\n\n##### Usage\n\n```\npython scan_log4j_versions.py root-folder [-quiet] [-exclude folder1 folder2 ..]\n```\n\nIf python3 is not available, python2 ported version can be used:\n\n```\npython2 scan_log4j_versions_p2.py root-folder [-quiet] [-exclude folder1 folder2 ..]\n```\n\nThe tool will scan `root_folder` recursively for `.jar` and `.war` files; in each located file the tool looks for a `*log4j/core/net/JndiManager.class` and  `*log4j/core/lookup/JndiLookup.class` (recursively in each `.jar` file). If at least one of the classes is found, the tool attempts to fingerprint its version (including some variations found in patches and backport patches) in order to report whether the code is vulnerable.\n\nWith `-quiet` flag, only log4j version conclusions are printed out, and other messages (files not found/ archives failed to open/ password protected archives) are muted.\n\nFolders appearing after `-exclude` (optional) are skipped.\n\n\u003cimg src=\"img/jndi_manager_results.PNG\" style=\"zoom:33%;\" /\u003e\n\nTo reiterate, the results depend on the code of the classes rather than file names and the metadata. Files where both `JndiManager` and `JndiLookup` classes are not present (and hence are not vulnerable to CVE-2021-44228), like `log4j-1.x.xx.jar`, or `log4j-api-2.xx.x.jar`, do not appear in the results. Otherwise, vulnerability status and estimated version/patch status are displayed. When the versions of the two classes follow a pattern not accounted for, `inconsistent` is reported; this result should be investigated further.\n\n#### Currently recognized log4j versions:\n\n| Vulnerable           | Mitigated | Fixed                                                        |\n| -------------------- | --------- | ------------------------------------------------------------ |\n| `2.0`, `2.1 .. 2.14` | `2.15`    | `2.12.2`, `2.16`, `2.17` ,`JndiLookup removed`; patched versions `2.17.1`, `2.3.2`, `2.12.4` classified as `2.17` |\n\nSupported archive extensions: jar, war, ear, sar, par, zip.\n\n------\n\n### `scan_log4j_versions.jar`\n\nCompiled jar can be downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.11/scan_log4j_versions.jar) or [compiled](#compiling-scan_log4j_versionsjar-from-source) from source.\n\nThe tool requires java runtime, without additional dependencies. \n\n##### Usage\n\n```\njava -jar scan_jndimanager_versions.jar root-folder\n```\n\nThe operation and displayed results are equivalent to the [Python version](#scan_log4j_versionspy).\n\n------\n\n### `scan_log4j_calls_jar.py`\n\nThe tool requires python 3 and the following 3rd party libraries: `jawa`, `tqdm`, `easyargs`, `colorama`\n\n##### Dependencies installation\n\n```\npip install -r requirements.txt\n```\n\n##### Usage\n\nThe default use case:\n\n```\npython scan_log4j_calls_jar.py root-folder\n```\n\nwill recursively scan all `.jar` files in `root-folder`, for each printing out locations (class name and method name) of calls to `info`/`warn`/`error`/`log`/`debug` /`trace`/`fatal` methods of `log4j2.Logger`. \n\nThe tool may be configured for additional use cases using the following command line flags.\n\n| Flag                  | Default value        | Use                                                          |\n| --------------------- | -------------------- | ------------------------------------------------------------ |\n| `--class_regex`       | .*log4j/Logger       | Regular expression for required class name                   |\n| `--method_regex`      | [^1]                 | Regular expression for required method name                  |\n| `--quickmatch_string` | log4j                | Pre-condition for file analysis: .jar files not containing the specified string will be ignored |\n| `--class_existence`   | Not set              | When not set, look for calls to class::method as  specified by regexes. When set, `--method_regex` is ignored, and the tool will look for *existence* of classes specified by `--class_regex` in the jar. |\n| `--no_quickmatch`     | Not set              | When set, the value of `--quickmatch_string` is ignored and all jar files are analyzed |\n| `--caller_block`      | .*org/apache/logging | If caller class matches this regex, it will *not* be displayed |\n\nFor example, \n\n```\npython scan_log4j_calls_jar.py --class_regex \".*JndiManager$\" --class_existence --no_quickmatch root-folder\n```\n\nWill scan all `.jar` files (even if they do have no mentions of `log4j2`) for the existence of a class ending with `JndiManager`. \n\nTypical results output looks like this:\n\n\u003cimg src=\"img/scan_log4j_jar.PNG\" style=\"zoom:33%;\" /\u003e\n\n------\n\n### `scan_log4j_calls_src.py`\nThe tool requires python 3 and the following 3rd party libraries: `javalang`, `tqdm`, `easyargs`, `colorama`\n\n##### Dependencies installation\n\n```\npip install -r requirements.txt\n```\n\n##### Usage\n\nThe default use case:\n\n```\npython scan_log4j_calls_src.py root-folder\n```\n\nwill recursively scan all `.java` files in `root-folder`, for each printing out the locations (file name and corresponding code lines) of calls to `log4j2` logging methods. \n\nThe tool may be configured for additional use cases using the following command line flags:\n\n| Flag             | Default value                   | Use                                         |\n| ---------------- | ------------------------------- | ------------------------------------------- |\n| `--class_regex`  | org/apache/logging/log4j/Logger | Regular expression for required class name  |\n| `--method_regex` | [^1]                            | Regular expression for required method name |\n\nTypical output looks like this:\n\n\u003cimg src=\"img/scan_log4j_src.PNG\" style=\"zoom:33%;\" /\u003e\n\n------\n\n### `env_verify.jar`\n\nCompiled jar can be downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.5/env_verify.jar) or [compiled](#compiling-env_verifyjar-from-source) from source, and does not require additional dependencies.\n\n#### Usage\n\nThe intended use is running the tool in the same setting precisely as the production application. For example, for the original launch line in the start-up script:\n\n```shell\neval \"\\\"${JAVA_CMD}\\\" ${VMARG_LIST} application ${CLASSNAME} ${ARGS[@]}\" \u0026\u003e/dev/null \u0026\n```\n\nWe add the following to the script:\n\n```shell\neval \"\\\"${JAVA_CMD}\\\" ${VMARG_LIST} -jar env_verify.jar\" \u003e /tmp/env_verify\n```\n\nAnd read the result after the start-up script completes:\n\n\u003cimg src=\"img/env_verify_results.PNG\" style=\"zoom: 33%;\" /\u003e\n\n------\n\n### `scan_cve_2021_45046_config`\n\n##### Dependencies\n\nPython version requires installing dependencies:\n\n```\npip install -r requirements.txt\n```\n\n\n\n##### Usage\n\nJar version can be [compiled](#compiling-scan_cve_2021_45046_configjar-from-source) from source or downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.8/scan_cve_2021_45046_config.jar).\n\n```\npython scan_cve_2021_45046_config.py root-folder\n```\n\nor\n\n```\njava -jar scan_cve_2021_45046_config.jar root-folder\n```\n\nWill recursively scan `root-folder` and all archive files in it, looking for probable log4j configuration files (`xml`, `yml`, `properties`,`json`), in each looking for [configuration options](https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/#appendix-c) which may enable an attacker to exploit CVE-2021-45046.\n\nPlease note that an \"applicable\" result only means that the configuration **may** be problematic and should be inspected.\n\nA \"non-applicable\" result is more conclusive, and means the configuration does not contain even the basic (publicly known) options for the exploitation of CVE-2021-45046.\n\n------\n\n### `log4shell_xray_wrapper`\n\n##### Dependencies\n\nPython version requires installing dependencies:\n\n```bash\npip install -r requirements.txt\n```\n\nIn addition, the following tools must be available in your `PATH`:\n\n* [JFrog CLI](https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-Downloadandinstallation) 2.6.2 or later (either `jfrog` or `jf`) - [configured](https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-JFrogPlatformConfiguration) with an \"Xray URL\"\n* Either [maven](https://maven.apache.org/download.cgi) or [gradle](https://gradle.org/install/) (according to the project you are planning to scan)\n\n\n\n##### Usage\n\nJar version can be [compiled](#compiling-log4shell_xray_wrapperjar-from-source) from source or downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.12/log4shell_xray_wrapper-all.jar).\n\n```\njava -jar log4shell_xray_wrapper.jar [--recurse] [--verbose] target_dir\n```\n\nor running the Python version:\n\n```bash\npython log4shell_xray_wrapper.py [--recurse] [--verbose] target_dir\n```\n\nThe tool looks for Maven and Gradle projects , either directly at `target_dir` or (if `--recurse` is specified) in any child directory of `target_dir`.\n\nAny detected project will be scanned using Xray (via the JFrog CLI), and results will be filtered to show only the Log4Shell vulnerabilities:\n\n* CVE-2021-44228\n* CVE-2021-45046\n* CVE-2021-45105\n\n\n\n------\n\n### Compiling `scan_log4j_versions.jar` from source\n\n```\ncd scan_log4j_versions/java\ngradle build\ncp build/libs/scan_log4j_versions.jar ..\n```\n\n------\n\n### Compiling `env_verify.jar` from source\n\n```\ncd env_verify/java\ngradle build\ncp build/libs/env_verify.jar ..\n```\n\n------\n\n### Compiling `scan_cve_2021_45046_config.jar` from source\n\n```\ncd scan_cve_2021_45046_config/java\ngradle build\ncp build/libs/scan_cve_2021_45046_config.jar ..\n```\n\n------\n\n### Compiling `log4shell_xray_wrapper.jar` from source\n\n```\ncd log4shell_xray_wrapper/java\ngradle shadowJar\ncp build/libs/log4shell_xray_wrapper-all.jar ..\n```\n\n------\n\n\n[^1]: (info\u0026#124;warn\u0026#124;error\u0026#124;log\u0026#124;debug\u0026#124;trace\u0026#124;fatal\u0026#124;catching\u0026#124;throwing\u0026#124;traceEntry\u0026#124;printf\u0026#124;logMessage)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Flog4j-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjfrog%2Flog4j-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Flog4j-tools/lists"}