On Wed, Dec 15, 2021, 15:40 William Kenworthy <billk@×××××××××.au> wrote:

> I was reading up on log4j and its recent problems and discovered it can
> "hide" layers deep inside java jar files depending on how it's used.
>
> I can see that dev-embedded/arduino includes log4j directly (and does it
> embed log4j in code produced for IoT?):
>
> rattus ~ # locate *.jar|grep 4j
> /usr/share/arduino/lib/log4j-api-2.12.0.jar
> /usr/share/arduino/lib/log4j-core-2.12.0.jar
> /usr/share/arduino/lib/slf4j-api-1.7.22.jar
> /usr/share/arduino/lib/slf4j-simple-1.7.22.jar
> rattus ~ #
>
> BUT there are a lot of other jar files on my systems which have log4j
> embedded in them.
>
These are likely coming in as transitive dependencies from other
dependencies that might be shaded. Any dependencies pulling log4j need to
be updated. Easier said than done, obviously.

> Sylf (not in portage that I can see) seems like it can build an SBOM for a
> target (Software Bill of Materials) that could identify deeply embedded
> log4j instances - has anyone used this on a gentoo system (it looks like it
> needs to specifically target a distro) or is there something
> easier/better? "strings|grep log4j" works on the arduino jar files but
> that won't work on proprietary encrypted jar files (such as proprietary apps
> where it may likely be used). And is doing just jar files enough?
>
> BillK
>
> ** try something like 'find /opt /lib64 /usr/share -name *.jar -print
> -exec strings {} \; |grep log4j'
>
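The reply above points at the two cases a filename search misses: log4j-core pulled in as a nested jar inside a fat jar, war or ear, and a shaded copy whose packages were relocated so the jar name and Maven metadata no longer say "log4j". The following is an added example, not code from the thread or from any Gentoo package, showing how to walk an archive tree and find both. It looks for log4j-core's JndiLookup class by its class-file name (the class the December 2021 advisories told people to look for), reads the version from the pom.properties that Maven-built log4j-core jars carry under META-INF/maven/, and descends into nested archives in memory. The sample fat jar it scans is constructed inline for the demonstration and is not a real artifact; the paths and version string in it are assumptions. Like a zip-level scan in general, it reads entry names and metadata and therefore still works on obfuscated class bodies, but it cannot see into a container that a vendor has encrypted with its own scheme, and it says nothing about what is actually on a running JVM's classpath.

```python
"""Find embedded and shaded log4j-core copies inside jar/war/ear files,
descending into nested archives. Added example for the thread, not code
from any distribution package; the sample input is constructed below."""
import io
import os
import re
import sys
import zipfile

# Class file that identifies log4j-core 2.x whatever the jar is called.
MARKER_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven's default location for the artifact coordinates inside the jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf):
    """Return the version= line from log4j-core's pom.properties, or None."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def scan_zip(zf, chain):
    """Return findings for one open archive and every archive nested in it.

    Each finding is (chain, version, shaded): chain lists archive names from
    the outermost file down to the one holding the class; version is None
    when no Maven metadata is present (typical for shaded copies); shaded is
    True when the class sits under a relocated package prefix.
    """
    findings = []
    names = zf.namelist()
    for name in names:
        if name.endswith(MARKER_CLASS):
            shaded = name != MARKER_CLASS
            findings.append((list(chain), _version_from_pom(zf), shaded))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            inner = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(inner):
                inner.seek(0)
                with zipfile.ZipFile(inner) as izf:
                    findings.extend(scan_zip(izf, chain + [name]))
    return findings


def scan_bytes(data, label):
    """Scan an archive held in memory; label names it in the finding chain."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_zip(zf, [label])


def scan_tree(root):
    """Scan every archive under root; unreadable or non-zip files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_zip(zf, [path]))
            except (zipfile.BadZipFile, OSError):
                continue
    return findings


def _zip_bytes(entries):
    """Build a zip archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_app_jar():
    """Constructed input, not a real artifact: a fat jar bundling an unmodified
    log4j-core 2.12.0 under lib/ plus a shaded copy with no Maven metadata."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic; bodies are irrelevant here
    log4j_core = _zip_bytes({
        MARKER_CLASS: magic,
        POM_PROPS: b"version=2.12.0\ngroupId=org.apache.logging.log4j\n"
                   b"artifactId=log4j-core\n",
    })
    return _zip_bytes({
        "com/example/App.class": magic,
        "lib/log4j-core-2.12.0.jar": log4j_core,
        "com/example/shaded/" + MARKER_CLASS: magic,
    })


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/opt", "/usr/share"]
    results = [f for r in roots for f in scan_tree(r)]
    if not results:  # fall back to the constructed sample so the demo shows output
        results = scan_bytes(build_sample_app_jar(), "app.jar")
    for chain, version, shaded in results:
        print(" -> ".join(chain), "version:", version or "unknown",
              "(shaded)" if shaded else "")
```

Run it with the directories to scan as arguments (the defaults mirror the paths in BillK's find command, minus /lib64); with no log4j on the box it prints the findings for the constructed sample jar instead. A hit with version "unknown" and "(shaded)" is the case that needs manual follow-up, since neither the file name nor the Maven metadata will tell you which log4j release the vendor bundled.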