From: | William Kenworthy <billk@×××××××××.au> |
---|---|
To: | "gentoo-user@l.g.o" <gentoo-user@l.g.o> |
Subject: | [gentoo-user] log4j |
Date: | Wed, 15 Dec 2021 23:40:14 |
Message-Id: | b5f49090-daa8-39a1-0a03-feca725a9c9f@iinet.net.au |
I was reading up on log4j and its recent problems and discovered
it can "hide" layers deep inside Java jar files depending on how
it's used.

I can see that dev-embedded/arduino includes log4j directly (and
does it embed log4j in code produced for IoT?):

rattus ~ # locate *.jar|grep 4j
/usr/share/arduino/lib/log4j-api-2.12.0.jar
/usr/share/arduino/lib/log4j-core-2.12.0.jar
/usr/share/arduino/lib/slf4j-api-1.7.22.jar
/usr/share/arduino/lib/slf4j-simple-1.7.22.jar
rattus ~ #

BUT there are a lot of other jar files on my systems which have
log4j embedded in them.

Syft (not in portage that I can see) seems like it can build an
SBOM (Software Bill of Materials) for a target that could identify
deeply embedded log4j instances - has anyone used this on a Gentoo
system (it looks like it needs to specifically target a distro) or
is there something easier/better? "strings|grep log4j" works on
the arduino jar files but that won't work on proprietary encrypted
jar files (such as proprietary apps where it may likely be used).
And is doing just jar files enough?

BillK

** try something like:
find /opt /lib64 /usr/share -name '*.jar' -print -exec strings {} \; | grep log4j
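The "layers deep" problem raised in the message above is that a jar can carry another jar inside it (a .war with WEB-INF/lib/, an .ear with nested modules), or can have the log4j-core classes merged straight into it, and `strings | grep log4j` on the outer file sees neither reliably. The scanner below is an added example for this thread, not the poster's script and not part of any Gentoo tool: it opens every .jar/.war/.ear/.zip with Python's zipfile module, walks the entry list for the org/apache/logging/log4j/core/ package (only log4j-core, where the lookup code lives, is reported; log4j-api and slf4j are not), reads the version from the Maven pom.properties when it is present, notes whether JndiLookup.class (the class whose deletion was the widely recommended December 2021 mitigation) is still there, and recurses into any archive stored inside an archive. Files that cannot be opened as a zip are listed separately for manual inspection rather than assumed clean, which is the honest answer for the opaque proprietary case. The sample tree built by `build_sample_tree()` is a constructed fixture, not real data; the path names, the hypothetical `decoy.jar`/`opaque.jar`/`fat-app.jar`, and the class-file contents are all assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Find log4j-core on disk, including copies nested inside other archives.

Added example for the gentoo-user log4j thread; not the poster's script.
"""
import io
import os
import tempfile
import zipfile
from typing import List, Tuple

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# substring match so a shaded/relocated copy (com/x/shaded/org/apache/...) still hits
LOG4J_CORE_PKG = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# (location, version, has_jndi_lookup); nested archives are written as outer!inner
Finding = Tuple[str, str, bool]


def _version_from_pom(zf: zipfile.ZipFile) -> str:
    """Read version= from the Maven pom.properties; shaded jars often drop it."""
    if POM_PROPS not in zf.namelist():
        return "unknown"
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _inspect(zf: zipfile.ZipFile, where: str, findings: List[Finding]) -> None:
    """Record log4j-core in this archive, then descend into archives it contains."""
    names = zf.namelist()
    if any(LOG4J_CORE_PKG in n for n in names):
        has_jndi = any(n.endswith("log4j/core/lookup/JndiLookup.class") for n in names)
        findings.append((where, _version_from_pom(zf), has_jndi))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # entry has an archive name but is not a zip
            with inner:
                _inspect(inner, f"{where}!{name}", findings)


def scan(root: str) -> Tuple[List[Finding], List[str]]:
    """Walk `root`; return (findings, archives that could not be opened as zip)."""
    findings: List[Finding] = []
    unreadable: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect(zf, rel, findings)
            except (zipfile.BadZipFile, OSError):
                unreadable.append(rel)  # report, do not silently treat as clean
    return sorted(findings), sorted(unreadable)


def build_sample_tree(base: str) -> None:
    """Constructed fixture (assumed names, not real data) laid out under `base`:
    lib/log4j-core-2.12.0.jar  plain log4j-core, JndiLookup.class present
    app/app.war                nests a log4j-core jar with JndiLookup.class deleted
    app/fat-app.jar            log4j-core classes merged into an app jar, no pom
    lib/decoy.jar              only mentions log4j in a text file
    lib/opaque.jar             .jar name but not a zip at all
    """
    marker = b"\xca\xfe\xba\xbe"  # class-file magic; real bytecode is irrelevant here
    pom = b"version=2.12.0\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    os.makedirs(os.path.join(base, "lib"), exist_ok=True)
    os.makedirs(os.path.join(base, "app"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(base, "lib", "log4j-core-2.12.0.jar"), "w") as zf:
        zf.writestr(POM_PROPS, pom)
        zf.writestr(JNDI_LOOKUP, marker)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", marker)
    stripped = io.BytesIO()
    with zipfile.ZipFile(stripped, "w") as zf:  # same version, lookup class removed
        zf.writestr(POM_PROPS, pom)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", marker)
    with zipfile.ZipFile(os.path.join(base, "app", "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.12.0.jar", stripped.getvalue())
    with zipfile.ZipFile(os.path.join(base, "app", "fat-app.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", marker)
        zf.writestr(JNDI_LOOKUP, marker)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", marker)
    with zipfile.ZipFile(os.path.join(base, "lib", "decoy.jar"), "w") as zf:
        zf.writestr("README.txt", b"this project does not use log4j\n")
    with open(os.path.join(base, "lib", "opaque.jar"), "wb") as fh:
        fh.write(b"not a zip archive")


def demo() -> Tuple[List[Finding], List[str]]:
    """Build the fixture in a fresh temporary directory and scan it."""
    base = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(base)
    return scan(base)


if __name__ == "__main__":
    import sys
    results = [scan(r) for r in sys.argv[1:]] if len(sys.argv) > 1 else [demo()]
    for found, bad in results:
        for where, version, jndi in found:
            state = "present" if jndi else "absent"
            print(f"{where}\tlog4j-core {version}\tJndiLookup.class {state}")
        for where in bad:
            print(f"{where}\tnot a readable zip, inspect by hand")
```

Run it as `python3 scan_log4j.py /opt /usr/share /usr/lib64` to cover the directories from the message; with no arguments it scans the constructed fixture. Because it reads the zip central directory instead of grepping for the string "log4j", a README that merely mentions log4j is not a hit, a nested or merged copy with no "log4j" in the outer file name is, and a version of "unknown" on a hit means the Maven metadata was stripped and the jar needs a closer look. It does not answer the poster's last question: classes loaded from unpacked directories, from application servers' own module trees, or from archives with other extensions are outside what this walks.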
Subject | Author |
---|---|
Re: [gentoo-user] log4j | "Andrey F." <ma3oxuct@×××××.com> |