We have enhanced the Snyk CLI with a new snyk log4shell command that gives you more visibility into your application, including the ability to find traces of the vulnerable library even if it’s not declared in the manifest file.
The new command looks inside .jar and .war files to find Log4j or its parts. “Fat JARs” are supported as well.
With snyk log4shell you can scan a Java project to see if it includes:
- any .jar files with the vulnerable version of Log4j.
- any files known to be present in the vulnerable Log4j library. Such findings indicate that the whole Log4j library may be included.
Note: The new command does not require (or support) any additional command-line arguments.
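The kind of scan described above, written as an added Python example that is not Snyk's code or detection logic: it opens nested archives recursively and reports two traces of Log4j. The marker paths chosen, the depth and size limits, and the sample fat JAR are assumptions of this example.

```python
import io
import zipfile

# Marker paths inside log4j-core (this example's choice, not Snyk's detection list).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 64 * 1024 * 1024  # skip nested entries declaring more than this

def scan_archive(data, label, max_depth=5):
    """Return [(archive_chain, kind, detail)] for Log4j traces in an archive given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive: nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            # endswith() also matches copies under WEB-INF/classes/ or a relocation prefix.
            if name.endswith(JNDI_CLASS):
                findings.append((label, "class", name))
            elif name.endswith(POM_PROPS):
                props = zf.read(name).decode("utf-8", "replace").splitlines()
                version = next((p.split("=", 1)[1].strip() for p in props
                                if p.startswith("version=")), "unknown")
                findings.append((label, "version", version))
            elif (name.lower().endswith(ARCHIVE_EXT) and max_depth > 0
                  and info.file_size <= MAX_NESTED_BYTES):
                findings += scan_archive(zf.read(name), f"{label}!/{name}", max_depth - 1)
    return findings

def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_fat_jar():
    """Constructed sample: an app JAR bundling a library JAR that no manifest declares."""
    inner = _make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe",
                       POM_PROPS: "artifactId=log4j-core\nversion=0.0.0-sample\n"})
    return _make_zip({"BOOT-INF/lib/bundled.jar": inner, "com/example/App.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    for finding in scan_archive(build_sample_fat_jar(), "app.jar"):
        print(finding)
```

The example only reports the version string it finds; deciding whether that version is vulnerable is left to the advisory data you trust.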
For more details on using this command, see “Find Log4Shell vulnerabilities in your unmanaged and shaded jars with the Snyk CLI”.
See our Snyk CLI docs for more information.