Can SonarQube detect code that used the Log4J2 in a way that is vulnerable?

Can or could SonarQube detect code that uses Log4J in a way that is vulnerable?

Hello,

The log4j2 vulnerability (CVE-2021-44228) being a hot topic these days, we were also interested internally to understand how SonarQube could help.

SonarQube can’t detect the vulnerability in itself when analyzing just the log4j2 code because it’s a library which by definition doesn’t contain any user input.

SonarQube can detect if a user input reaches a log4j2 API such as logger.info(tainted) and raise a RCE vulnerability issue. For that, you need to use the following custom configuration (only available with SonarQube Enterprise Edition+):

{
  "sinks": [
    {
      "methodId": "org.apache.log4j.Category#",
      "isMethodPrefix": true,
      "interval": {
        "fromIndex": 1
      }
    },
    {
      "methodId": "org.apache.logging.log4j.Logger#",
      "isMethodPrefix": true,
      "interval": {
        "fromIndex": 1
      }
    }
  ]
}

When scanning the vulnerable app GitHub - christophetd/log4shell-vulnerable-app (a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell) with the above configuration passed as a scan parameter with -Dsonar.security.sinks.javasecurity.S5334=./log4jmethodids.json, you get the expected vulnerability:

This configuration will generate FPs in case you are already using the latest patched version of log4j2.

Now, even if you detect such problems in your code, the mitigation would be painful to put in place. You’d need to update your code like this:

logger.info("%m{nolookups}", tainted);

Overall, the best solution is to upgrade your dependency to the latest patch provided by the Apache Log4j people (2.12.2 or 2.16 as of writing).

Alex

6 Likes

Hi team,
Hope you are doing well.

I was scanning some Java-based apps and we noticed that Log4J (CVE-2021-44228) is not being detected.
It's not appearing in Issues/Vulnerability.
But Dependency-Check detected it in another view.
Is there something I need to activate?

2 Likes

Hello @hermanmaleiane,

Yes, you have to make sure that DependencyCheck produces a JSON report in addition to the HTML one (your screenshot). This is typically done by adding the property formats=HTML,JSON.
For a Maven project that would be in the POM, for Gradle elsewhere:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.5.2</version>
  <configuration>
    <formats>XML,HTML,JSON</formats>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Check out this sample project: GitHub - okorach/log4shell-detect
And as a result… tada!

5 Likes
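To confirm that the JSON report Dependency-Check wrote actually carries the CVE-2021-44228 finding before relying on SonarQube to import it, here is an added example (not code from the thread, from SonarQube or from either linked project) that scans such a report. The field names it reads (dependencies, fileName, packages[].id, vulnerabilities[].name) are assumed from the Dependency-Check JSON report layout, and the sample report, including the artifact version in it, is constructed.

```python
"""Find dependencies flagged with CVE-2021-44228 in a Dependency-Check JSON report."""
import json
import re

TARGET_CVE = "CVE-2021-44228"

# Constructed sample shaped like a dependency-check JSON report (field names assumed).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "log4j-core-2.14.1.jar",  # constructed sample version
            "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
            "vulnerabilities": [{"name": "CVE-2021-44228", "severity": "CRITICAL"}],
        },
        {
            "fileName": "spring-web-5.3.13.jar",
            "packages": [{"id": "pkg:maven/org.springframework/spring-web@5.3.13"}],
            "vulnerabilities": [],
        },
        {"fileName": "commons-io-2.11.0.jar"},  # no "vulnerabilities" key at all
    ]
})

# Maven package URL: pkg:maven/<group>/<artifact>@<version>
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")


def find_cve(report_text: str, cve: str = TARGET_CVE) -> list:
    """Return (fileName, group:artifact, version) for each dependency flagged with cve."""
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        names = {v.get("name") for v in dep.get("vulnerabilities", [])}
        if cve not in names:
            continue
        coords, version = "?", "?"
        for pkg in dep.get("packages", []):
            m = PURL_RE.match(pkg.get("id", ""))
            if m:  # take the first Maven coordinate that parses
                coords, version = f"{m['group']}:{m['artifact']}", m["version"]
                break
        hits.append((dep.get("fileName", "?"), coords, version))
    return hits


if __name__ == "__main__":
    for file_name, coords, version in find_cve(SAMPLE_REPORT):
        print(f"{TARGET_CVE}: {file_name} ({coords} {version})")
```

Run it against the real report (typically target/dependency-check-report.json for Maven) by replacing SAMPLE_REPORT with the file's contents; an empty result means the JSON has nothing for SonarQube to show.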
