Rule to detect vulnerable use of Log4J library (CVE-2021-44228)?

Would it be possible to create a custom Java rule that can properly detect this on SonarQube code scans?

Hello @mcoder,

I moved your question out of the main Log4J thread so it’s simpler to answer you.

I’ve just posted an answer here with details of what SonarQube can do to help.


Hi @Alexandre_Gigleux,

What about using the “Track uses of disallowed dependencies”?

You can create a pattern to detect if your project is using the vulnerable dependency in your pom.xml.

I know it is just for Java projects using Maven and I know it may not detect all the transitive dependencies but it may help.

What do you think? Does it make sense?

Thanks and best regards.

Hello @acalero,

It makes sense as a first level of defense to detect in your entire SonarQube instance the Java/Maven projects which directly reference the vulnerable versions of log4j2.
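The direct-reference check discussed in the two posts above, sketched as a standalone Python script. This is an added example, not part of the original thread and not SonarQube's rule implementation. The sample POM, the `com.example` wrapper artifact and the version bounds passed in are constructed placeholders. The script resolves `${property}` versions and reports entries whose version is inherited as unresolved. Like the rule, it cannot see transitive dependencies.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # assumes a namespaced POM
TARGET = ("org.apache.logging.log4j", "log4j-core")

# Constructed sample POM: one direct reference via a property, plus a
# hypothetical wrapper that could pull log4j-core in transitively.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>legacy-logging-wrapper</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""

def _ver(v):
    # Leading numeric components only: "2.14.1" -> (2, 14, 1), "2.0-beta9" -> (2, 0)
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

def find_direct_log4j(pom_xml, low, high):
    """Return (version, status) for every log4j-core entry declared in this POM."""
    root = ET.fromstring(pom_xml)
    props = {c.tag.split("}")[-1]: (c.text or "").strip()
             for c in root.iterfind("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        gav = tuple(dep.findtext(f"m:{k}", "", NS).strip() for k in ("groupId", "artifactId"))
        if gav != TARGET:
            continue
        raw = dep.findtext("m:version", "", NS).strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        if not version or "${" in version:
            status = "unresolved"   # version comes from a parent POM or BOM
        elif _ver(low) <= _ver(version) <= _ver(high):
            status = "in-range"
        else:
            status = "ok"
        findings.append((version, status))
    return findings

if __name__ == "__main__":
    # Placeholder bounds for the demo; take the real range from the vendor advisory.
    print(find_direct_log4j(SAMPLE_POM, "2.0", "2.14.1"))
```

The wrapper dependency produces no finding even if it bundles log4j-core, which is why a resolved dependency tree or a dependency scanner is still needed alongside this check.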



You can also use the dependency check plugin.