Would it be possible to create a custom Java rule that can properly detect this on SonarQube code scans?
I moved your question out of the main Log4J thread so it’s simpler to answer you.
I’ve just posted an answer here with details of what SonarQube can do to help.
What about using the “Track uses of disallowed dependencies”?
You can create a pattern to detect if your project is using the vulnerable dependency in your pom.xml.
I know it is just for Java projects using Maven, and I know it may not detect all the transitive dependencies, but it may help.
What do you think? Does it make sense?
Thanks and best regards.
It makes sense as a first level of defense to detect, across your entire SonarQube instance, the Java/Maven projects which directly reference the vulnerable versions of log4j2.
You can also use the Dependency-Check plugin.
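To make concrete what the "pattern on the pom.xml" approach above catches and what it misses, here is an added example that is not code from the thread or from SonarSource: a small Python checker that walks the direct `<dependencies>` of a pom, resolves `${property}` versions from `<properties>`, and flags `org.apache.logging.log4j:log4j-core` below 2.15.0. It assumes the vulnerable range is log4j-core 2.0-beta9 through 2.14.1 (Log4Shell, CVE-2021-44228, fixed in 2.15.0); the sample pom is constructed for the demo. Like the SonarQube rule, it only sees direct dependencies, so a version inherited from a parent or BOM is reported as UNRESOLVED rather than silently passed.

```python
"""Flag direct references to vulnerable log4j-core versions in a Maven pom.xml.

Added example, not the thread's or SonarSource's code. Assumption: anything
below 2.15.0 is vulnerable (Log4Shell, CVE-2021-44228). Only direct
dependencies are inspected; transitive ones are not visible in a pom.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
FIXED_VERSION = (2, 15, 0)                      # first release with the fix
VULNERABLE_GA = ("org.apache.logging.log4j", "log4j-core")

# Constructed sample pom: log4j-core pinned through a property to a
# vulnerable release, plus unrelated dependencies that must be ignored.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple.

    The qualifier after '-' is dropped, so '2.0-beta9' compares as 2.0.0,
    which is below the fixed version, as intended.
    """
    nums = re.findall(r"\d+", text.split("-", 1)[0])
    parts = [int(n) for n in nums[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def resolve(value, props):
    """Expand ${property} references from <properties>; leave unknown ones as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_vulnerable_log4j(pom_xml):
    """Return [(groupId:artifactId, version, verdict)] for each direct log4j-core dependency.

    verdict is VULNERABLE (< 2.15.0), OK, or UNRESOLVED when the version is
    missing or points at a property the pom does not define (managed in a
    parent/BOM), which the SonarQube pom pattern would not catch either.
    """
    ns = {"m": POM_NS}
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        if (gid, aid) != VULNERABLE_GA:
            continue
        version = resolve(dep.findtext("m:version", namespaces=ns), props)
        if version is None or "${" in version:
            verdict = "UNRESOLVED"
        elif parse_version(version) < FIXED_VERSION:
            verdict = "VULNERABLE"
        else:
            verdict = "OK"
        findings.append((f"{gid}:{aid}", version, verdict))
    return findings


if __name__ == "__main__":
    for ga, version, verdict in find_vulnerable_log4j(SAMPLE_POM):
        print(f"{verdict}: {ga} {version}")
```

Running it on the sample reports `VULNERABLE: org.apache.logging.log4j:log4j-core 2.14.1`. An UNRESOLVED result is the case to follow up with `mvn dependency:tree` or the Dependency-Check plugin, which see the resolved graph including transitive dependencies rather than just the text of the pom.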