Rule to detect vulnerable use of Log4J library (CVE-2021-44228)?

mcoder · December 10, 2021, 5:53pm

Would it be possible to create a custom Java rule that can properly detect this on SonarQube code scans?

Alexandre_Gigleux · December 15, 2021, 11:51am

Hello @mcoder,

I moved your question out the main Log4J thread so it’s simpler to answer you.

I’ve just posted an answer here with details of what SonarQube can do to help.

Alex

acalero · December 15, 2021, 11:55am

Hi @Alexandre_Gigleux,

What about using the “Track uses of disallowed dependencies”?

You can create a pattern to detect if your project is using the vulnerable dependency in your pom.xml.

I know it is just for Java projects using Maven and I know it may not detect all the transitive dependencies but it may help.

What do you think? Does it make sense?

Thanks and best regards.

Alexandre_Gigleux · December 15, 2021, 12:01pm

Hello @acalero,

It makes sense as a first level of defense to detect in your entire SonarQube instance the Java/Maven projects which directly reference the vulnerable versions of log4j2.

Alex

Janpopan · December 15, 2021, 8:28pm

You can also use the dependency check plugin.

Topic		Replies	Views
Can SonarQube detect code that used the Log4J2 in a way that is vulnerable? SonarQube Server / Community Build security , sast	4	4287	January 11, 2022
Detect vulnerable use of log4j New rules / language support security	1	822	December 15, 2021
Will SonarQube version 6.7.4 detect log4j vulnerability in the source code? SonarQube Server / Community Build	3	1219	January 14, 2022
XML file related Rule creation SonarQube Server / Community Build	2	102	February 26, 2025
SonarCloud and scanning for the Log4J vulnerability SonarQube Cloud	3	1272	March 18, 2025

Rule to detect vulnerable use of Log4J library (CVE-2021-44228)?

Related topics