There is a recent vulnerability in log4j, https://nvd.nist.gov/vuln/detail/CVE-2021-44228, which has a criticality score of 10.
How can I check for the presence of vulnerable Log4j versions in Gradle, so that it lists all the dependencies, including the transitive dependencies?
Answer
We can use
./gradlew -q dependencies
to list the dependency tree. It will list all dependencies with their respective versions. Since this output can be lengthy, we can filter it down with grep:
./gradlew -q dependencies | grep -i log4j
This will list all log4j dependencies with their respective versions.
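
In the grep output, a line such as `log4j-api:2.11.0 -> 2.14.1 (*)` shows a requested version followed by the version Gradle actually resolved, and the same module is repeated once per path in the tree. The script below is an added example, not part of the original answer: it reduces the tree to one line per log4j module with its resolved version and flags those below a threshold. The function names, the sample tree and the `2.15.0` threshold are assumptions made for the demo; take the real fixed version from the advisory.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer.

# Print unique "group:artifact resolved-version" pairs from a dependency tree on stdin.
resolved_log4j() {
  awk 'tolower($0) ~ /log4j/ {
    sub(/^[-+\\| ]+/, "")                  # drop the tree-drawing prefix
    sub(/ \([*cn]\)$/, "")                 # drop the (*), (c), (n) markers
    n = split($1, gav, ":")
    if (n < 2 || gav[1] == "" || gav[2] == "") next   # not a group:artifact coordinate
    ver = (n >= 3) ? gav[3] : ""           # requested version, if any
    if (match($0, / -> [^ ]+$/)) ver = substr($0, RSTART + 4)   # resolved version wins
    if (ver != "") print gav[1] ":" gav[2], ver
  }' | sort -u
}

# True when version $1 sorts strictly below version $2 (needs GNU sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# flag_below MIN: echo the "module version" pairs from stdin whose version is below MIN.
# Compares versions only; it does not know which artifacts an advisory covers.
flag_below() {
  local min="$1" mod ver
  while read -r mod ver; do
    version_lt "$ver" "$min" && echo "$mod $ver"
  done
  return 0
}

# Constructed sample, shaped like the output of `./gradlew -q dependencies`.
sample_tree() {
  cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-core:2.14.1
|    \--- org.apache.logging.log4j:log4j-api:2.14.1
+--- com.example:lib-a:1.0
|    \--- org.apache.logging.log4j:log4j-api:2.11.0 -> 2.14.1 (*)
\--- org.apache.logging.log4j:log4j-slf4j-impl -> 2.17.1
EOF
}

# Demo on the sample; against a real build use:
#   ./gradlew -q dependencies | resolved_log4j | flag_below <fixed-version>
sample_tree | resolved_log4j | flag_below 2.15.0   # 2.15.0: assumed demo threshold
```

In a multi-project build, `dependencies` reports only the project it is run in, so run the pipeline once per subproject.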