I want to find all usages of log4j prior to the current version (2.15.0).
I tried using Maven's "mvn dependency:tree" and used several tools (dependency-check, grype (didn't work for me), syft (didn't work for me), log4j-detector), but they only list the classes which were generated after specifying them in the pom.xml.
But - and this is my concern:
E.g., there is a library which I am using called hibernate-validator (Hibernate Validator Engine). I am sure this engine uses JBoss Logging, which in turn uses log4j 2.11.2, but none of my tools above warned me of this. How can I find out which libraries use log4j?
Or are external libraries not a threat for this exploit?
Please advise.
Hibernate Validator lead here. You don't have it in your dependency tree because it is not used at all by Hibernate Validator nor by JBoss Logging.
Hibernate Validator has a test dependency on Log4j 2, but it's only a test dependency. That's why you don't see it in your dependency tree, which is accurate.
I'm in the process of releasing new HV versions with an updated test dependency, but it is not a problem for your applications: they won't depend on Log4j 2 through Hibernate Validator.
See https://github.com/hibernate/hibernate-validator/blob/main/engine/pom.xml#L119.
Update: to avoid false positives from security scanners, I have released Hibernate Validator 7.0.2.Final and 6.2.1.Final.
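The question asks how to find which libraries pull in an old log4j, and the answer's point is that the tree from `mvn dependency:tree` is the accurate record of what ends up on the classpath. The following is an added example, not code from either poster or from the Hibernate Validator project: it parses the text that `mvn dependency:tree` prints, flags every `log4j-core` node older than 2.15.0 (the patched version named in the question), and reports its Maven scope together with the chain of dependencies that pulled it in, so the direct dependency to upgrade or exclude is visible at a glance. The sample tree is constructed; `com.example:myapp` and `org.example:legacy-lib` are hypothetical, while the hibernate-validator subtree shows the real situation the answer describes (jboss-logging, no log4j-core at compile scope).

```python
"""Flag log4j-core versions below 2.15.0 in `mvn dependency:tree` output.

Added example, not part of the original thread. Run `mvn dependency:tree
> tree.txt` in the project and feed the file to find_vulnerable_log4j().
"""
import re
from dataclasses import dataclass, field

PATCHED = (2, 15, 0)  # first fixed version, as stated in the question
# log4j-core is the module the 2.15.0 fix targets; log4j-api alone is not flagged.
AFFECTED = {("org.apache.logging.log4j", "log4j-core")}

# Constructed sample of `mvn dependency:tree` console output.
# com.example:myapp and org.example:legacy-lib are hypothetical.
SAMPLE_TREE = """\
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.2.0.Final:compile
[INFO] |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  \\- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] +- org.example:legacy-lib:jar:1.3:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Tree drawing characters: each nesting level takes three columns ("+- ", "\- ", "|  ", "   ").
_LINE = re.compile(r"^([ |+\\-]*)(\S.*)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str          # "root" for the project line itself
    depth: int
    path: list = field(default_factory=list)  # ancestors + self as "artifact:version"


def parse_version(v):
    """Numeric prefix of a Maven version as a tuple, e.g. '2.0-beta9' -> (2, 0, 0)."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums) + (0,) * (3 - len(nums))


def parse_coordinates(coord):
    """Split 'group:artifact:type[:classifier]:version[:scope]' into (group, artifact, version, scope)."""
    parts = coord.split(":")
    if len(parts) == 4:      # root project line: no scope
        g, a, _type, v = parts
        return g, a, v, "root"
    if len(parts) == 5:
        g, a, _type, v, s = parts
        return g, a, v, s
    if len(parts) == 6:      # with classifier
        g, a, _type, _cls, v, s = parts
        return g, a, v, s
    return None


def parse_tree(text):
    """Turn dependency:tree output into Node objects with their ancestor path."""
    nodes, stack = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("[INFO] "):
            line = line[len("[INFO] "):]
        m = _LINE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        if coord.startswith("("):   # -Dverbose "omitted for conflict" entries: not on the classpath
            continue
        parsed = parse_coordinates(coord)
        if parsed is None:          # plugin banners, BUILD SUCCESS, timings, ...
            continue
        g, a, v, s = parsed
        depth = len(prefix) // 3
        del stack[depth:]           # pop back to this node's parent
        node = Node(g, a, v, s, depth)
        node.path = [f"{n.artifact}:{n.version}" for n in stack] + [f"{a}:{v}"]
        stack.append(node)
        nodes.append(node)
    return nodes


def find_vulnerable_log4j(tree_text, patched=PATCHED):
    """Return one finding per affected artifact older than `patched`, with scope and pull-in chain."""
    findings = []
    for n in parse_tree(tree_text):
        if (n.group, n.artifact) in AFFECTED and parse_version(n.version) < patched:
            findings.append({
                "version": n.version,
                "scope": n.scope,
                # compile/runtime ship with the application; test/provided do not
                "on_runtime_classpath": n.scope in ("compile", "runtime"),
                "path": n.path,
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        where = "ships with the app" if f["on_runtime_classpath"] else "not on the runtime classpath"
        print(f"log4j-core {f['version']} ({f['scope']} scope, {where}) via " + " -> ".join(f["path"]))
```

On the sample tree the only finding is log4j-core 2.11.2 at compile scope, pulled in through legacy-lib, while the hibernate-validator subtree yields nothing, matching the answer. Tools that only read the project's own pom.xml miss the transitive case; the tree is what to scan, and the reported path tells you which direct dependency to upgrade or add an `<exclusion>` for.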