The best programming practice for using a third-party library is to declare it as an external dependency in the build manifest (for Java, the Maven or Gradle dependency list) and import it from there. This is the easiest method, and it is also how most dependency analyzers decide whether a vulnerable library is present. But any time code is pulled into a project without being referenced as an external package, traditional dependency analysis may not be enough to find it, and that includes the common tricks Java developers use to resolve conflicting dependencies while building a project.
In a new study by JFrog, 400 packages on the Maven Central repository were found to contain the Log4j code without calling it as an external package. About a third of these came from fat jars, jar files that bundle all of an application's external dependencies into a single archive so that it ships as one self-contained artifact. The rest came from inserting Log4j code directly into the package's own code, including by shading, a workaround used when two or more dependencies pull in different versions of the same library in a potentially conflicting way: the library's classes are copied into the package under a renamed (relocated) package path, so the build no longer lists them as a dependency. While 400 may not seem like many for Maven Central (Google found 17,000 packages depending on the vulnerable Log4j library), some of the 400 packages discovered by JFrog are widely used.
Asaf Karas, CTO of JFrog Security Research, said: “We are familiar with some packages. Some are commercially supported, some are maintained by the community. Some are very important.”
JFrog scans Maven Central with a deep open-source scanner it released on December 28. Karas recommends that enterprises apply the same scanner to their own Java applications, since what turns up in Maven Central's packages may be indicative of how a company builds its own internal and product software.
While the 400 packages contain undeclared Log4j, in about 70% of cases they also declare dependencies that themselves use Log4j, which might light up a conventional scanner, albeit pointing at the declared dependency rather than at the embedded copy. The remaining cases declare no Log4j path at all, so a manifest-based analyzer has nothing to flag, and only an inspection of the jar's actual contents will find the library.
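The scanning approach the two preceding passages describe, fat jars and shaded copies on one side and a content scanner that does not trust the dependency list on the other, as an added example. This is illustrative code written for this page, not JFrog's scanner or any tool mentioned in the article. It constructs its own sample jar in memory (a shaded, relocated copy of Log4j plus an unmodified log4j-core jar nested under BOOT-INF/lib, with no Log4j entry in the Maven metadata), then contrasts what a metadata-only check sees with what a recursive walk of the archive finds. The marker class paths, the `declares_log4j` and `scan_archive` names and the sample jar layout are all assumptions made for the example.

```python
import io
import zipfile

# Path suffixes of Log4j 2 classes that implement the JNDI lookup. They are matched as
# suffixes so that a copy relocated by the shade plugin (for example
# com/example/shaded/log4j/core/lookup/JndiLookup.class) is still found.
# Hypothetical marker list chosen for this example; a real scanner would carry more.
LOG4J_CLASS_MARKERS = (
    "/core/lookup/JndiLookup.class",
    "/core/net/JndiManager.class",
)
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Constructed stand-in for a compiled class: class-file magic plus a version word.
CLASS_STUB = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"


def _open_zip(data: bytes):
    """Open bytes as a zip archive, returning None for anything that is not one."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def declares_log4j(data: bytes) -> bool:
    """What a metadata-only check sees. Maven writes META-INF/maven/<groupId>/<artifactId>/
    pom.properties into jars it builds; a shaded or hand-copied Log4j leaves no such entry."""
    zf = _open_zip(data)
    if zf is None:
        return False
    with zf:
        return any(n.startswith("META-INF/maven/org.apache.logging.log4j/") for n in zf.namelist())


def scan_archive(data: bytes, label: str = "<root>", depth: int = 0, max_depth: int = 8) -> list:
    """Walk every entry of a jar/zip, recursing into nested archives (fat jars, Spring Boot
    BOOT-INF/lib), and return 'outer!inner!path' strings for each Log4j marker class found.
    Nothing here consults pom.xml or MANIFEST.MF, so undeclared copies are caught."""
    findings = []
    zf = _open_zip(data)
    if zf is None:
        return findings
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(LOG4J_CLASS_MARKERS):
                findings.append(f"{label}!{name}")
            elif name.lower().endswith(NESTED_ARCHIVE_SUFFIXES) and depth < max_depth:
                findings.extend(scan_archive(zf.read(info), f"{label}!{name}", depth + 1, max_depth))
    return findings


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory zip from a name -> bytes mapping, preserving insertion order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed test input: an application jar that (a) shades a relocated copy of Log4j
    and (b) bundles an unmodified log4j-core jar under BOOT-INF/lib, but whose own Maven
    metadata declares only the application itself."""
    inner_log4j = _zip_bytes({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"artifactId=log4j-core\n",
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": CLASS_STUB,
        "org/apache/logging/log4j/core/net/JndiManager.class": CLASS_STUB,
    })
    return _zip_bytes({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: com.example.App\n",
        "META-INF/maven/com.example/app/pom.properties": b"artifactId=app\n",
        "com/example/App.class": CLASS_STUB,
        # shaded + relocated copy: no org/apache prefix, no dependency entry anywhere
        "com/example/shaded/log4j/core/lookup/JndiLookup.class": CLASS_STUB,
        # fat-jar style: the whole upstream jar embedded as a nested archive
        "BOOT-INF/lib/log4j-core.jar": inner_log4j,
    })


if __name__ == "__main__":
    jar = build_sample_fat_jar()
    print("Log4j declared in Maven metadata:", declares_log4j(jar))
    for hit in scan_archive(jar):
        print("found:", hit)
```

Run against the constructed jar, `declares_log4j` reports False while `scan_archive` reports three hits: the relocated `JndiLookup.class` at the top level and both marker classes inside the nested `log4j-core.jar`. The relocated copy is exactly the case a dependency-list scanner cannot see; matching on the tail of the class path rather than on the `org/apache/logging/log4j` package prefix is what keeps it from slipping past the content scan.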
JFrog had not released the names of the potentially vulnerable packages it found on Maven Central at the time of its disclosure.
“It’s a process where we try to really understand which are the most popular and then disclose that information there first,” Karas said.
“But we don’t want to delay the fact that people should be aware of this threat.”

