It detects the usage of log4j versions vulnerable to CVE-2021-44228.
$ ./gradlew run --args=/path/to/my.jar
The input can be a jar file, class file, directory, Android aar, or Android apk.
How does it work?
The detector looks for a specific constructor that appears in log4j < 2.15.0,
similar to this Yara rule.
ProGuardCORE is used to parse the input, and a combination of class and member
filters is used to look for the specific constructor.
dex2jar is used to convert dex files in Android APK files to class files.
Shadow packed applications
Shadow packed versions of log4j should be detected, for example if
the log4j package is renamed to
If an application is obfuscated, the detector may not detect the vulnerability,
since detection is name-based.
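The name-based check described under "How does it work?" and its behaviour on shadow packed and obfuscated inputs, as an added Python sketch (not this project's code, which uses ProGuardCORE filters). It handles jar input only and matches on Utf8 constant-pool strings rather than parsing the method table. The class name `JndiManager` and the constructor descriptor are assumptions not stated on this page, and `make_jar` builds constructed stub classes for testing.

```python
import io, struct, zipfile

# Assumption (not on the page): marker is JndiManager's two-argument constructor.
MARKER_CLASS = "JndiManager.class"
MARKER_DESC = "(Ljava/lang/String;Ljavax/naming/Context;)V"

# Constant-pool tag -> payload size in bytes (Utf8, tag 1, is variable length).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the set of Utf8 constant-pool strings in a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return set()
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, out = 10, 1, set()
    while idx < count and pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 1:
            n = struct.unpack_from(">H", data, pos)[0]
            out.add(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            break  # unknown tag: stop instead of misreading the pool
        idx += 2 if tag in (5, 6) else 1  # long/double take two slots
    return out

def scan_jar(jar_bytes):
    """Return archive entries that look like a vulnerable JndiManager."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # Match the simple class name only, so a relocated package still hits.
            if name.rsplit("/", 1)[-1] == MARKER_CLASS:
                consts = utf8_constants(jar.read(name))
                if "<init>" in consts and MARKER_DESC in consts:
                    hits.append(name)
    return hits

def make_jar(entries):
    """Constructed test input: jar of stub classes holding only Utf8 constants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, strings in entries.items():
            pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
            jar.writestr(name, b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(strings) + 1) + pool)
    return buf.getvalue()
```

A renamed class (for example `a/b/c.class`) carrying the same constructor is not reported, which is the obfuscation limitation noted above.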