Snyk Blog

Snyk makes it easier to fix Log4Shell with extended free scans

Written by:
Simon Maple
Simon Maple
wordpress-sync/blog-feature-log4j-vulnerability-green

December 21, 2021

0 mins read

Due to the recently discovered Log4Shell vulnerability, and to support the tremendous effort being mounted by the community to address it, we are happy to announce that we are increasing the free test limit in Snyk Open Source!

This means that any developer, no matter the company or project, can now use Snyk Open Source to find and fix Log4Shell with double the number of free tests, whether it’s within your IDE, your Git repositories, CI environments, or using the Snyk CLI.

Testing the (free) limits

Over the past ten days, we’ve witnessed firsthand the swift action taken by our users, and the community at large, to mitigate Log4Shell. During last week alone, the number of Java projects imported and scanned by Snyk Open Source was 6X compared to previous weeks. These numbers reflect both the sense of urgency around the vulnerability and the prevalence of the vulnerability in applications.

We’ve also noticed a significant increase in the number of free Snyk Open Source users hitting their monthly free test limits. When this happens, recurring tests are disabled which makes it impossible to retest a project until the next calendar month. With events still unfolding and new details about Log4Shell being revealed on almost a daily basis, we want to remove this potential barrier for those of you currently in the trenches tackling Log4Shell.

What do the new test limits mean?

  • If you’re a maintainer of an open source project, nothing has changed. Snyk’s products are available for free, with unlimited testing.

  • If you’re working on a closed source project, you now have 400 free tests instead of the regular 200. This extension is valid for the next 30 days, after which the regular test limit will be put back in place.

Mitigating Log4Shell with the new allowance

The doubled free test limit provides the breadth and flexibility needed to test and retest applications as seen fit and thus gain complete security coverage. We highly encourage the community to make use of the new free test allowance to address Log4Shell in any of the following ways:

  • Snyk CLI: The Snyk CLI can be used to test applications either manually or as part of your CI pipelines. In addition to testing your Java dependencies for the Log4Shell, the newly released snyk log4shell command extends testing in the Snyk CLI to cover .jar files as well.

  • IDE: You can test your applications for Log4Shell using Snyk’s plugins for IntelliJ IDEA (and other JetBrains IDEs), Visual Studio, Visual Studio Code, and Eclipse.

  • Git: You can test your applications by importing them via SCM integrations for GitHub, Bitbucket, GitLab, and Azure Repos. This not only tests the project upon import but also ensures you are notified about new vulnerabilities and available fixes in the future.

  • CI/CD:To integrate Snyk’s testing into your existing CI/CD pipelines, you can use native integrations for Jenkins, CircleCI, GitHub Actions, Azure Pipelines, or as mentioned above, deploy the Snyk CLI as one of the steps in your pipeline.

To understand a bit more about how to use Snyk to find and fix Log4Shell in your application, please refer to this blog post about finding and fixing Log4Shell in your projects, dependencies, and transitive dependencies.

Need help?

In addition to raising our free test limits, we’ve also been busy creating a wide array of resources that can help you learn more about Log4Shell itself and how to mitigate it — including webinars, blog posts, cheat sheets, videos, and more. Check out this Log4Shell toolkit today.

Snyk Learn — Snyk’s free and interactive developer education tool — includes a new dedicated Log4Shell lesson for helping developers better understand the vulnerability and how to mitigate it.

On top of all that, we will be holding a live hacking session on Tuesday, December 21 on Log4Shell, during which we will dive into some examples of the exploit in action as well as provide some detailed remediation approaches.

Over the past 10 days, it’s been invigorating to see the community’s response to Log4Shell. Immediately understanding the gravity of the situation, development and security teams across the globe have rushed in to tackle the vulnerability head on. We hope that the new test limits in Snyk Open Source will help strengthen these efforts.

Posted in:Vulnerability Insights, Open Source Security, Application Security
wordpress-sync/blog-feature-log4j-vulnerability-green

How CISOs are Transforming their DevSecOps Strategies

500 devs to 1 security professional is the reality of today. The security pro’s role must transform into an aware, knowledgeable, supportive partner capable of empowering developers to make security decisions.

See the playbook

Start securing AI-generated code

Create your free Snyk account to start securing AI-generated code in minutes. Or book an expert demo to see how Snyk can fit your developer security use cases.

No credit card required.

Start free with GithubStart free with Google

Or Sign up with

SSOBitbucketAzure ADDocker ID

By logging in or signing up, you agree to abide by our policies, including our Terms of Service and Privacy Policy

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon