Skip to main content

Snyk makes it easier to fix Log4Shell with extended free scans

著者:
wordpress-sync/blog-feature-log4j-vulnerability-green

2021年12月21日

0 分で読めます

Due to the recently discovered Log4Shell vulnerability, and to support the tremendous effort being mounted by the community to address it, we are happy to announce that we are increasing the free test limit in Snyk Open Source!

This means that any developer, no matter the company or project, can now use Snyk Open Source to find and fix Log4Shell with double the number of free tests, whether it’s within your IDE, your Git repositories, CI environments, or using the Snyk CLI.

Testing the (free) limits

Over the past ten days, we’ve witnessed firsthand the swift action taken by our users, and the community at large, to mitigate Log4Shell. During last week alone, the number of Java projects imported and scanned by Snyk Open Source was 6X compared to previous weeks. These numbers reflect both the sense of urgency around the vulnerability and the prevalence of the vulnerability in applications.

We’ve also noticed a significant increase in the number of free Snyk Open Source users hitting their monthly free test limits. When this happens, recurring tests are disabled which makes it impossible to retest a project until the next calendar month. With events still unfolding and new details about Log4Shell being revealed on almost a daily basis, we want to remove this potential barrier for those of you currently in the trenches tackling Log4Shell.

What do the new test limits mean?

  • If you’re a maintainer of an open source project, nothing has changed. Snyk’s products are available for free, with unlimited testing.

  • If you’re working on a closed source project, you now have 400 free tests instead of the regular 200. This extension is valid for the next 30 days, after which the regular test limit will be put back in place.

Mitigating Log4Shell with the new allowance

The doubled free test limit provides the breadth and flexibility needed to test and retest applications as seen fit and thus gain complete security coverage. We highly encourage the community to make use of the new free test allowance to address Log4Shell in any of the following ways:

  • Snyk CLI: The Snyk CLI can be used to test applications either manually or as part of your CI pipelines. In addition to testing your Java dependencies for the Log4Shell, the newly released snyk log4shell command extends testing in the Snyk CLI to cover .jar files as well.

  • IDE: You can test your applications for Log4Shell using Snyk’s plugins for IntelliJ IDEA (and other JetBrains IDEs), Visual Studio, Visual Studio Code, and Eclipse.

  • Git: You can test your applications by importing them via SCM integrations for GitHub, Bitbucket, GitLab, and Azure Repos. This not only tests the project upon import but also ensures you are notified about new vulnerabilities and available fixes in the future.

  • CI/CD:To integrate Snyk’s testing into your existing CI/CD pipelines, you can use native integrations for Jenkins, CircleCI, GitHub Actions, Azure Pipelines, or as mentioned above, deploy the Snyk CLI as one of the steps in your pipeline.

To understand a bit more about how to use Snyk to find and fix Log4Shell in your application, please refer to this blog post about finding and fixing Log4Shell in your projects, dependencies, and transitive dependencies.

Need help?

In addition to raising our free test limits, we’ve also been busy creating a wide array of resources that can help you learn more about Log4Shell itself and how to mitigate it — including webinars, blog posts, cheat sheets, videos, and more. Check out this Log4Shell toolkit today.

Snyk Learn — Snyk’s free and interactive developer education tool — includes a new dedicated Log4Shell lesson for helping developers better understand the vulnerability and how to mitigate it.

On top of all that, we will be holding a live hacking session on Tuesday, December 21 on Log4Shell, during which we will dive into some examples of the exploit in action as well as provide some detailed remediation approaches.

Over the past 10 days, it’s been invigorating to see the community’s response to Log4Shell. Immediately understanding the gravity of the situation, development and security teams across the globe have rushed in to tackle the vulnerability head on. We hope that the new test limits in Snyk Open Source will help strengthen these efforts.