
New Nexus Repository Visualizer Provides Insights into Log4j Usage

Approx read time: 3.5 mins

The clock continues to tick as exploits for the recently discovered Log4j vulnerability are expected to continue well into the coming months, and even years. Companies are rushing to scan applications to locate vulnerable components affected by the Log4j attacks.

To help speed up this process, we are excited to announce Sonatype’s new Log4j Visualizer feature in Nexus Repository (as of version 3.37.2), available to all Nexus OSS and Pro users.

The Log4j Visualizer gives engineering teams a spotlight on Maven Log4j component downloads within their organization, including components impacted by Log4j that are hosted on internal repositories. It covers packages impacted by CVE-2021-44228, in views separated by repository, username, and IP address.

As stewards of Maven Central, Sonatype teams are working hard to ensure organizations have reliable and fast access to the latest Log4j fixes. Our resources for code quality, application scanning, and threat intel accelerate protection for the software supply chain. The Log4j Visualizer will do the same with the key features highlighted below.

Show Log4j Component Downloads in your Organization

Getting started with the new feature is simple: after logging into Nexus Repository, you will see a prompt to enable the Log4j Visualizer. If you accept, you’ll see three separate datasets, as shown below:

Screen capture of the Log4j Visualizer

Details:

  • Table 1: Repository
    Breaks down how many times users downloaded Log4j components that are impacted by CVE-2021-44228 from specific repositories.
  • Table 2: Username
    Shows the usernames associated with accounts downloading impacted components.
  • Table 3: IP Address
    Displays the IP addresses that have downloaded impacted components.
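The three tables above are aggregations of successful download requests for impacted Log4j artifacts. As an added example (not Sonatype's code or the visualizer's implementation), the script below builds the same three breakdowns from constructed, combined-log-style request lines; the log format, the repository path layout, and the rule that log4j-core 2.x before 2.15.0 counts as impacted by CVE-2021-44228 are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in a combined-log style (not real Nexus output).
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Dec/2021:14:01:02 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar HTTP/1.1" 200 1745000
10.0.0.5 - alice [10/Dec/2021:14:01:03 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar HTTP/1.1" 200 300000
10.0.0.9 - bob [11/Dec/2021:09:30:00 +0000] "GET /repository/maven-releases/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar HTTP/1.1" 200 1700000
10.0.0.9 - bob [11/Dec/2021:09:30:05 +0000] "HEAD /repository/maven-releases/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar HTTP/1.1" 200 0
10.0.0.12 - carol [12/Dec/2021:08:00:00 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar HTTP/1.1" 200 1800000
10.0.0.12 - carol [12/Dec/2021:08:00:01 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar HTTP/1.1" 404 0
"""

# Assumed line shape: client IP, ident, username, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) '
    r'/repository/(?P<repo>[^/]+)/(?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Maven layout: <groupId as path>/<artifactId>/<version>/<artifactId>-<version>.jar
ARTIFACT_RE = re.compile(
    r'^org/apache/logging/log4j/log4j-core/(?P<version>[^/]+)/log4j-core-[^/]+\.jar$'
)

def is_impacted(version):
    """Assumption for this example: log4j-core 2.x below 2.15.0 is impacted by CVE-2021-44228."""
    parts = version.split('-')[0].split('.')   # "2.0-beta9" -> ["2", "0"]
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (ValueError, IndexError):
        return False
    return major == 2 and minor < 15

def summarize(log_text):
    """Count successful downloads of impacted log4j-core jars by repository, user and IP."""
    by_repo, by_user, by_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'GET' or m['status'] != '200':
            continue  # HEAD probes and failed requests are not downloads
        a = ARTIFACT_RE.match(m['path'])
        if not a or not is_impacted(a['version']):
            continue  # other artifacts, or a fixed log4j-core version
        by_repo[m['repo']] += 1
        by_user[m['user']] += 1
        by_ip[m['ip']] += 1
    return by_repo, by_user, by_ip

if __name__ == '__main__':
    for title, table in zip(('Repository', 'Username', 'IP Address'), summarize(SAMPLE_LOG)):
        print(title, dict(table))
```

On the sample above, alice's and bob's successful log4j-core downloads are counted once each, while the HEAD probe, the 404, the log4j-api download and the fixed 2.16.0 version are excluded.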

The interface also allows users to view the status of individuals by typing in any of the above (repository name, username, or IP address). The feature requires (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Chris Good. Read the original post at: https://blog.sonatype.com/new-nexus-repository-visualizer-provides-insights-into-log4j-usage