Add a post on the state of the log4j CVE in the Scala ecosystem.

[sjrd]

Also cc @romanowski , @tgodzik , @lrytz

Also if there are library maintainers who would like to share the status of their libraries, feel free to say so.

[vincenzobaz]

Extremely clear and precise. I would add a conclusion to reassure and call to action

[sjrd]

I would add a conclusion to reassure and call to action

Do you have an example/draft of what you have in mind?

[lrytz]

I saw this floating around on twitter today: https://github.com/stripe/log4j-remediation-tools

But neither tried it nor looked at it in any depth.

[vincenzobaz]

Do you have an example/draft of what you have in mind?

Something along the lines of:

Conclusion

The log4j vulnerabilities shook our community and reminded us how dependent we all are on open source software.
We are grateful to the maintainers and contributors of Scala open source libraries who reacted quickly to protect their users and to the people behind the tools that enabled such a quick response.

Please do not hesitate to update this post with libraries and tools vulnerable to the CVEs and to propose tools to help address them.

[sjrd]

Thanks. I added your suggestions.

[romanowski]

LGTM.

I only wonder if we can also include a small snippet with an sbt task (or piece of code to run in sbt console) to filter fullClasspath based on groupId, name and version attributed from Attributed matching affected log4j versions.

[sjrd]

I only wonder if we can also include a small snippet with an sbt task (or piece of code to run in sbt console) to filter fullClasspath based on groupId, name and version attributed from Attributed matching affected log4j versions.

My intuition would be to use grep for that. Do you have something smarter in mind?

[eed3si9n]

Suggested change

	The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors. For further technical guidance, see [Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) for example.

[SethTisue]

👍

[SethTisue]

s/written in sbt/built with sbt/

[SethTisue]

s/identify the classpath/determine the classpath/

[SethTisue]

How old, exactly? ("version x.y or earlier")

[eed3si9n]

Suggested change

	With older versions of sbt, the command looks like
	Prior to sbt 1.1.0, the command looks like

[eed3si9n]

Suggested change

	| Artifact or tool name | Fixed in version |
	|-----------------------|------------------|
	| sbt | 1.5.7 |
	| Artifact or tool name | Affected versions | Fixed in version |
	|----------------------|------------------|------------------|
	| sbt | 1.x < 1.5.7 | 1.5.7 |
	Log4j is not enabled by default since sbt 1.4.0, but all users are recommended to upgrade to the latest fixed version. Any organization using sbt as part of CI/CD (continuous integration and delivery), automated publishing, and projects that expose TCP/IP entry point during testing may be most vulnerable to an exploit.

[eed3si9n]

Should we recommend externalClasspath instead? For a large project, this would cut down some noise coming from internal (other subprojects) classpath.

[sjrd]

I added a sentence to suggest externalClasspath in some cases for large builds. Let me know if it looks accurate to you.

[eed3si9n]

💯

[eed3si9n]

Thanks for writing this up!

[sjrd]

Updated with your suggestions.

[sjrd]

Thanks for the reviews. I'll merge it now, but further comments and updates are of course very welcome.

[som-snytt]

non-comprehensive