Syft is also able to discern which version of Log4j a Java application contains. The Log4j JAR can be directly included in our project, or it can be hidden away in one of the dependencies we include.

Why you may already be at risk, how to detect and mitigate the Log4j vulnerabilities now, and how to improve your code security in the future.

There are 17,000 unpatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits.