This article describes how FortiDevSec detects Log4j2 vulnerabilities and other publicly disclosed vulnerabilities in web application source code and packages through its Software Composition Analysis (SCA) scans, early in the application's development lifecycle on the CI/CD pipeline.
This article applies to the FortiDevSec Software Composition Analysis (SCA) scanner, which attempts to detect publicly disclosed vulnerabilities contained within project dependencies.
It does this by determining whether there is a Common Platform Enumeration (CPE) identifier for a given dependency.
If one is found, it generates a report linking to the associated CWE and CVE details.
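The dependency-to-CPE matching described above, as an added illustration that is not FortiDevSec's own code: a Maven coordinate is mapped to a CPE 2.3 identifier and that identifier is checked against an advisory table keyed on version ranges. The coordinate-to-CPE mapping is an assumption for this example, and the advisory rows, identifiers and version ranges are constructed placeholders rather than real advisory data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed lookup table: Maven groupId:artifactId -> (CPE vendor, CPE product).
# The mapping shown is an assumption for this example, not FortiDevSec's own data.
CPE_MAP: Dict[str, Tuple[str, str]] = {
    "org.apache.logging.log4j:log4j-core": ("apache", "log4j"),
}

# Constructed advisory table: (vendor, product) -> rows of
# (first affected version, first fixed version, advisory id, CWE id).
# Identifiers and version ranges are placeholders, not real advisory data.
ADVISORIES: Dict[Tuple[str, str], List[Tuple[str, str, str, str]]] = {
    ("apache", "log4j"): [
        ("2.0", "2.15.0", "ADVISORY-PLACEHOLDER-1", "CWE-PLACEHOLDER-1"),
    ],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def to_cpe(group: str, artifact: str, version: str) -> Optional[str]:
    """Build a CPE 2.3 identifier for a dependency, or None if it is unknown."""
    vendor_product = CPE_MAP.get(f"{group}:{artifact}")
    if vendor_product is None:
        return None
    vendor, product = vendor_product
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"

def find_vulnerabilities(group: str, artifact: str, version: str) -> List[dict]:
    """Report every advisory row whose version range covers this dependency."""
    cpe = to_cpe(group, artifact, version)
    if cpe is None:
        return []  # no CPE identifier means the SCA check has nothing to match on
    _, _, _, vendor, product, ver = cpe.split(":")[:6]
    v = parse_version(ver)
    findings = []
    for first_affected, first_fixed, advisory_id, cwe in ADVISORIES.get((vendor, product), []):
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            findings.append({"cpe": cpe, "advisory": advisory_id,
                             "cwe": cwe, "fixed_in": first_fixed})
    return findings

if __name__ == "__main__":
    for dep in [("org.apache.logging.log4j", "log4j-core", "2.14.1"),
                ("org.apache.logging.log4j", "log4j-core", "2.17.1")]:
        print(dep, find_vulnerabilities(*dep))
```

A dependency with no CPE mapping yields no finding at all, which is why SCA results depend on the completeness of the identifier database as much as on the advisory data itself.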
1) Add the FortiDevSec application (for instance: Log4J-Demoapp) and perform a scan on the referenced source code repository so that the SCA scan's vulnerability findings are updated to the added FortiDevSec application, following the steps in the user guide available at http://docs.fortinet.com/document/fortidevsec/22.2.0/user-guide/193200/scanning-an-application.
2) Once the scan is performed, the vulnerability findings are updated to the FortiDevSec application (Log4J-Demoapp) under the Software Composition Analysis (SCA) scanner.
3) Go to the Application page and select the SCA scans.
4) Selecting the vulnerabilities link for the SCA scan opens the vulnerability details page.
CVE details for the respective vulnerabilities are displayed under the Category filter along with their counts.
5) Selecting any of the vulnerability findings in the right pane shows further details on the vulnerability, such as Description/Issue, Severity, Vulnerable library file, CWE and OWASP Top 10.
For more information about this attack and vulnerability, see the FortiGuard Outbreak Alert:
Reference source code repository used for Log4j vulnerability detection: https://github.com/dileepdkumar/log4j-demoapp.git