On the Hacker News front page I saw that Google has released a tool written in Go that scans JAR files for an affected copy of Log4j: "log4jscanner". The corresponding discussion is at "Log4jscanner (github.com/google)".
It looks like an internal tool; the VCS history was squashed before it was open sourced:
We unfortunately had to squash the history when open sourcing. The following contributors were instrumental in this project's development: [...]
Someone in the discussion also mentioned that "OWASP Dependency-Check" can scan for this too, and that tool is more general-purpose:
Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST.
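As an added illustration of what such a JAR scan does (this is example code, not log4jscanner's own or Google's): it opens a JAR as a zip archive, recurses into nested JARs (fat jars, WAR/EAR libs) and reports every archive that still ships `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class whose removal was the stock Log4Shell mitigation. The fixture JARs are constructed in memory; `buildJAR` and the `"outer!inner"` path format are my own choices.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"strings"
)

const jndiLookupClass = "org/apache/logging/log4j/core/lookup/JndiLookup.class" // class behind Log4Shell; its presence is the signal
// scanJAR checks one JAR held in memory, recursing into nested JARs, and returns each archive path ("outer.jar!lib/inner.jar") that still ships the class.
func scanJAR(name string, data []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", name, err)
	}
	var hits []string
	for _, f := range r.File {
		if f.Name == jndiLookupClass {
			hits = append(hits, name)
		} else if strings.HasSuffix(f.Name, ".jar") {
			inner, err := fs.ReadFile(r, f.Name) // zip.Reader implements fs.FS
			if err != nil {
				return nil, fmt.Errorf("%s!%s: %w", name, f.Name, err)
			}
			sub, err := scanJAR(name+"!"+f.Name, inner)
			if err != nil {
				return nil, err
			}
			hits = append(hits, sub...)
		}
	}
	return hits, nil
}
// buildJAR writes an in-memory zip from name->content pairs; it only builds constructed test fixtures, not real packages.
func buildJAR(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for n, c := range entries {
		fw, _ := w.Create(n)
		fw.Write(c)
	}
	w.Close()
	return buf.Bytes()
}
func main() {
	inner := buildJAR(map[string][]byte{jndiLookupClass: []byte("\xca\xfe\xba\xbe")}) // constructed log4j-core stand-in
	outer := buildJAR(map[string][]byte{"META-INF/MANIFEST.MF": nil, "lib/log4j-core.jar": inner})
	fmt.Println(scanJAR("app.jar", outer)) // [app.jar!lib/log4j-core.jar] <nil>
}
```

A presence check like this is only a first pass: builds that were patched but still carry the class, or that load Log4j from outside the JAR, need version-aware follow-up, which is why the tools above are what to run for real.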