Good news! We have added additional functionality to the Cloudsmith API and CLI to enable you to search for dependencies (such as the ever-dreaded log4j) across packages stored within Cloudsmith repositories.
The syntax is dependency:<name>, so to search for log4j dependencies, you specify dependency:log4j. The functionality is available via the UI, the API and the CLI.
For example, you can search via the CLI using:
The above only tells you which packages have a direct/non-transitive dependency on log4j. However, suppose you're utilising Cloudsmith as a proper Single Source of Truth and store all packages that your applications utilise. In that case, it is possible to detect all uses of log4j (because all software packages will be in one place).
Using the new package dependencies API, you can then confirm the versions of those dependencies. The functionality is also available via the latest Cloudsmith CLI release, 0.31.1 or above, which includes a new dependencies sub-command that can list dependencies for a package.
For example, using the "identifier" for the package from above:
In addition, we have added a feature to block downloads (i.e. prevent installation) for impacted versions of log4j. You can enable the block in any Cloudsmith repository on the settings page.
It looks like:
The above will automatically block log4j-related downloads unless they meet a specific version constraint. The blocking applies to both local (cached) and upstream packages. A package is considered related to log4j if the GroupID is org.apache.logging.log4j and the ArtifactID contains log4j (e.g. log4j-core).
You can find additional information and examples in our related blog post, and if you have any questions, please just reach out and contact us.
On 10th December 2021, a critical severity Remote Code Execution (RCE) exploit disclosure for log4j was published, as CVE-2021-44228, affecting versions below 2.15.0. The vulnerability has been coined as Log4Shell. The log4j framework allows Java developers to log data (incl. user-based) in their applications. Is Cloudsmith impacted? In short: No…
After nearly a year of effort in which we designated 2021 as the “Year of Security,” we’re incredibly proud to announce that we are now ISO27001:2013 certified. The certification is an incredible achievement by the team at Cloudsmith and excellent news for all of our customers. What exactly is ISO27001:2013? ISO27001:2013, also known as ISO27001…
One of the features our customers have requested is the ability to sort packages when querying via the Cloudsmith API. Good news everyone - we can now offer that functionality! What does this mean for me? By default we will sort packages by the uploaded date descending (the most recently uploaded package first), but what if you wanted to view w…
Our more observant Debian users may have noticed that we rolled out support for acquire-by-hash over the past week - you may have also noticed fewer pipeline disruptions as a result! What does this mean for me? If you're someone spinning many plates, you may have encountered some hiccups with your pipeline when updating your repository whilst sim…
Good news! As part of our efforts to further secure access for users in your org, we're introducing the ability to enforce SAML-only Authentication. Plus, a bonus is that SAML is now fully self-service configurable: With SAML-only Authentication configured, all members of your organization will no longer be able to use password-based or social-bas…
Good news! You can now set a custom support email and URL for your organizations. For error messages when installs or setups go wrong or where we need to communicate an issue to your users, we'll now display your own support email and URL. You can configure it in your org profile settings: For example, if your users use the automated bash installs…
By submitting this form, you agree to our privacy policy
