log4shell vs trivy

log4shell

Operational information regarding the log4shell vulnerabilities in the Log4j logging library. (by NCSC-NL)

Suggest topics

DISCONTINUED

Suggest alternative

Edit details

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more (by aquasecurity)

Security security-tools Docker Containers vulnerability-scanners vulnerability-detection Vulnerability Golang Go Kubernetes HacktoberFest Devsecops misconfiguration infrastructure-as-code Iac

Source Code

aquasecurity.github.io

Suggest alternative

Edit details

InfluxDB - Power Real-Time Data Analytics at Scale

Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

www.influxdata.com

featured

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

featured

log4shell		trivy
	Project
41	Mentions	83
1,876	Stars	21,388
-	Growth	1.9%
9.9	Activity	9.8
almost 2 years ago	Latest Commit	4 days ago
Python	Language	Go
-	License	Apache License 2.0

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

log4shell

Posts with mentions or reviews of log4shell. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-17.

Wetsvoorstel om cyberdreigingsinformatie breder te delen naar Tweede Kamer | Netherlands proposes law change to allow it's NCSC to share information more widely - Bill to share cyber threat information more broadly to the House of Representatives
1 project | /r/blueteamsec | 24 Apr 2022

I hope more organizations and governments do this. They had an excellent resource for Log4J. https://github.com/NCSC-NL/log4shell
Are older OSs (specifically Mojave) extremely vulnerable to log4j, since they are no longer being patched?
1 project | /r/MacOS | 9 Jan 2022
Western Digital warns owners of My Cloud hard drives to update immediately
1 project | /r/DataHoarder | 21 Dec 2021

A few
Log4j2 and consumer routers
1 project | /r/HomeNetworking | 19 Dec 2021
Log4j UPDATE: 2.16 has a 7.5 DoS, 2.17 released
1 project | /r/sysadmin | 18 Dec 2021

Nice list - https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
Log4J – A 10 step mitigation plan
1 project | dev.to | 17 Dec 2021

There are various tools, nicely again enumerated by NCSC-NL at their Github repository with which you can detect whether you are vulnerable. See which one you like best given the situation you are in.

4 projects | dev.to | 17 Dec 2021

Check what other software you are running and see if the software is vulnerable according to the list published by the NCSC-NL. CISA.gov has a similar registry.
I'm the closest thing to a system administrator at my company, and I don't know anything... what do I do about log4j, if anything?
1 project | /r/sysadmin | 17 Dec 2021

There are multiple lists of software, the one I use is by the Dutch Cyber Security Center: https://github.com/NCSC-NL/log4shell/tree/main/software Everyday I cross reference on new changes and see if it effects my list. The list can be quite extensive and you might miss the most obvious ones like you FW, switches, SAN or some print software.
Log4J - Have your customer been breached? What have you seen if anything?
4 projects | /r/msp | 17 Dec 2021

NCSC-NL has a researched list of specific vulnerabilities.
GLPI IS NOT affected by the Log4j vulnerability CVE-2021-44228
5 projects | /r/glpi | 17 Dec 2021

trivy

Posts with mentions or reviews of trivy. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-05-01.

Cloud Security and Resilience: DevSecOps Tools and Practices
10 projects | dev.to | 1 May 2024

4. Trivy: https://github.com/aquasecurity/trivy Trivy is a versatile tool that scans for vulnerabilities in your containers, and also checks for vulnerabilities in your application dependencies.
A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
6 projects | dev.to | 16 Apr 2024

Trivy Owner/Maintainer: Aqua Security Age: First released on GitHub on May 7th, 2019 License: Apache License 2.0 backward-compatible with tfsec
Suas imagens de container não estão seguras!
4 projects | dev.to | 20 Mar 2024
General Docker Troubleshooting, Best Practices & Where to Go From Here
3 projects | dev.to | 19 Jan 2024

Trivy. A Simple and Comprehensive Vulnerability Scanner for Containers.
Distroless images using melange and apko
8 projects | dev.to | 22 Dec 2023

Using Trivy:
Friends - needs help choosing solution for SBOM vulnerability
2 projects | /r/devops | 1 Jun 2023
An Overview of Kubernetes Security Projects at KubeCon Europe 2023
17 projects | dev.to | 22 May 2023

Trivy is a mature and comprehensive open source tool from Aqua Security that supports scanning multiple sources, from file systems to containers and VMs. Trivy also looks beyond vulnerabilities, to scan licenses, secrets, infrastructure as code misconfiguration, and more.
Best vulnerability scanner for DevOps
2 projects | /r/devsecops | 19 May 2023
About Cloudflare Tunnels
3 projects | /r/selfhosted | 1 May 2023

I would suggest to think about the thread model that you are facing so you can have a better mental model of the weak points of your environment. The very very big majority of these attacks will be automated probing for publicly known vulnerabilities or default credentials. That means the maintainers of the software you are running and the channels on which their updates are shipped to you and deployed are very important factors. For software that is not installed from a trusted and well maintained source (e.g. Ubuntus main repository), you want to make extra sure that vulnerabilities are updated. E.g. your deployed docker containers might contain security issues, you can run checks on these with tools like trivy. The same is also true for appliances, in case your router or firewall contains a software vulnerability, how will you be notified and how will the required updates be deployed?
Docker image vulnerabilities scanning trivy vs synk.io
1 project | /r/docker | 30 Apr 2023

What are some alternatives?

When comparing log4shell and trivy you can also consider the following projects:

Metabase - The simplest, fastest way to get business intelligence and analytics to everyone in your company :yum:

snyk - Snyk CLI scans and monitors your projects for security vulnerabilities. [Moved to: https://github.com/snyk/cli]

interactsh - An OOB interaction gathering server and client library

grype - A vulnerability scanner for container images and filesystems

clair - Vulnerability Static Analysis for Containers

glpi-agent - GLPI Agent

checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems

SpongeForge - A Forge mod that implements SpongeAPI

falco - Cloud Native Runtime Security

log4shell vs Metabase trivy vs snyk log4shell vs interactsh trivy vs grype log4shell vs grype trivy vs clair log4shell vs glpi-agent trivy vs checkov log4shell vs syft trivy vs syft log4shell vs SpongeForge trivy vs falco

Compare log4shell vs trivy and see what are their differences.

log4shell

trivy

log4shell

trivy

What are some alternatives?