Reading about detecting #log4j vuln on the Java platform, which is a highly complex undertaking. Libraries can be found as an extracted archive, .jar archive, .war archive containing .jar files, .ear archive containing .war and .jar files, all depending on the platform (1/11) Then there is Spring Boot with .jar files containing other .jar files. Long ago you could even have your .jar files in a .zip archive. Guess you can look for these on your file system recursively. With a special class loader Java could load classes from anything... (2/11)