
log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.

Installing

Pre-compiled binaries are available as release assets.

To install from source with an existing Go v1.17+ installation, either use go install:

go install github.com/google/log4jscanner@latest

Or build from the repo directly:

git clone https://github.com/google/log4jscanner.git
cd log4jscanner
go build -o log4jscanner

Command line tool

This project includes a scanner that walks a directory tree, printing the path of every detected vulnerable JAR to stdout.

$ log4jscanner ./jar/testdata
./jar/testdata/bad_jar_in_jar.jar
./jar/testdata/log4j-core-2.1.jar
./jar/testdata/log4j-core-2.12.1.jar
./jar/testdata/log4j-core-2.14.0.jar
./jar/testdata/log4j-core-2.15.0.jar
./jar/testdata/vuln-class.jar

Optionally, the --rewrite flag can actively remove the vulnerable class from detected JARs in place.

$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     2937 bx defN 20-Nov-06 14:03 lookup/JndiLookup.class
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class
$ log4jscanner --rewrite /tmp
/tmp/vuln-class.jar
$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class

On macOS, you can scan the entire data volume with:

$ sudo log4jscanner /System/Volumes/Data

The scanner can also skip directories by passing glob patterns. On Linux, you may choose to scan the entire root filesystem, but skip site-specific paths (e.g. the /data/* directory). By default log4jscanner will not scan magic filesystems, such as /proc and /sys.

$ sudo log4jscanner --skip '/data/*' /

For heavy customization, such as reporting to external endpoints, much of the tool's logic is exposed through the jar.Walker API.

Package

Parsing logic is available through the jar package, and can be used to scan assets stored in other code repositories. Because JARs use the ZIP format, this package operates on archive/zip.Reader.

package main

import (
	"archive/zip"
	"errors"
	"fmt"
	"log"
	"os"

	"github.com/google/log4jscanner/jar"
)

func main() {
	if len(os.Args) != 2 {
		log.Fatalf("usage: %s <path-to-jar>", os.Args[0])
	}
	pathToJARFile := os.Args[1]

	rc, err := zip.OpenReader(pathToJARFile)
	if err != nil {
		if errors.Is(err, zip.ErrFormat) {
			// File isn't a ZIP file.
			return
		}
		log.Fatalf("opening file: %v", err)
	}
	defer rc.Close()

	if !jar.IsJAR(&rc.Reader) {
		// ZIP file isn't a JAR file.
		return
	}

	result, err := jar.Parse(&rc.Reader)
	if err != nil {
		log.Fatalf("parsing zip file: %v", err)
	}
	if result.Vulnerable {
		fmt.Println("File is vulnerable")
	}
}

See the examples/ directory for full programs.
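The detection the jar package performs, written out as an added, self-contained Go example that is not the project's own code: it walks an archive/zip reader looking for JndiLookup.class, follows nested JARs (the bad_jar_in_jar layout in the test data), normalises multi-release META-INF/versions/N/ entries so classes stored there are not missed, reads each entry into a buffer pre-sized from the central directory instead of io.ReadAll, and records whether JndiManager.class carries the isJndiEnabled marker of the Java 6/7 backport patches that the README says are flagged on purpose. The two class paths are log4j's real ones; ScanJAR, readEntry, stripVersions, buildJAR and SampleJAR are this example's own names, and the JARs they build are constructed stub archives, not real log4j builds.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Entry paths under which log4j 2 ships its JNDI classes (real class names).
const (
	jndiLookupClass  = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
	jndiManagerClass = "org/apache/logging/log4j/core/net/JndiManager.class"
)

// Finding is one JAR level carrying JndiLookup.class (nested: outer.jar!lib/inner.jar).
type Finding struct {
	Path             string
	HasIsJndiEnabled bool // JndiManager.class mentions isJndiEnabled (2.16 / 2.12.2 / 2.3.1 style patch)
}

// stripVersions maps a multi-release entry (META-INF/versions/9/a/B.class) to a/B.class.
func stripVersions(name string) string {
	rest := strings.TrimPrefix(name, "META-INF/versions/")
	if i := strings.IndexByte(rest, '/'); rest != name && i >= 0 {
		return rest[i+1:]
	}
	return name
}

// readEntry reads one entry into a buffer sized from the central directory instead
// of letting io.ReadAll grow from 512 bytes; the declared size is attacker-controlled, so cap it first.
func readEntry(f *zip.File) ([]byte, error) {
	if f.UncompressedSize64 > 256<<20 {
		return nil, fmt.Errorf("%s: declared size %d too large", f.Name, f.UncompressedSize64)
	}
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	buf := make([]byte, f.UncompressedSize64)
	if _, err := io.ReadFull(rc, buf); err != nil {
		return nil, fmt.Errorf("%s: %w", f.Name, err)
	}
	return buf, nil
}

// ScanJAR scans an in-memory JAR (zip.OpenReader would stand in for the bytes.Reader on disk),
// recursing into nested .jar entries with a depth limit against nesting bombs.
func ScanJAR(path string, data []byte, depth int, out []Finding) ([]Finding, error) {
	if depth > 8 {
		return out, fmt.Errorf("%s: JARs nested too deeply", path)
	}
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return out, fmt.Errorf("%s: %w", path, err)
	}
	hit, found := Finding{Path: path}, false
	for _, e := range r.File {
		name := stripVersions(e.Name)
		if name == jndiLookupClass {
			found = true
		}
		if name != jndiManagerClass && !strings.HasSuffix(name, ".jar") {
			continue
		}
		body, err := readEntry(e)
		if err != nil {
			return out, err
		}
		if name == jndiManagerClass {
			hit.HasIsJndiEnabled = bytes.Contains(body, []byte("isJndiEnabled"))
		} else if out, err = ScanJAR(path+"!"+e.Name, body, depth+1, out); err != nil {
			return out, err
		}
	}
	if found {
		out = append(out, hit)
	}
	return out, nil
}

// buildJAR zips name/content pairs in order: constructed fixture data, not a real log4j build.
func buildJAR(entries ...[2]string) []byte {
	var b bytes.Buffer
	w := zip.NewWriter(&b)
	for _, e := range entries {
		f, _ := w.Create(e[0]) // writing into a bytes.Buffer cannot fail
		io.WriteString(f, e[1])
	}
	w.Close()
	return b.Bytes()
}

// SampleJAR nests a patched log4j under lib/ and an unpatched, multi-release copy two levels down.
func SampleJAR() []byte {
	patched := buildJAR([2]string{jndiLookupClass, "stub"}, [2]string{jndiManagerClass, "..isJndiEnabled.."})
	unpatched := buildJAR([2]string{"META-INF/versions/9/" + jndiLookupClass, "stub"}, [2]string{jndiManagerClass, "no flag"})
	shaded := buildJAR([2]string{"lib/log4j-core-old.jar", string(unpatched)})
	return buildJAR([2]string{"com/example/App.class", "x"}, [2]string{"lib/log4j-core.jar", string(patched)}, [2]string{"lib/shaded.jar", string(shaded)})
}
```

Running ScanJAR("app.jar", SampleJAR(), 0, nil) yields two findings: app.jar!lib/log4j-core.jar with HasIsJndiEnabled true, and app.jar!lib/shaded.jar!lib/log4j-core-old.jar with it false. The flag is triage information only: as the README's note makes clear, a JAR that still ships JndiLookup.class is reported regardless, and deciding whether a backported build is acceptable is left to the operator rather than to the scanner.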

False positives

False positives have been observed for the scanner. Use caution when rewriting JARs automatically or taking other mitigations based on scan results.

If you do hit a false positive, please open an issue.

Note: This scanner purposefully flags the patched versions of log4j for Java 6 and Java 7 as vulnerable.

Contributors

We unfortunately had to squash the history when open sourcing. The following contributors were instrumental in this project's development:

log4jscanner's Issues

Error scanning - negative offset

Getting the error below when scanning a Cloudera cluster edge node on a RedHat 7 Linux VM.

One of the zip files it scanned has a name like .¶i84ianid.xetntwmu¶.com-a-00000583-c-00134550__0_2021-01-17_02-00-02.tgz. Not sure whether the special characters in the file name caused the error.

2022/01/06 19:45:31 log4jscanner.go:120: Error: scanning /var/lib/smartsense/hst-agent/data/tmp//.¶i84ianid.xetntwmu¶.com-a-00000583-c-00134550_0_2021-01-17_02-00-02/services/HBASE/components/Client/DEFAULT/conf/hbase-site.jar: opennig file as a ZIP archive: readat //var/lib/smartsense/hst-agent/data/tmp//.¶i84ianid.xetntwmu¶.com-a-00000583-c-00134550_0_2021-01-17_02-00-02/services/HBASE/components/Client/DEFAULT/conf/hbase-site.jar: negative offset

"cannot find package" when building or installing through go install command

When I try to build with go build -o log4jscanner, I always get this:

log4jscanner.go:26:2: cannot find package "github.com/google/log4jscanner/jar" in any of:
        /usr/lib/go-1.10/src/github.com/google/log4jscanner/jar (from $GOROOT)
        /home/fp/go/src/github.com/google/log4jscanner/jar (from $GOPATH)
log4jscanner_linux.go:22:2: cannot find package "golang.org/x/sys/unix" in any of:
        /usr/lib/go-1.10/src/golang.org/x/sys/unix (from $GOROOT)
        /home/fp/go/src/golang.org/x/sys/unix (from $GOPATH)
log4jscanner.go:21:2: cannot find package "io/fs" in any of:
        /usr/lib/go-1.10/src/io/fs (from $GOROOT)
        /home/fp/go/src/io/fs (from $GOPATH)

but if I try to install through go install github.com/google/log4jscanner@latest:

can't load package: package github.com/google/log4jscanner@latest: cannot find package "github.com/google/log4jscanner@latest" in any of:
        /usr/lib/go-1.10/src/github.com/google/log4jscanner@latest (from $GOROOT)
        /home/fp/go/src/github.com/google/log4jscanner@latest (from $GOPATH)

I'm using elementary OS 5.1.7 (based on Ubuntu 18.04.6 LTS), and my go installation is basically only those packages:

golang-go/bionic,now 2:1.10~4ubuntu1 amd64 [installed]
golang-1.10-go/bionic-security,bionic-updates,now 1.10.4-2ubuntu1~18.04.2 amd64 [installed,automatic]
golang-1.10-race-detector-runtime/bionic,now 0.0+svn285455-0ubuntu1 amd64 [installed,automatic]
golang-1.10-src/bionic-security,bionic-updates,now 1.10.4-2ubuntu1~18.04.2 amd64 [installed,automatic]
golang-docker-credential-helpers/bionic-updates,now 0.5.0-2ubuntu0.1 amd64 [installed,automatic]
golang-race-detector-runtime/bionic,now 2:1.10~4ubuntu1 amd64 [installed,automatic]
golang-src/bionic,now 2:1.10~4ubuntu1 amd64 [installed,automatic]

False positive with current detection method

The Apache foundation continues to maintain log4j versions specifically compatible with JVM7 and JVM6.

Thus: version 2.12.2 (Java7) and version 2.3.1 (Java6) came out with a patch like 2.16.0.

Unfortunately the current detection strategy detects those versions as vulnerable.

It is all the more unfortunate since the slightly brittle check for the presence of "isJndiEnabled" seems a sufficient method for the moment.

As an example, running the following command on a directory with all the existing log4j 2 branches will show all the patched versions:

for i in *.jar; do if unzip -p "$i" org/apache/logging/log4j/core/net/JndiManager.class | grep -q isJndiEnabled; then echo "$i"; fi; done 2>/dev/null
log4j-core-2.12.2.jar
log4j-core-2.12.3.jar
log4j-core-2.12.4.jar
log4j-core-2.16.0.jar
log4j-core-2.17.0.jar
log4j-core-2.17.1.jar
log4j-core-2.3.1.jar
log4j-core-2.3.2.jar

Running log4jscanner on the same directory with a debug print():

[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.10.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.11.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.11.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.11.2.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.12.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.12.1.jar
[216Pattern] [216Pattern.*YARARulePattern] [YARARulePattern.*216Pattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.12.2.jar
[216Pattern] [216Pattern.*YARARulePattern] [YARARulePattern.*216Pattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.12.3.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.13.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.13.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.13.2.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.13.3.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.14.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.14.1.jar
[Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.15.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.2.jar
[216Pattern.*YARARulePattern] [YARARulePattern.*216Pattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.3.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.3.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.4.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.4.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.5.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.6.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.6.2.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.6.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.7.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.8.1.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.8.2.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.8.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.9.0.jar
[YARARulePattern] [Vulnerable]: /home/user/lab/log4j-all/log4j-core-2.9.1.jar

We can see that 2.12.2, 2.12.3 and 2.3.1 match the 216Pattern + YARA rule pattern and are wrongly detected as vulnerable.

log4jscanner should be able to scan a single file

Currently it errors:

$ ./log4jscanner jar/testdata/vuln-class.jar
2021/12/28 18:43:08 log4jscanner.go:100: Error: scanning jar/testdata/vuln-class.jar: stat jar/testdata/vuln-class.jar/.: not a directory

Scan does not catch log4j log4j-1.2.12.jar

The log4j scanner does not seem to catch log4j-1.2.12.jar (which is obviously vulnerable).

There is this other scanner that I used, which was able to accurately mark this version of the log4j jar as vulnerable.
Scanner Used: https://github.com/hillu/local-log4j-vuln-scanner/releases/tag/v0.13

./local-log4j-vuln-scanner.macosx --quiet /Users/hillu-log4j-scanner-test/
Checking for vulnerabilities: CVE-2019-17571, CVE-2021-44228, CVE-2021-45105
indicator for vulnerable component found in /Users/hillu-log4j-scanner-test/log4j-1.2.12.jar (org/apache/log4j/net/SocketNode.class): SocketNode.class log4j 1.2.12 CVE-2019-17571

Would it be possible to fix the scanner to catch this log4j version, or any version that is less than 2.17.0?

release assets archives contain potentially dangerous "." folder

How-to-repeat

Make some folder FOLDER that belongs to USER:GROUP, assign 777 permissions to FOLDER, then:

sudo -s
cd FOLDER
wget https://github.com/google/log4jscanner/releases/download/v0.2.0/log4jscanner-v0.2.0-linux-amd64.tar.gz
tar xfz log4jscanner-v0.2.0-linux-amd64.tar.gz

Check the new ownership and permissions of FOLDER: it is now drwx------ 3 root root, because

tar -ztvf log4jscanner-v0.2.0-linux-amd64.tar.gz
drwx------ root/root         0 2022-01-05 23:14 ./
drwxr-xr-x root/root         0 2022-01-05 23:14 ./log4jscanner/
-rwxr-xr-x root/root   2637215 2022-01-05 23:14 ./log4jscanner/log4jscanner

I think that ./ shouldn't be a part of the release assets archive, because as a result you might set incorrect permissions on your folder (think of /tmp without full access).

Thanks

Replace io.ReadAll usage with pre-allocated buffers of appropriate size

There is a potential performance/memory improvement when reading the contents of a nested jar by replacing io.ReadAll:

Internally, io.ReadAll will allocate a byte slice (initially 512 bytes) and then expand the size of the buffer as needed when each (io.Reader).Read call is executed. In practice this means a slice will be allocated and resized multiple times when reading most jar files.

Because the size of the file is already known the buffer could be allocated initially at the exact size required. This is essentially what os/io.ReadFile does internally and the implementation could be copied almost exactly into a helper method.

Dependency Error While Building

I'm trying to install Log4JScanner, but when I try to build, either by go get or go build, I get an error in the dependency "io/fs".

PFB the screenshot

Rewrite should back up the original jar(s) by default

Tools that offer to fix things without backing up the originals can create a problem if the process dies unexpectedly. The original jar(s) should be saved by default, perhaps with a .jar.save suffix.

There could be an option to suppress the backup, for the brave, the foolish, and for dev/test.
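The backup-first rewrite this issue asks for, as an added Go example that is not the project's code and not what its --rewrite flag does today: every entry except JndiLookup.class is copied into a temp file in the same directory, the original is kept as path.save (the .jar.save suffix suggested above, here a hard link so the untouched original inode survives the rename), and only then is the cleaned archive renamed over the original, so a crash at any step leaves at least one intact copy. RewriteJAR and WriteFixture are this example's own names; the class path is log4j's real one; the JAR WriteFixture builds is a constructed stub, not a real log4j build.

```go
package main

import (
	"archive/zip"
	"io"
	"os"
	"path/filepath"
)

const jndiLookupClass = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

// RewriteJAR drops JndiLookup.class from the JAR at path. The cleaned archive is
// built in a temp file in the same directory, the original is preserved as
// path+".save", and only then is the temp file renamed over the original, so a
// crash at any step leaves at least one intact copy. removed is false (and the
// file untouched) when the JAR has no such entry; kept lists the surviving entries.
func RewriteJAR(path string) (removed bool, kept []string, err error) {
	rc, err := zip.OpenReader(path)
	if err != nil {
		return false, nil, err
	}
	defer rc.Close()
	for _, f := range rc.File {
		if f.Name == jndiLookupClass {
			removed = true
		} else {
			kept = append(kept, f.Name)
		}
	}
	if !removed {
		return false, kept, nil
	}
	info, err := os.Stat(path)
	if err != nil {
		return false, nil, err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".rewrite-*.jar")
	if err != nil {
		return false, nil, err
	}
	defer os.Remove(tmp.Name()) // no-op once the final rename has succeeded
	w := zip.NewWriter(tmp)
	for _, f := range rc.File {
		if f.Name == jndiLookupClass {
			continue
		}
		// Fresh header: the reader's copy carries sizes, CRC and extra fields that the writer recomputes.
		dst, err := w.CreateHeader(&zip.FileHeader{Name: f.Name, Method: f.Method, Modified: f.Modified})
		if err != nil {
			return false, nil, err
		}
		src, err := f.Open()
		if err != nil {
			return false, nil, err
		}
		_, err = io.Copy(dst, src)
		src.Close()
		if err != nil {
			return false, nil, err
		}
	}
	if err := w.Close(); err != nil {
		return false, nil, err
	}
	if err := tmp.Close(); err != nil {
		return false, nil, err
	}
	// CreateTemp made the file 0600; the deployed JAR must keep its old mode.
	if err := os.Chmod(tmp.Name(), info.Mode()); err != nil {
		return false, nil, err
	}
	// Backup as a hard link: it fails if a .save already exists, and it keeps
	// pointing at the untouched original inode after the rename below.
	if err := os.Link(path, path+".save"); err != nil {
		return false, nil, err
	}
	rc.Close() // release the original before replacing it (matters on Windows)
	return true, kept, os.Rename(tmp.Name(), path)
}

// WriteFixture writes a constructed two-entry JAR (stub bytes, not a real log4j build) to path.
func WriteFixture(path string) error {
	f, err := os.Create(path)
	if err != nil {
		return err
	}
	w := zip.NewWriter(f)
	for _, name := range []string{"com/example/App.class", jndiLookupClass} {
		e, err := w.Create(name)
		if err != nil {
			return err
		}
		io.WriteString(e, "stub "+name)
	}
	if err := w.Close(); err != nil {
		return err
	}
	return f.Close()
}
```

After WriteFixture("app.jar") and RewriteJAR("app.jar"), app.jar holds only com/example/App.class, app.jar.save still holds both entries, and a second RewriteJAR call reports removed=false without touching either file. Re-running into an existing .save fails on the os.Link rather than overwriting the earlier backup; an option to suppress the backup would skip that one call.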

sudo: log4jscanner: command not found

With go version go1.17.5 darwin/amd64 on Mac OS.
I ran this command: go install github.com/google/log4jscanner@latest
But when I type sudo log4jscanner /System/Volumes/Data it keeps saying sudo: log4jscanner: command not found
First time using go, maybe there is an extra step that I am missing?

readdir META-INF/versions/9: not implemented

$ ./log4jscanner $work
/work/cadenza/play28-template/null/Coursier/cache/v1/https/repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
2021/12/29 14:41:53 log4jscanner.go:119: Error: scanning /work/cadenza/play28-template/null/Coursier/cache/v1/https/repo1.maven.org/maven2/org/seleniumhq/selenium/selenium-api/3.141.59/selenium-api-3.141.59.jar: scanning jar: failed to check JAR: readdir META-INF/versions/9: not implemented
2021/12/29 14:41:54 log4jscanner.go:119: Error: scanning /work/cadenza/play28-template/null/Coursier/cache/v1/https/repo1.maven.org/maven2/org/seleniumhq/selenium/selenium-remote-driver/3.141.59/selenium-remote-driver-3.141.59.jar: scanning jar: failed to check JAR: readdir META-INF/versions/9: not implemented
panic: runtime error: index out of range [-1]

goroutine 1 [running]:
archive/zip.split(...)
        /usr/lib/go-1.17/src/archive/zip/reader.go:800
archive/zip.fileEntryLess({0x59bb38, 0x11}, {0xc00001fb01, 0xc0005149e8})
        /usr/lib/go-1.17/src/archive/zip/reader.go:773 +0x206
archive/zip.(*Reader).initFileList.func1.1(0xc0005149e8, 0xc000519590)
        /usr/lib/go-1.17/src/archive/zip/reader.go:768 +0x4f
sort.doPivot_func({0xc0005149e8, 0xc000519590}, 0x0, 0x12)
        /usr/lib/go-1.17/src/sort/zfuncversion.go:83 +0x14c
sort.quickSort_func({0xc0005149e8, 0xc000519590}, 0xc00010e9c0, 0x0, 0xc000514a28)
        /usr/lib/go-1.17/src/sort/zfuncversion.go:143 +0x85
sort.Slice({0x4c9720, 0xc00010e9c0}, 0x20)
        /usr/lib/go-1.17/src/sort/slice.go:20 +0x9f
archive/zip.(*Reader).initFileList.func1()
        /usr/lib/go-1.17/src/archive/zip/reader.go:768 +0x42a
sync.(*Once).doSlow(0x40ca07, 0x508d60)
        /usr/lib/go-1.17/src/sync/once.go:68 +0xd2
sync.(*Once).Do(...)
        /usr/lib/go-1.17/src/sync/once.go:59
archive/zip.(*Reader).initFileList(0x508ce0)
        /usr/lib/go-1.17/src/archive/zip/reader.go:738 +0x45
archive/zip.(*Reader).Open(0x4cfe00, {0x4e3665, 0xc0002783e0})
        /usr/lib/go-1.17/src/archive/zip/reader.go:783 +0x2c
io/fs.Stat({0x508da0, 0xc0002783e0}, {0x4e3665, 0x1})
        /usr/lib/go-1.17/src/io/fs/stat.go:25 +0x9c
io/fs.WalkDir({0x508da0, 0xc0002783e0}, {0x4e3665, 0x1}, 0xc000514e38)
        /usr/lib/go-1.17/src/io/fs/walk.go:108 +0x3c
github.com/google/log4jscanner/jar.(*checker).checkJAR(0xc000519560, {0x508da0, 0xc0002783e0}, 0x0, 0xc000514ee8)
        /work/log4jscanner/jar/jar.go:126 +0xce
github.com/google/log4jscanner/jar.Parse({0x508c80, 0xc000230070})
        /work/log4jscanner/jar/jar.go:60 +0x9d
github.com/google/log4jscanner/jar.(*walker).visit(0xc000515e10, {0xc0005bd810, 0xc0005bd760}, {0x50aa08, 0xc0000b7cc0})
        /work/log4jscanner/jar/walker.go:157 +0x46e
github.com/google/log4jscanner/jar.(*Walker).Walk.func1({0xc0005bd810, 0xa2}, {0x50aa08, 0xc0000b7cc0}, {0x0, 0x0})
        /work/log4jscanner/jar/walker.go:80 +0x8d
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc0005bd810, 0xa2}, {0x50aa08, 0xc0000b7cc0}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:66 +0x83
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc000026630, 0x86}, {0x50aa08, 0xc0000b7ac0}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc000028380, 0x80}, {0x50aa08, 0xc0000b7700}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc000028280, 0x76}, {0x50aa08, 0xc000274640}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc0002bc0e0, 0x6e}, {0x50aa08, 0xc0002b0740}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc0002bc310, 0x6a}, {0x50aa08, 0xc0002b0680}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc0002bc070, 0x63}, {0x50aa08, 0xc00031a600}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc00031ccc0, 0x53}, {0x50aa08, 0xc00031a5c0}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc00031f2c0, 0x4d}, {0x50aa08, 0xc00031a580}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc00031f220, 0x4a}, {0x50aa08, 0xc00031a540}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc00031f0e0, 0x44}, {0x50aa08, 0xc00031a500}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc00001f7c0, 0x3b}, {0x50aa08, 0xc0002754c0}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc000657a40, 0x36}, {0x50aa08, 0xc0002854c0}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc0000b01b0, 0x26}, {0x50aa08, 0xc00002d000}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc0004c4258, 0x17}, {0x50aa08, 0xc0000b6b00}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0xc00040e220, 0xb}, {0x50aa08, 0xc0000b6380}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.walkDir({0x508fa0, 0xc00009e480}, {0x4e3665, 0x1}, {0x50a9d0, 0xc00009e490}, 0xc000515e00)
        /usr/lib/go-1.17/src/io/fs/walk.go:85 +0x27f
io/fs.WalkDir({0x508fa0, 0xc00009e480}, {0x4e3665, 0x1}, 0xc00009ae00)
        /usr/lib/go-1.17/src/io/fs/walk.go:112 +0xde
github.com/google/log4jscanner/jar.(*Walker).Walk(0xc0000a02a0, {0x7ffdda5c1f73, 0xb})
        /work/log4jscanner/jar/walker.go:72 +0xba
main.main()
        /work/log4jscanner/log4jscanner.go:135 +0x61e

False negative for old libraries version

The current detection strategy will ignore jars which do not contain JndiManager. Because of this it is missing the following vulnerable libraries:

log4j-core-2.0-beta9.jar
log4j-core-2.0-rc1.jar
log4j-core-2.0-rc2.jar
log4j-core-2.0.1.jar
log4j-core-2.0.2.jar
log4j-core-2.0.jar

Edit: Hm, seeing #45 I understand this is also accepted behavior for now.
