Commit

Added product and cve columns to report. v2.3.6
xeraph committed Dec 19, 2021
1 parent c042d21 commit 80a49a1
Showing 6 changed files with 38 additions and 20 deletions.
16 changes: 8 additions & 8 deletions README.md
Expand Up @@ -3,16 +3,16 @@
log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.

### Download
* [log4j2-scan 2.3.5 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-win64.7z)
* [log4j2-scan 2.3.5 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-win64.zip)
* [log4j2-scan 2.3.6 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-win64.7z)
* [log4j2-scan 2.3.6 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-win64.zip)
* If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* 7zip is available from www.7zip.org, and is open source and free.
* [log4j2-scan 2.3.5 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-linux.tar.gz)
* [log4j2-scan 2.3.5 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-linux-aarch64.tar.gz)
* [log4j2-scan 2.3.6 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-linux.tar.gz)
* [log4j2-scan 2.3.6 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-linux-aarch64.tar.gz)
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* [log4j2-scan 2.3.5 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-darwin.tar.gz)
* [log4j2-scan 2.3.5 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5.jar)
* [log4j2-scan 2.3.6 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-darwin.tar.gz)
* [log4j2-scan 2.3.6 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6.jar)

### Build
* [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
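
Review bot: The six release links in the Download list are bumped to v2.3.6 but still carry no checksum or signature for the archives, so someone fetching a scanner that will be run across a whole filesystem (possibly with `--fix`) has nothing to verify the download against. Consider publishing a SHA-256 for each artifact next to its link. Separately, the unchanged 7-Zip bullet points at www.7zip.org; the 7-Zip project's own site is 7-zip.org, so that link is worth correcting while this list is being edited.
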
Expand All @@ -22,7 +22,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress

Usage
```
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.5 (2021-12-20)
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)
Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
-f [config_file_path]
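
Review bot: The version in the usage banner is edited by hand here, and the same literal is changed again in the `java -jar` example, in `pom.xml` and in `Log4j2Scanner.BANNER` within this commit, so a release can ship with the copies out of step. Consider deriving the banner from the build version (for example through Maven resource filtering) and treating `pom.xml` as the single source. The banner date `2021-12-20` also stays unchanged while the version moves; if it is meant to be the release date, it belongs in the same generated value.
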
Expand Down Expand Up @@ -85,7 +85,7 @@ On Linux
```
On UNIX (AIX, Solaris, and so on)
```
java -jar logpresso-log4j2-scan-2.3.5.jar [--fix] target_path
java -jar logpresso-log4j2-scan-2.3.6.jar [--fix] target_path
```

If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. Depending the Operating System:
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -6,7 +6,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.logpresso</groupId>
<artifactId>log4j2-scanner</artifactId>
<version>2.3.5</version>
<version>2.3.6</version>
<packaging>jar</packaging>
<name>Logpresso Log4j2 Scanner</name>

14 changes: 8 additions & 6 deletions src/main/java/com/logpresso/scanner/Detector.java
Expand Up @@ -25,7 +25,8 @@
import com.logpresso.scanner.utils.ZipUtils;

public class Detector {
private static final String POTENTIALLY_VULNERABLE = "N/A - potentially vulnerable";
private static final String POTENTIALLY_VULNERABLE = "N/A";

private static final String JNDI_LOOKUP_CLASS_PATH = "org/apache/logging/log4j/core/lookup/JndiLookup.class";
private static final String JNDI_LOOKUP_CLASS_SHADE_PATH = "/log4j/core/lookup/JndiLookup.class";
private static final String LOG4J_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties";
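
Review bot: `POTENTIALLY_VULNERABLE` now holds just `"N/A"`, so the constant's name no longer describes its value and it is easy to confuse with the `Status.POTENTIALLY_VULNERABLE` enum value used further down in `addReport`. If it is the placeholder written to the Version column when no version can be read, rename it to something like `UNKNOWN_VERSION`; the "potentially vulnerable" meaning is already carried by the Status column.
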
Expand Down Expand Up @@ -370,7 +371,7 @@ else if (version.startsWith("2.16.") || version.equals("2.12.2"))
msg += " (mitigated)";

System.out.println(msg);
addReport(jarFile, pathChain, version, mitigated, potential);
addReport(jarFile, pathChain, "Log4j 2", version, cve, mitigated, potential);
}

private void printDetectionForLog4j1(File jarFile, List<String> pathChain, String version, boolean mitigated) {
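
Review bot: The new `cve` argument in the `addReport(...)` call is computed outside the visible lines; please confirm it is assigned on every version branch, including the `2.16.` / `2.12.2` branch named in the hunk header and the case where the version is the `"N/A"` placeholder, so the CVE column never comes out as the string `null`. The product label `"Log4j 2"` is a bare literal here, and `"Log4j 1"` and `"Logback"` follow in the next two hunks; constants or an enum would keep the report values consistent for anyone filtering on them.
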
Expand All @@ -384,7 +385,7 @@ private void printDetectionForLog4j1(File jarFile, List<String> pathChain, Strin

System.out.println(msg);

addReport(jarFile, pathChain, version, false, true);
addReport(jarFile, pathChain, "Log4j 1", version, "CVE-2021-4104", false, true);
}

private void printDetectionForLogback(File jarFile, List<String> pathChain, String version, boolean mitigated) {
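
Review bot: `printDetectionForLog4j1` takes a `boolean mitigated` parameter, but the `addReport(...)` call passes a hard-coded `false` in the mitigated position, so the CSV can never record a Log4j 1 finding as mitigated even when the caller determined that it was. Either pass `mitigated` through or drop the parameter; the same pattern appears in `printDetectionForLogback` in the next hunk.
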
Expand All @@ -398,10 +399,11 @@ private void printDetectionForLogback(File jarFile, List<String> pathChain, Stri

System.out.println(msg);

addReport(jarFile, pathChain, version, false, true);
addReport(jarFile, pathChain, "Logback", version, "CVE-2021-42550", false, true);
}

private void addReport(File jarFile, List<String> pathChain, String version, boolean mitigated, boolean potential) {
private void addReport(File jarFile, List<String> pathChain, String product, String version, String cve, boolean mitigated,
boolean potential) {
List<ReportEntry> entries = fileReports.get(jarFile);
if (entries == null) {
entries = new ArrayList<ReportEntry>();
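
Review bot: `addReport` now takes three adjacent `String` parameters (`product`, `version`, `cve`) followed by two adjacent `boolean`s, so a transposed argument at a call site compiles cleanly and only shows up as a value in the wrong CSV column. Consider having callers build the `ReportEntry` (or a small parameter object) directly, or at least add a Javadoc comment that pins down the order.
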
Expand All @@ -414,7 +416,7 @@ private void addReport(File jarFile, List<String> pathChain, String version, boo
else if (potential)
status = Status.POTENTIALLY_VULNERABLE;

ReportEntry entry = new ReportEntry(jarFile, StringUtils.toString(pathChain), version, status);
ReportEntry entry = new ReportEntry(jarFile, StringUtils.toString(pathChain), product, version, cve, status);
entries.add(entry);
}
}
2 changes: 1 addition & 1 deletion src/main/java/com/logpresso/scanner/Log4j2Scanner.java
Expand Up @@ -15,7 +15,7 @@
import com.logpresso.scanner.utils.ZipUtils;

public class Log4j2Scanner {
private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.5 (2021-12-20)";
private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)";

private static final boolean isWindows = File.separatorChar == '\\';

22 changes: 19 additions & 3 deletions src/main/java/com/logpresso/scanner/ReportEntry.java
Expand Up @@ -7,15 +7,19 @@
public class ReportEntry {
private File path;
private String entry;
private String product;
private String version;
private String cve;
private Status status;
private boolean fixed;
private Date reportTime = new Date();

public ReportEntry(File path, String entry, String version, Status status) {
public ReportEntry(File path, String entry, String product, String version, String cve, Status status) {
this.path = path;
this.entry = entry;
this.product = product;
this.version = version;
this.cve = cve;
this.status = status;
}

Expand All @@ -27,10 +31,22 @@ public String getEntry() {
return entry;
}

public String getProduct() {
return product;
}

public void setProduct(String product) {
this.product = product;
}

public String getVersion() {
return version;
}

public String getCve() {
return cve;
}

public Status getStatus() {
return status;
}
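
Review bot: `setProduct` is the only setter added for the new fields; `cve` gets a getter only, and nothing in the visible changes calls `setProduct`. Unless there is a caller elsewhere, drop it and declare `product` and `cve` as `final` so a report entry cannot change after detection.
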
Expand All @@ -49,7 +65,7 @@ public Date getReportTime() {

public String getCsvLine() {
SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
return String.format("\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"%n", path.getAbsolutePath(), entry, version, status,
fixed ? "FIXED" : "", df.format(reportTime));
return String.format("\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"%n", path.getAbsolutePath(), entry, product,
version, cve, status, fixed ? "FIXED" : "", df.format(reportTime));
}
}
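
Review bot: `getCsvLine` wraps each value in double quotes but does not escape quotes inside the values, and `path.getAbsolutePath()` and `entry` are built from file and nested-archive names found on the scanned host. A name containing `"` or a line break will split or shift columns in the report, and an entry value beginning with `=`, `+`, `-` or `@` can be evaluated as a formula when the CSV is opened in a spreadsheet. Double any embedded `"` before formatting and consider neutralising leading formula characters; with eight positional `%s` fields now, a small helper that quotes and joins a list of values would also be easier to keep in step with the header.
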
2 changes: 1 addition & 1 deletion src/main/java/com/logpresso/scanner/ReportGenerator.java
Expand Up @@ -59,7 +59,7 @@ private static File generateReportFileName(Configuration config) {

private static void writeCsvReport(Configuration config, Map<File, List<ReportEntry>> fileReports, FileOutputStream csvStream)
throws IOException, UnsupportedEncodingException {
String header = String.format("Hostname,Path,Entry,Version,Status,Fixed,Detected at%n");
String header = String.format("Hostname,Path,Entry,Product,Version,CVE,Status,Fixed,Detected at%n");
csvStream.write(header.getBytes("utf-8"));

String hostname = getHostname(config.isDebug());
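
Review bot: `Product` and `CVE` are inserted in the middle of the header, which moves `Version`, `Status`, `Fixed` and `Detected at` to new positions, so anything that reads the report by column index will silently pick up the wrong field after upgrading from 2.3.5. Appending the new columns at the end would keep existing consumers working; if the new order is intended, the README should document the report layout, since its hunks in this commit only change version numbers. The header lists nine columns while `ReportEntry.getCsvLine()` emits eight, which is consistent only if `writeCsvReport` prepends the hostname to each row; worth confirming the two stay aligned.
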