Fix log4j 2.17.0 detection bug. Updated to v2.3.2

README.md

@@ -3,16 +3,16 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.3.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-win64.7z)
-* [log4j2-scan 2.3.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-win64.zip)
+* [log4j2-scan 2.3.2 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-win64.7z)
+* [log4j2-scan 2.3.2 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.3.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-linux.tar.gz)
-* [log4j2-scan 2.3.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-linux-aarch64.tar.gz)
+* [log4j2-scan 2.3.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-linux.tar.gz)
+* [log4j2-scan 2.3.2 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-linux-aarch64.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.3.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-darwin.tar.gz)
-* [log4j2-scan 2.3.1 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1.jar)
+* [log4j2-scan 2.3.2 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-darwin.tar.gz)
+* [log4j2-scan 2.3.2 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -22,29 +22,27 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-18)
-Usage: log4j2-scan [--fix] target_path1 target_path2
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)
+Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 
 -f [config_file_path]
         Specify config file path which contains scan target paths.
         Paths should be separated by new line. Prepend # for comment.
---fix
-        Backup original file and remove JndiLookup.class from JAR recursively.
-        With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class
---force-fix
-        Do not prompt confirmation. Don't use this option unless you know what you are doing.
---debug
-        Print exception stacktrace for debugging.
---trace
-        Print all directories and files while scanning.
---silent
-        Do not print anything until scan is completed.
 --scan-log4j1
         Enables scanning for log4j 1 versions.
 --scan-logback
         Enables scanning for logback CVE-2021-42550.
 --scan-zip
         Scan also .zip extension files. This option may slow down scanning.
+--fix
+        Backup original file and remove JndiLookup.class from JAR recursively.
+        With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class
+--force-fix
+        Do not prompt confirmation. Don't use this option unless you know what you are doing.
+--all-drives
+        Scan all drives on Windows
+--drives c,d
+        Scan specified drives on Windows. Spaces are not allowed here.
 --no-symlink
         Do not detect symlink as vulnerable file.
 --exclude [path_prefix]
@@ -55,10 +53,6 @@ Usage: log4j2-scan [--fix] target_path1 target_path2
         Exclude specified paths by pattern. You can specify multiple --exclude-pattern [pattern] pairs (non regex)
 --exclude-fs nfs,tmpfs
         Exclude paths by file system type. nfs, tmpfs, devtmpfs, and iso9660 is ignored by default.
---all-drives
-        Scan all drives on Windows
---drives c,d
-        Scan specified drives on Windows. Spaces are not allowed here.
 --report-csv
         Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]
 --report-path
@@ -69,6 +63,12 @@ Usage: log4j2-scan [--fix] target_path1 target_path2
         Do not generate empty report.
 --old-exit-code
         Return sum of vulnerable and potentially vulnerable files as exit code.
+--debug
+        Print exception stacktrace for debugging.
+--trace
+        Print all directories and files while scanning.
+--silent
+        Do not print anything until scan is completed.
 --help
         Print this help.
 ```
@@ -83,7 +83,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.3.1.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.3.2.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. Depending the Operating System:

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.3.1</version>
+	<version>2.3.2</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/Configuration.java

@@ -41,29 +41,27 @@ public class Configuration {
 	private Set<String> excludeFileSystems = new HashSet<String>();
 
 	public static void pringUsage() {
-		System.out.println("Usage: log4j2-scan [--fix] target_path1 target_path2");
+		System.out.println("Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2");
 		System.out.println("");
 		System.out.println("-f [config_file_path]");
 		System.out.println("\tSpecify config file path which contains scan target paths.\n"
 				+ "\tPaths should be separated by new line. Prepend # for comment.");
-		System.out.println("--fix");
-		System.out.println("\tBackup original file and remove JndiLookup.class from JAR recursively.");
-		System.out.println(
-				"\tWith --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class");
-		System.out.println("--force-fix");
-		System.out.println("\tDo not prompt confirmation. Don't use this option unless you know what you are doing.");
-		System.out.println("--debug");
-		System.out.println("\tPrint exception stacktrace for debugging.");
-		System.out.println("--trace");
-		System.out.println("\tPrint all directories and files while scanning.");
-		System.out.println("--silent");
-		System.out.println("\tDo not print anything until scan is completed.");
 		System.out.println("--scan-log4j1");
 		System.out.println("\tEnables scanning for log4j 1 versions.");
 		System.out.println("--scan-logback");
 		System.out.println("\tEnables scanning for logback CVE-2021-42550.");
 		System.out.println("--scan-zip");
 		System.out.println("\tScan also .zip extension files. This option may slow down scanning.");
+		System.out.println("--fix");
+		System.out.println("\tBackup original file and remove JndiLookup.class from JAR recursively.");
+		System.out.println(
+				"\tWith --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class");
+		System.out.println("--force-fix");
+		System.out.println("\tDo not prompt confirmation. Don't use this option unless you know what you are doing.");
+		System.out.println("--all-drives");
+		System.out.println("\tScan all drives on Windows");
+		System.out.println("--drives c,d");
+		System.out.println("\tScan specified drives on Windows. Spaces are not allowed here.");
 		System.out.println("--no-symlink");
 		System.out.println("\tDo not detect symlink as vulnerable file.");
 		System.out.println("--exclude [path_prefix]");
@@ -76,10 +74,6 @@ public static void pringUsage() {
 				"\tExclude specified paths by pattern. You can specify multiple --exclude-pattern [pattern] pairs (non regex)");
 		System.out.println("--exclude-fs nfs,tmpfs");
 		System.out.println("\tExclude paths by file system type. nfs, tmpfs, devtmpfs, and iso9660 is ignored by default.");
-		System.out.println("--all-drives");
-		System.out.println("\tScan all drives on Windows");
-		System.out.println("--drives c,d");
-		System.out.println("\tScan specified drives on Windows. Spaces are not allowed here.");
 		System.out.println("--report-csv");
 		System.out.println(
 				"\tGenerate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]");
@@ -91,6 +85,12 @@ public static void pringUsage() {
 		System.out.println("\tDo not generate empty report.");
 		System.out.println("--old-exit-code");
 		System.out.println("\tReturn sum of vulnerable and potentially vulnerable files as exit code.");
+		System.out.println("--debug");
+		System.out.println("\tPrint exception stacktrace for debugging.");
+		System.out.println("--trace");
+		System.out.println("\tPrint all directories and files while scanning.");
+		System.out.println("--silent");
+		System.out.println("\tDo not print anything until scan is completed.");
 		System.out.println("--help");
 		System.out.println("\tPrint this help.");
 	}

src/main/java/com/logpresso/scanner/Detector.java

@@ -211,16 +211,15 @@ private DetectResult scanStream(File jarFile, InputStream is, List<String> pathC
 			}
 
 			log4j2Mitigated &= shadedJndiLookupPaths.isEmpty();
-			if(log4j2Version != null) {
-				if(isVulnerableLog4j2(Version.parse(log4j2Version))) {
+			if (log4j2Version != null) {
+				if (isVulnerableLog4j2(Version.parse(log4j2Version))) {
 					printDetectionForLog4j2(jarFile, pathChain, log4j2Version, log4j2Mitigated, false);
 					if (log4j2Mitigated)
 						result.setMitigated();
 					else
 						result.setVulnerable();
 				}
-			}
-			else if (!log4j2Mitigated) {
+			} else if (!log4j2Mitigated) {
 				printDetectionForLog4j2(jarFile, pathChain, POTENTIALLY_VULNERABLE, false, true);
 				result.setPotentiallyVulnerableLog4j2();
 			}

src/main/java/com/logpresso/scanner/Log4j2Scanner.java

@@ -15,7 +15,7 @@
 import com.logpresso.scanner.utils.ZipUtils;
 
 public class Log4j2Scanner {
-	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-19)";
+	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)";
 
 	private static final boolean isWindows = File.separatorChar == '\\';
 
@@ -46,7 +46,13 @@ public void run(String[] args) throws Exception {
 
 		if (config.isFix() && !config.isForce()) {
 			try {
-				System.out.print("This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? ");
+				if (config.isScanForLog4j1()) {
+					System.out.print("This command will remove JndiLookup.class from log4j2-core binaries and "
+							+ "remove JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class "
+							+ "from log4j1-core binaries. Are you sure [y/N]? ");
+				} else {
+					System.out.print("This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? ");
+				}
 				BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
 				String answer = br.readLine();
 				if (!answer.equalsIgnoreCase("y")) {