Restriction preventing use of both --report-csv and --report-json #210

Closed
sds83uk opened this issue Dec 23, 2021 · 8 comments
sds83uk commented Dec 23, 2021

Hi,

I drafted the following a few days ago but at that time a problem with my account meant that I was unable to add it as a comment to a previous issue.
As this now covers two closed issues (references added) and has a separate request I hope this is an appropriate way to raise this.

Original example (#174, resolved in version 2.4.1)

In version 2.4.0 there is an output which explains what happened here:
Command: log4j2-scan.exe --report-json --report-path out.json c:\
Output (v.2.4.0): Cannot write report file. File already exists: c:\out.json
i.e. the CSV was written first and the JSON file couldn't be created

Example 2 (#203, resolved in version 2.6.1)

I mention this because in version 2.4.0 --report-json --report-dir Reports creates both JSON and CSV (due to unique names):
Command: log4j2-scan.exe --report-json --report-dir Reports C:\

Whereas, because --report-dir still implies --report-csv, version 2.4.1 advises:
Output (v2.4.1): Error: Cannot use both --report-csv and --report-json options. Choose one.

Changing tack slightly... The reason for raising this issue...

Example 3 (this issue)

Whilst testing version 2.4.0 with the following command the output was beautiful, wonderful work!
Command: log4j2-scan.exe --all-drives --scan-log4j1 --scan-logback --scan-zip --report-csv --report-json --no-empty-report >> %COMPUTERNAME%_log4j2_scan_report.txt

Testing again with version 2.4.1, the same error is presented:
Output (v2.4.1): Error: Cannot use both --report-csv and --report-json options. Choose one.

Request

Would it be possible/appropriate to remove this check?

```java
// check conflict between --report-csv and --report-json
if (c.reportCsv && c.reportJson)
    throw new IllegalArgumentException("Cannot use both --report-csv and --report-json options. Choose one.");
```

Because due to the other alterations [in version 2.4.1 and 2.6.1]:

  • --report-json --report-path out.json would work as intended (json output file #174)
  • --report-path would still imply --report-csv if neither report type was specifically requested
  • --report-dir would still imply --report-csv if neither report type was specifically requested

```java
// set --report-csv implicitly
if (c.reportPath != null && (!c.reportCsv && !c.reportJson))
    c.reportCsv = true;
if (c.reportDir != null && (!c.reportCsv && !c.reportJson))
    c.reportCsv = true;
```

This would allow us to continue to create both types of reports whilst we determine how we plan to consume the data.

Thank you for your time and consideration.

xeraph added the discussion question or suggestion label Dec 23, 2021
xeraph self-assigned this Dec 23, 2021

xeraph (Contributor) commented Dec 23, 2021

@sds83uk Why do you need both CSV and JSON report files, which have the same data?

sds83uk (Author) commented Dec 23, 2021

Unfortunately we are still very much in the investigation stage.
The CSV format will be more comfortable for some teams to review.
The detailed information (and errors) presented in the JSON file is great for our technical teams.

xeraph (Contributor) commented Dec 23, 2021

@sds83uk
Since CSV and JSON share the same --report-path and --report-dir, you should choose one.
(For example, if you specify --report-path, what does it mean? CSV path? Or JSON path?)
If some teams prefer CSV format, you can convert JSON to CSV files using Logpresso Mini (another freeware).

Download the Windows or Linux binary from here:
https://github.com/logpresso/community

Use this command with the uploaded query.txt:

logpresso.exe -f query.txt

Then, Logpresso Mini will merge all JSON report files into a single CSV file, log4j2_scan_all_reports.csv

Query:

```
textfile erex="^}$" log4j2_scan_report*.json
| parsejson
| parsemap field=summary overlay=t | explode files
| parsemap field=files overlay=t | explode reports
| parsemap field=reports overlay=t
| fields hostname, path, entry, product, version, cve, status, fixed, detected_at
| outputcsv log4j2_scan_all_reports.csv hostname, path, entry, product, version, cve, status, fixed, detected_at
```
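An added example, not part of the comment above and not code from log4j2-scan or Logpresso: the same summary, files, reports flattening done with the Python standard library, for teams that would rather not install another tool. The JSON layout is assumed from the query's `parsemap`/`explode` steps, the sample data and all function names are constructed here, and `safe_cell` additionally quote-prefixes values that a spreadsheet would evaluate as formulas, since paths and entry names come from the scanned hosts.

```python
import csv, io, json

# Columns selected by the Logpresso query above.
FIELDS = ["hostname", "path", "entry", "product", "version",
          "cve", "status", "fixed", "detected_at"]

def iter_json_objects(text):
    """Yield each top-level JSON object; one file may hold several."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():          # raw_decode rejects leading whitespace
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def flatten(doc):
    """Overlay summary, then each file, then each report (parsemap/explode)."""
    base = dict(doc.get("summary") or {})
    for f in doc.get("files") or []:
        per_file = {**base, **{k: v for k, v in f.items() if k != "reports"}}
        for report in f.get("reports") or []:   # files with no reports add no row
            yield {**per_file, **report}

def safe_cell(value):
    """Stringify; quote-prefix values a spreadsheet would treat as a formula."""
    text = "" if value is None else str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def reports_to_csv(texts):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    for text in texts:
        for doc in iter_json_objects(text):
            for row in flatten(doc):
                writer.writerow([safe_cell(row.get(name)) for name in FIELDS])
    return out.getvalue()

# Constructed sample (assumed schema, placeholder values): two report objects.
SAMPLE = """{"summary": {"hostname": "host-a"}, "files": [
  {"path": "/opt/app/lib/example.jar", "reports": [
    {"entry": "", "product": "example-lib", "version": "0.0.0",
     "cve": "CVE-PLACEHOLDER", "status": "EXAMPLE", "fixed": false,
     "detected_at": "2021-12-23 10:00:00"}]}]}
{"summary": {"hostname": "host-b"}, "files": [
  {"path": "/srv/app.war", "reports": [
    {"entry": "=lib/example.jar", "product": "example-lib"}]},
  {"path": "/srv/clean.jar", "reports": []}]}"""
```

To merge real reports, pass `reports_to_csv` the text of every file matching `log4j2_scan_report*.json` and write the returned string to disk.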

sds83uk (Author) commented Dec 23, 2021

My apologies, I see it now!
It was late when I wrote my comment and I didn't put it under scrutiny again in the light of day.

Could the snippet I suggested removing be changed to only apply to --report-path (i.e. if the following parameters are specified):
--report-csv --report-json --report-path?

I understand and would be okay with both types of reports being created in the same folder if the following parameters were used:
--report-csv --report-json
or
--report-csv --report-json --report-dir Reports

If needed, a caller/wrapper script can be modified to move these to alternative locations (post execution).

Having said that, I also recognise that someone else may have a different requirement to store the files in separate folders during execution (rather than running twice) and will certainly look into the tool you have suggested to see what we can do with that.

Thank you for your continued contributions to the community!

xeraph (Contributor) commented Dec 23, 2021

@sds83uk A bit complicated but it makes sense. I'll fix it.

xeraph added enhancement New feature or request patch released labels Dec 23, 2021

xeraph (Contributor) commented Dec 26, 2021

@sds83uk Fixed in v2.6.2. Would you test it?

sds83uk (Author) commented Dec 26, 2021

Thank you! This is now working as requested:

Create named report files

  1. --report-path Test1.csv
    OUTPUT: created CSV (as --report-path "Implies --report-csv.")

  2. --report-path Test2.csv --report-csv
    OUTPUT: created CSV

  3. --report-path Test3.csv --report-csv --report-json
    OUTPUT: Cannot use both --report-csv and --report-json options if --report-path is specified. Choose one.

  4. --report-path Test4.json --report-json
    OUTPUT: created JSON

Note: Above tests fail if file already exists, i.e. "Error: File already exists - ...\Test1.csv"

Create timestamped report files in specified output directory:

File name = log4j2_scan_report_yyyyMMdd_HHmmss

  1. --report-dir OutputDir
    OUTPUT: created CSV (as --report-dir "Implies --report-csv.")

  2. --report-dir OutputDir --report-csv
    OUTPUT: created CSV

  3. --report-dir OutputDir --report-csv --report-json
    OUTPUT: created CSV and JSON

  4. --report-dir OutputDir --report-json
    OUTPUT: created JSON

  5. --report-csv
    OUTPUT: created CSV

  6. --report-json
    OUTPUT: created JSON

sds83uk closed this as completed Dec 26, 2021

xeraph (Contributor) commented Dec 26, 2021

@sds83uk Thank you for the detailed test report!
