Can not exclude specific files (only paths/directories is working)

[thl-cmk]

Hi,

I need to exclude specific files (not paths/directories) from the scan. So far I have tryed the --exclude and --exclude-config options, but no success.

PS C:\> & .\log4j2-scan --exclude "C:\Program Files (x86)\checkmk\service\install\python-3.8.zip" --scan-logback --scan-log4j1 --scan-zip --silent c:\
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.5 (2021-12-29)
Scanning directory: c:\ (without C:\PROGRAM FILES (X86)\CHECKMK\SERVICE\INSTALL\PYTHON-3.8.ZIP)
Skipping broken jar file c:\Program Files (x86)\checkmk\service\install\python-3.8.zip ('zip END header not found')

and with the --exclude-config option

PS C:\> & .\log4j2-scan --scan-logback --scan-log4j1 --scan-zip --silent --exclude-config .\exclude.cfg c:\
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.5 (2021-12-29)
Scanning directory: c:\ (without C:\PROGRAM FILES (X86)\CHECKMK\SERVICE\INSTALL\PYTHON-3.8.ZIP)
Skipping broken jar file c:\Program Files (x86)\checkmk\service\install\python-3.8.zip ('zip END header not found')

In both cases the scanner showes the file as excluded but still tryes to scan it.

[xeraph]

@thl-cmk You are right. Current version only excludes directories for maximum scan speed. If scanner tries to exclude also files, it should match all files (millions of..) and performance will be severely degraded. If you want to scan specific files, compose log4j2-scan with find command.

[thl-cmk]

I see.

If you want to scan specific files
I want exacly the oposite, scann all files except a few...

[xeraph]

Maybe another option should be added for that.. Exact full path match is relatively cheap (can use hash code), but current option uses prefix match for directory matching.. (comparison count = exclude pattern count x file count)

[thl-cmk]

Exact full path match is relatively cheap

would be great to have this, so I could exclude known errors (broken zip for any reason for example)

[mrl-siemens]

This discussion confirms that --exclude-pattern is completely non-functional for files and will continue to be. Please update the help output to clarify that the pattern only applies to directory names, not file names.

[xeraph]

@mrl-siemens Send me Pull Request. I think it already states directory like this:

--exclude [path_prefix]
        Full paths of ***directories*** whose absolute path starts with the specified value will be excluded.
        Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs

--exclude-pattern [pattern]
        Exclude specified paths of ***directories*** by pattern. Supports fragments.
        You can specify multiple --exclude-pattern [pattern] pairs (non regex)

[mrl-siemens]

Greetings, Similar language for the --exclude-filter option would be great. Sorry, I have no experience with GitHub. What is a PR? Thanks, Mark From: Yang, BongYeol (xeraph) ***@***.***> Sent: Thursday, December 30, 2021 11:20 AM To: logpresso/CVE-2021-44228-Scanner ***@***.***> Cc: Ludwig, Mark (DI SW LCS APPS TC-ENT) ***@***.***>; Mention ***@***.***> Subject: Re: [logpresso/CVE-2021-44228-Scanner] Can not exclude specific files (only paths/directories is working) (Issue #223) @mrl-siemens<https://github.com/mrl-siemens> Send me PR. I think it already states directory like this:

…

--exclude [path_prefix] Full paths of ***directories*** whose absolute path starts with the specified value will be excluded. Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs — Reply to this email directly, view it on GitHub<#223 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AXDFF4YNYVSYSBAOQYX6TR3UTSIFJANCNFSM5K7LMAGA>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[xeraph]

@thl-cmk @mrl-siemens
Would you test v2.7.0 release? You can use --exclude-file-config option to specify exclude file path list.

[thl-cmk]

@xeraph just tested. Windows looks good. Linux dosen't work :-(

the config file

thl-cmk@checkmk:~$ sudo cat /etc/check_mk/cve_2021_44228_log4j_exclude_files.cfg
# Specify file list. Files should be separated by new line. Prepend # for comment.
/home/thl-cmk/.cache/JetBrains/PyCharmCE2020.3/plugins/ideolog.zip
/home/thl-cmk/.cache/JetBrains/PyCharmCE2021.1/plugins/PowerShell.zip

the output from the scanner

thl-cmk@checkmk:~$ sudo /usr/lib/check_mk_agent/bin/log4j2-scan --exclude /mnt --exclude-file-config /etc/check_mk/cve_2021_44228_log4j_exclude_files.cfg --scan-logback --scan-log4j1 --scan-zip --no-symlink --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.7.1 (2022-01-02)
Scanning directory: / (without /mnt, /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /proc/sys/fs/binfmt_misc, /run/user/1000, /mnt/build, /mnt/cmk16nb)
Skipping broken jar file /home/thl-cmk/.cache/JetBrains/PyCharmCE2020.3/plugins/ideolog.zip ('Unexpected record signature: 0X1614')
Skipping broken jar file /home/thl-cmk/.cache/JetBrains/PyCharmCE2021.1/plugins/PowerShell.zip ('Unexpected record signature: 0X1754')
[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in /usr/bin/pycharm/pycharm-community-2021.1.3/lib/log4j.jar, log4j 1.2.17.2 (mitigated)

Scanned 36078 directories and 297538 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 33.60 seconds

as you can see the excluded files are not excluded.

[thl-cmk]

@xeraph I did a little more digging on the Linux issu with the --exclude-file-config option. Looks like it is working for zip files that get skipped because of ('zip END header not found') but not for files skipped becaus of ('Unexpected record signature: 0X1614') for example or ('unsupported feature encryption used in entry settings').

Hope this will help to get this option fixed ;-)