Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional output of secure log4j Versions #273

Open
OrbbQ3 opened this issue Feb 8, 2022 · 7 comments
Open

Additional output of secure log4j Versions #273

OrbbQ3 opened this issue Feb 8, 2022 · 7 comments
Assignees
Labels
enhancement New feature or request patch released

Comments

@OrbbQ3
Copy link

OrbbQ3 commented Feb 8, 2022

Hi,

the current implementation does not output secure log4j versions (for example 2.17.1) to the output files (for example csv) and to the console. After investigation in the code, it seems, there are these code fragments in file Detector.java, that prevent this:

...
if (isVulnerableLog4j2(Version.parse(log4j2Version))) {
					printDetectionForLog4j2(jarFile, pathChain, log4j2Version, log4j2Mitigated, false);

...
vulnerable = isVulnerableLog4j1(Version.parse(log4j1Version));
					if (vulnerable)
						printDetectionForLog4j1(jarFile, pathChain, log4j1Version, log4j1Mitigated);
...

Is it possible to ouput this versions as not vulnerable too (for example with a additional command line switch)?

Background:
Output of not vulnerable versions is needed for build up a history in splunk.

Thank you

ChKemper added a commit to atruvia/CVE-2021-44228-Scanner that referenced this issue Feb 8, 2022
Printed versions of secure versions

"Copyright © 2021 Atruvia AG <[email protected]>"
@xeraph xeraph self-assigned this Feb 12, 2022
@xeraph xeraph added the enhancement New feature or request label Feb 12, 2022
@xeraph xeraph closed this as completed in a4bb968 Feb 13, 2022
@xeraph
Copy link
Contributor

xeraph commented Feb 13, 2022

@OrbbQ3 Would you test v3.0.1 release? You can use --report-patch option.

@OrbbQ3
Copy link
Author

OrbbQ3 commented Feb 13, 2022

@ChKemper and @xeraph: first thank you for the implementation. I will test it tomorrow in my test environment and give you the result.

@OrbbQ3
Copy link
Author

OrbbQ3 commented Feb 14, 2022

I tested the new version and get following result:

  • Safe versions are reported to the console
  • but not to the output files (here csv)

Scanner was startet with following arguments:
log4j2-scan.exe --scan-log4j1 --scan-logback --report-patch --scan-zip --all-drives --silent --csv-log-path "C:\log4j.csv"

For example put the file log4j-core-2.17.1.jar from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip to C:\ and you get the described behaviour.

Can you please take a look into this again?

Thank you

@thl-cmk
Copy link

thl-cmk commented Feb 14, 2022

@xeraph I Like this option. It would be nice to have also an additional summary line like Found 3 safe files, and yes if this information will show up in all the reports/logs this would be perfect :-)

OMD[build]:~$ local/share/check_mk/agents/plugins/log4j2-scan.linux --report-patch --scan-zip /home/thl/apache-log4j-2.17.1-bin.zip 
Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13)
Scanning directory by user 'build': /home/thl/apache-log4j-2.17.1-bin.zip (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /proc/sys/fs/binfmt_misc, /opt/omd/sites/build/tmp, /run/user/999, /run/user/1000)
[-] Found safe log4j 2.17.1 version in /home/thl/apache-log4j-2.17.1-bin.zip (apache-log4j-2.17.1-bin/log4j-core-2.17.1.jar)
[-] Found safe log4j 2.17.1 version in /home/thl/apache-log4j-2.17.1-bin.zip (apache-log4j-2.17.1-bin/log4j-core-2.17.1-sources.jar)
[-] Found safe log4j 2.17.1 version in /home/thl/apache-log4j-2.17.1-bin.zip (apache-log4j-2.17.1-bin/log4j-core-2.17.1-tests.jar)

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
**Found 3 safe files**
Completed in 0.72 seconds

@ChKemper
Copy link
Contributor

Hi @OrbbQ3,

I tested with the files provided at src/test/resources. The patched versions are also shown in the JSON

{ "path": "/.../src/test/resources/log4j2-ok/log4j-core-2.17.1.jar", "status": "NOT_VULNERABLE", "reports": [ { "entry": "", "product": "Log4j 2", "version": "2.17.1", "cve": null, "status": "NOT_VULNERABLE", "fixed": false, "detected_at": "2022-02-14 11:52:21+0100" } ] },

and CSV:
"<hostname>","/.../src/test/resources/log4j2-ok/log4j-core-2.17.1.jar","","Log4j 2","2.17.1","null","NOT_VULNERABLE","","2022-02-14 11:55:03"

I tested with parameters --scan-zip --report-csv --report-json --report-patch src/test/resources
It seems that the reports are not written if you specify a --csv-log-path...

@OrbbQ3
Copy link
Author

OrbbQ3 commented Feb 14, 2022

Hi @ChKemper,

yes, you have right, it works with following call:
log4j2-scan.exe --scan-log4j1 --scan-logback --report-patch --scan-zip --all-drives --silent --report-csv --report-path "C:\log4j.csv"

The only thing, that i have to comment is, that the cve number in report is null. In my opinion this should be an empty string.

The run with the argument --csv-log-path does not work, because this output is done with the methods

  • printDetectionForLog4j2()
  • printDetectionForLog4j1()
    If this should be work too, methods printSafeLog4j2() and printSafeLog4j1() should be merged in the above corresponding methods.

@xeraph: In my opinion, working of this commandline switches should be synced or the switches --csv-log-path (and --json-log-path) should be marked as obsolete.

Thank you

ChKemper added a commit to atruvia/CVE-2021-44228-Scanner that referenced this issue Feb 15, 2022
Printed versions of secure versions - also in given Files
Refactoring report creation

"Copyright © 2021 Atruvia AG <[email protected]>"
@ChKemper
Copy link
Contributor

Hi @OrbbQ3,

I've done a short fix for this: #278

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request patch released
Projects
None yet
Development

No branches or pull requests

4 participants