Support deep nested JAR and patch for spring boot JAR, Added --silent option.

Author: xeraph

README.md

@@ -3,40 +3,42 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 vulnerability (log4j 2.15.0).
 
 ### Download
-* [log4j2-scan 1.4.0 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.4.0/logpresso-log4j2-scan-1.4.0-win64.7z)
+* [log4j2-scan 1.5.0 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.5.0/logpresso-log4j2-scan-1.5.0-win64.7z)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 1.4.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.4.0/logpresso-log4j2-scan-1.4.0-linux.tar.gz)
+* [log4j2-scan 1.5.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.5.0/logpresso-log4j2-scan-1.5.0-linux.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 1.4.0 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.4.0/logpresso-log4j2-scan-1.4.0.jar)
+* [log4j2-scan 1.5.0 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.5.0/logpresso-log4j2-scan-1.5.0.jar)
 
 ### How to use
 Just run log4j2-scan.exe or log4j2-scan with target directory path.
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 1.4.0 (2021-12-15)
+Logpresso CVE-2021-44228 Vulnerability Scanner 1.5.0 (2021-12-15)
 Usage: log4j2-scan [--fix] target_path
 
 --fix
-	Backup original file and remove JndiLookup.class from JAR recursively.
+        Backup original file and remove JndiLookup.class from JAR recursively.
 --force-fix
-	Do not prompt confirmation. Don't use this option unless you know what you are doing.
+        Do not prompt confirmation. Don't use this option unless you know what you are doing.
 --debug
-	Print exception stacktrace for debugging.
+        Print exception stacktrace for debugging.
 --trace
-	Print all directories and files while scanning.
+        Print all directories and files while scanning.
+--silent
+        Do not print anything until scan is completed.
 --scan-zip
-	Scan also .zip extension files. This option may slow down scanning.
+        Scan also .zip extension files. This option may slow down scanning.
 --no-symlink
-	Do not detect symlink as vulnerable file.
+        Do not detect symlink as vulnerable file.
 --exclude [path_prefix]
-	Exclude specified paths. You can specify multiple --exclude [path_prefix] pairs
+        Exclude specified paths. You can specify multiple --exclude [path_prefix] pairs
 --exclude-config [file_path]
-	Specify exclude path list in text file. Paths should be separated by new line. Prepend # for comment.
+        Specify exclude path list in text file. Paths should be separated by new line. Prepend # for comment.
 --all-drives
-	Scan all drives on Windows
+        Scan all drives on Windows
 --drives c,d
-	Scan specified drives on Windows. Spaces are not allowed here.
+        Scan specified drives on Windows. Spaces are not allowed here.
 ```
 
 On Windows
@@ -49,7 +51,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-1.4.0.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-1.5.0.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. It is necessary to shutdown any running JVM process before applying patch. Start affected JVM process after fix.

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>1.4.0</version>
+	<version>1.5.0</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/DummyInputStream.java

@@ -0,0 +1,74 @@
+package com.logpresso.scanner;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+// don't close underlying InputStream on close
+public class DummyInputStream extends InputStream {
+
+	private InputStream is;
+
+	public DummyInputStream(InputStream is) {
+		this.is = is;
+	}
+
+	@Override
+	public int read() throws IOException {
+		return is.read();
+	}
+
+	@Override
+	public int read(byte[] b) throws IOException {
+		return is.read(b);
+	}
+
+	@Override
+	public int read(byte[] b, int off, int len) throws IOException {
+		return is.read(b, off, len);
+	}
+
+	@Override
+	public long skip(long n) throws IOException {
+		return is.skip(n);
+	}
+
+	@Override
+	public int available() throws IOException {
+		return is.available();
+	}
+
+	@Override
+	public void close() throws IOException {
+		// ignore intentionally
+	}
+
+	@Override
+	public synchronized void mark(int readlimit) {
+		is.mark(readlimit);
+	}
+
+	@Override
+	public synchronized void reset() throws IOException {
+		is.reset();
+	}
+
+	@Override
+	public boolean markSupported() {
+		return is.markSupported();
+	}
+
+	@Override
+	public int hashCode() {
+		return is.hashCode();
+	}
+
+	@Override
+	public boolean equals(Object obj) {
+		return is.equals(obj);
+	}
+
+	@Override
+	public String toString() {
+		return is.toString();
+	}
+}