Detect also shaded Log4j2, Log4j1 JAR files. v2.3.0

Author: xeraph

README.md

@@ -3,14 +3,14 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.2.2 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.2.2/logpresso-log4j2-scan-2.2.2-win64.7z)
-* [log4j2-scan 2.2.2 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.2.2/logpresso-log4j2-scan-2.2.2-win64.zip)
+* [log4j2-scan 2.3.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0-win64.7z)
+* [log4j2-scan 2.3.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.2.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.2.2/logpresso-log4j2-scan-2.2.2-linux.tar.gz)
+* [log4j2-scan 2.3.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0-linux.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.2.2 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.2.2/logpresso-log4j2-scan-2.2.2.jar)
+* [log4j2-scan 2.3.0 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -20,7 +20,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.0 (2021-12-18)
 Usage: log4j2-scan [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -81,7 +81,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.2.2.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.3.0.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. Depending the Operating System:

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.2.2</version>
+	<version>2.3.0</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/DetectResult.java

@@ -0,0 +1,85 @@
+package com.logpresso.scanner;
+
+public class DetectResult {
+	private boolean vulnerable = false;
+	private boolean mitigated = false;
+	private boolean potentiallyVulnerableLog4j2 = false;
+	private boolean potentiallyVulnerableLog4j1 = false;
+	private boolean potentiallyVulnerableLogback = false;
+	private boolean nestedJar = false;
+
+	public void merge(DetectResult result) {
+		vulnerable |= result.isVulnerable();
+		mitigated |= result.isMitigated();
+		potentiallyVulnerableLog4j1 |= result.isPotentiallyVulnerableLog4j1();
+		potentiallyVulnerableLog4j2 |= result.isPotentiallyVulnerableLog4j2();
+		potentiallyVulnerableLogback |= result.isPotentiallyVulnerableLogback();
+	}
+
+	public boolean isVulnerable() {
+		return vulnerable;
+	}
+
+	public void setVulnerable() {
+		this.vulnerable = true;
+	}
+
+	public boolean isMitigated() {
+		return mitigated;
+	}
+
+	public void setMitigated() {
+		this.mitigated = true;
+	}
+
+	public boolean isPotentiallyVulnerableLog4j2() {
+		return potentiallyVulnerableLog4j2;
+	}
+
+	public void setPotentiallyVulnerableLog4j2() {
+		this.potentiallyVulnerableLog4j2 = true;
+	}
+
+	public boolean isPotentiallyVulnerableLog4j1() {
+		return potentiallyVulnerableLog4j1;
+	}
+
+	public void setPotentiallyVulnerableLog4j1() {
+		this.potentiallyVulnerableLog4j1 = true;
+	}
+
+	public boolean isPotentiallyVulnerableLogback() {
+		return potentiallyVulnerableLogback;
+	}
+
+	public void setPotentiallyVulnerableLogback() {
+		this.potentiallyVulnerableLogback = true;
+	}
+
+	public boolean hasNestedJar() {
+		return nestedJar;
+	}
+
+	public void setNestedJar(boolean nestedJar) {
+		this.nestedJar |= nestedJar;
+	}
+
+	public Status getStatus() {
+		if (vulnerable)
+			return Status.VULNERABLE;
+		else if (mitigated)
+			return Status.MITIGATED;
+		else if (isPotentiallyVulnerable())
+			return Status.POTENTIALLY_VULNERABLE;
+		return Status.NOT_VULNERABLE;
+	}
+
+	public boolean isPotentiallyVulnerable() {
+		return potentiallyVulnerableLog4j2 || potentiallyVulnerableLog4j1 || potentiallyVulnerableLogback;
+	}
+
+	public boolean isFixRequired() {
+		// Don't touch potentially vulnerable log4j2
+		return vulnerable || potentiallyVulnerableLog4j1 || potentiallyVulnerableLogback;
+	}
+}