Ignore WinRAR files without error message, Resolve hostname using /etc/hosname. v2.1.3

Author: xeraph

README.md

@@ -3,12 +3,12 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0) and CVE-2021-4104 (log4j 1.x) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.1.2 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.1.2/logpresso-log4j2-scan-2.1.2-win64.7z)
+* [log4j2-scan 2.1.3 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.1.3/logpresso-log4j2-scan-2.1.3-win64.7z)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.1.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.1.2/logpresso-log4j2-scan-2.1.2-linux.tar.gz)
+* [log4j2-scan 2.1.3 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.1.3/logpresso-log4j2-scan-2.1.3-linux.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.1.2 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.1.2/logpresso-log4j2-scan-2.1.2.jar)
+* [log4j2-scan 2.1.3 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.1.3/logpresso-log4j2-scan-2.1.3.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -18,7 +18,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path.
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.1.2 (2021-12-17)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.1.3 (2021-12-17)
 Usage: log4j2-scan [--fix] target_path1 target_path2
 
 --fix
@@ -71,7 +71,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.1.2.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.1.3.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. It is necessary to shutdown any running JVM process before applying patch. Start affected JVM process after fix.

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.1.2</version>
+	<version>2.1.3</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/Log4j2Scanner.java

@@ -41,7 +41,7 @@
 import java.util.zip.ZipOutputStream;
 
 public class Log4j2Scanner {
-	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.1.2 (2021-12-17)";
+	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.1.3 (2021-12-17)";
 
 	public enum Status {
 		NOT_VULNERABLE, MITIGATED, POTENTIALLY_VULNERABLE, VULNERABLE;
@@ -1316,12 +1316,29 @@ private void ensureClose(ZipFile zipFile) {
 		}
 	}
 
-	private static String getHostname() {
+	private String getHostname() {
 		// Try to fetch hostname without DNS resolving for closed network
 		if (isWindows) {
 			return System.getenv("COMPUTERNAME");
 		} else {
-			return System.getenv("HOSTNAME");
+			String hostname = System.getenv("HOSTNAME");
+			if (hostname != null && !hostname.trim().isEmpty())
+				return hostname;
+
+			// try /etc/hostname
+			File f = new File("/etc/hostname");
+			if (!f.exists() || !f.canRead())
+				return null;
+
+			BufferedReader br = null;
+			try {
+				br = new BufferedReader(new InputStreamReader(new FileInputStream(f)));
+				return br.readLine();
+			} catch (IOException e) {
+				return null;
+			} finally {
+				ensureClose(br);
+			}
 		}
 	}
 }