Added missing mitigated tag for log4j1 and logback detection.

Author: xeraph

README.md

@@ -3,14 +3,14 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.3.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0-win64.7z)
-* [log4j2-scan 2.3.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0-win64.zip)
+* [log4j2-scan 2.3.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-win64.7z)
+* [log4j2-scan 2.3.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.3.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0-linux.tar.gz)
+* [log4j2-scan 2.3.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1-linux.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.3.0 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.0/logpresso-log4j2-scan-2.3.0.jar)
+* [log4j2-scan 2.3.1 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.1/logpresso-log4j2-scan-2.3.1.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -20,7 +20,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.0 (2021-12-18)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-18)
 Usage: log4j2-scan [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -81,7 +81,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.3.0.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.3.1.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. Depending the Operating System:

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.3.0</version>
+	<version>2.3.1</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/Detector.java

@@ -223,23 +223,23 @@ private DetectResult scanStream(File jarFile, InputStream is, List<String> pathC
 			}
 
 			if (log4j1Version != null) {
-				printDetectionForLog4j1(jarFile, pathChain, log4j1Version);
+				printDetectionForLog4j1(jarFile, pathChain, log4j1Version, !foundJmsAppender);
 				if (foundJmsAppender)
 					result.setPotentiallyVulnerableLog4j1();
 				else
 					result.setMitigated();
 			} else if (foundJmsAppender) {
-				printDetectionForLog4j1(jarFile, pathChain, POTENTIALLY_VULNERABLE);
+				printDetectionForLog4j1(jarFile, pathChain, POTENTIALLY_VULNERABLE, false);
 			}
 
 			if (logbackVersion != null) {
-				printDetectionForLogback(jarFile, pathChain, logbackVersion);
+				printDetectionForLogback(jarFile, pathChain, logbackVersion, !foundJndiUtil);
 				if (foundJndiUtil)
 					result.setPotentiallyVulnerableLogback();
 				else
 					result.setMitigated();
 			} else if (foundJndiUtil) {
-				printDetectionForLogback(jarFile, pathChain, POTENTIALLY_VULNERABLE);
+				printDetectionForLogback(jarFile, pathChain, POTENTIALLY_VULNERABLE, false);
 			}
 
 			return result;
@@ -328,23 +328,29 @@ else if (version.startsWith("2.16.") || version.equals("2.12.2"))
 		addReport(jarFile, pathChain, version, mitigated, potential);
 	}
 
-	private void printDetectionForLog4j1(File jarFile, List<String> pathChain, String version) {
+	private void printDetectionForLog4j1(File jarFile, List<String> pathChain, String version, boolean mitigated) {
 		String path = jarFile.getAbsolutePath();
 		if (pathChain != null && !pathChain.isEmpty())
 			path += " (" + StringUtils.toString(pathChain) + ")";
 
 		String msg = "[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in " + path + ", log4j " + version;
+		if (mitigated)
+			msg += " (mitigated)";
+
 		System.out.println(msg);
 
 		addReport(jarFile, pathChain, version, false, true);
 	}
 
-	private void printDetectionForLogback(File jarFile, List<String> pathChain, String version) {
+	private void printDetectionForLogback(File jarFile, List<String> pathChain, String version, boolean mitigated) {
 		String path = jarFile.getAbsolutePath();
 		if (pathChain != null && !pathChain.isEmpty())
 			path += " (" + StringUtils.toString(pathChain) + ")";
 
 		String msg = "[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in " + path + ", logback " + version;
+		if (mitigated)
+			msg += " (mitigated)";
+
 		System.out.println(msg);
 
 		addReport(jarFile, pathChain, version, false, true);

src/main/java/com/logpresso/scanner/Log4j2Scanner.java

@@ -15,7 +15,7 @@
 import com.logpresso.scanner.utils.ZipUtils;
 
 public class Log4j2Scanner {
-	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.0 (2021-12-19)";
+	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-19)";
 
 	private static final boolean isWindows = File.separatorChar == '\\';