Closed TianXiaPlus closed 2 years ago
cc @ddworken
The scanner only supports log4j. It looks for byte patterns in files to infer versions and usages, rather than depending on class names or a metadata file, so it wouldn't be free to add other versions of other packages.
We've discussed expanding this to a general scanning framework, so you'd only have to walk the filesystem once, but that's a different project and it's not clear how you'd keep the scope or scale manageable.
Going to close for now, since we're not planning on adding other packages for now.
OK, thanks!
Logback, another log component, had a vulnerability disclosed in CVE-2021-42550. So, can this tool scan for vulnerabilities in other log components, such as Logback and java.util.logging.Logger?