Closed nikaiw closed 2 years ago
cc @ddworken
This reflects some of our internal expectations that users must upgrade to +2.16.x.
I don't really have a good answer for this request. The heuristics are brittle because JARs don't provide dependency version information in the archive. Also, supporting versions of Java that are end-of-lifed (Java 6) or end-of-lifed without a support contract (Java 7) isn't a high priority for us.
https://www.oracle.com/java/technologies/java-se-support-roadmap.html
We can definitely document this. I don't think we'd want to take code changes though (maybe an external hook?).
I understand the point of view, althought in my opinion this might give a false feeling of insecurity to application owners who would have a jvm7/jvm 6 application which was already updated to latest available log4j libraries.
Moreover, solving the problem looks (at first glance) easy and would simplify the detection method. ( I think it should at least be documented as the purpose of the scanner is to find vulnerable libraries and it is currently reporting non-vulnerable one).
The apache foundation continue to maintains log4j version specifically compatible with JVM7 and JVM6.
Thus: - version 2.12.2 (Java7) and version 2.3.1 (Java6) came out with patch like 2.16.0.
Unfortunately current detection stategy detect those version as vulnerable.
It is all the more unfortunate since the little brittle of checking the presence of "isJndiEnabled" seems a sufficient method for the moment.
As an example running the following command on a directory with all the existing log4j 2 branche will show all the patched version :
Running the log4scanner on the same directory with debug print()
We can see that 2.12.2, 2.12.3, 2.3.1 are matching the 216Pattern + Yara rule pattern and are wrongly detected as vulnerable