In Go 1.19 the standard library's archive/zip package will
automatically and silently handle a prefixed zip file.
The log4jscanner package expects to handle the offset itself.
To let log4jscanner work with both Go 1.18 and 1.19,
change it to read the offset first, before using the archive/zip
package.
Tested by running tests with both Go 1.18 and Go tip.
Without this change, Go tip fails with

    --- FAIL: TestAutoMitigateExecutable (0.00s)
        --- FAIL: TestAutoMitigateExecutable/helloworld-executable (0.00s)
            rewrite_test.go:247: expected offset for executable testdata/helloworld-executable: got=0
        --- FAIL: TestAutoMitigateExecutable/vuln-class-executable (0.00s)
            rewrite_test.go:247: expected offset for executable testdata/vuln-class-executable: got=0
    FAIL
    FAIL github.com/google/log4jscanner/jar 34.541s
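
The approach the commit message describes, reading the prefix offset before archive/zip sees the file, can be sketched as follows. This is an added example, not log4jscanner's code: `zipOffset` and `samplePrefixed` are hypothetical names, the input is constructed in memory, and zip64 archives are assumed not to occur.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// zipOffset returns the number of bytes before the zip data (hypothetical helper, no zip64).
func zipOffset(r io.ReaderAt, size int64) (int64, error) {
	n := int64(22 + 65535) // EOCD record plus the largest possible comment
	if n > size {
		n = size
	}
	tail := make([]byte, n)
	if _, err := r.ReadAt(tail, size-n); err != nil && err != io.EOF {
		return 0, err
	}
	for i := len(tail) - 22; i >= 0; i-- {
		if binary.LittleEndian.Uint32(tail[i:]) != 0x06054b50 ||
			i+22+int(binary.LittleEndian.Uint16(tail[i+20:])) != len(tail) {
			continue // not an EOCD record ending exactly at end of file
		}
		cdSize := int64(binary.LittleEndian.Uint32(tail[i+12:]))
		cdOff := int64(binary.LittleEndian.Uint32(tail[i+16:]))
		// Actual directory start minus the start EOCD records is the prefix length.
		if off := size - n + int64(i) - cdSize - cdOff; off >= 0 {
			return off, nil
		}
	}
	return 0, fmt.Errorf("zip: no consistent end-of-central-directory record")
}

// samplePrefixed builds constructed input: a launcher stub followed by a zip.
func samplePrefixed(prefix string) []byte {
	buf := bytes.NewBufferString(prefix)
	zw := zip.NewWriter(buf)
	w, _ := zw.Create("hello.txt")
	w.Write([]byte("hi"))
	zw.Close()
	return buf.Bytes()
}

func main() {
	data := samplePrefixed("#!/bin/sh\nexec java -jar \"$0\" \"$@\"\n")
	off, err := zipOffset(bytes.NewReader(data), int64(len(data)))
	fmt.Println("zip data starts at byte", off, err)
}
```

Passing `io.NewSectionReader(r, off, size-off)` to `zip.NewReader` then gives archive/zip only the zip bytes, so the offset the caller sees does not depend on whether the library skips prefixes itself.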