logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Possibility to rename backup file #181

Closed smartcitygame closed 2 years ago

smartcitygame commented 2 years ago

Hi,

right now the backup file has a .jar.bak extension. Could you add the possibility to rename the .jar extension to just a new extension, e.g. .bak or .xxx (could be a parameter), so that in future these backed-up files will not be scanned by some automatic tools? Right now lots of scans look for .jar files. Systems are alive, so each day new things come and even some files could be overwritten (even the fixed ones), so this functionality will prevent fixing or scanning backed-up files.

xeraph commented 2 years ago

@smartcitygame Would you test v2.5.0 release? It can meet your requirement. :D

smartcitygame commented 2 years ago

Hi, could you give me some tips on how to test? I couldn't find any new parameter that will change this bkp extension, or maybe it is combined with other functionality?

xeraph commented 2 years ago

@smartcitygame v2.5.0 doesn't keep .bak files in each directory. Instead, the scanner archives all .bak files in a zip file and deletes them. No option changes. The default behavior is changed.

smartcitygame commented 2 years ago

Hi, the functionality works, but unfortunately for me the problem will persist, as our scanners (also yours) can look into zip archives and will find these jars with vulnerable classes. Really, renaming the extension is the only option for me.

xeraph commented 2 years ago

@smartcitygame OK I will add an option. :D

smartcitygame commented 2 years ago

Thank you. It is great tool. Really amazing job you all did!!!

xeraph commented 2 years ago

@smartcitygame Would you test the v2.5.2 release? Use the --backup-ext option, e.g. --backup-ext bak. BTW, why do you use another scanner? Is something missing in log4j2-scan?

smartcitygame commented 2 years ago

Thank you!!!

We are also using https://github.com/mergebase/log4j-detector, but it only reports if a file is affected and mostly focuses on log4j2. I prefer your scanner/fixer :) it is much better.
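The three backup layouts discussed in this thread, shown side by side with two kinds of scanner, as an added example that is not part of the logpresso project's code or of either commenter's posts. It constructs a stand-in for a vulnerable log4j-core jar (a zip holding only a fake JndiLookup.class member) and writes it out three ways: as the pre-v2.5.0 `<name>.jar.bak` beside the jar, inside a backup zip as in v2.5.0, and with the `.jar` suffix replaced by `.bak` as the thread asks `--backup-ext bak` to do. That last naming, the archive name `log4j2_scan_backup.zip`, and the suffix list an extension-based scanner checks are assumptions for this example, not the tool's documented behaviour. The point it makes: an extension-matching scanner that also recurses into zip archives flags the first two layouts, so archiving the .bak files does not hide them; only the renamed file escapes it, and a scanner that opens any file carrying the zip magic bytes still finds all three, because the vulnerable class is still on disk.

```python
import io
import os
import tempfile
import zipfile
from typing import List

# Member whose presence marks a log4j-core jar with the JNDI lookup (CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ZIP_MAGIC = b"PK\x03\x04"
# Suffixes an extension-based scanner inspects (assumed for this example).
SCANNED_SUFFIXES = (".jar", ".jar.bak", ".war", ".ear", ".zip")


def _zip_contains_jndi(data: bytes) -> bool:
    """True if the zip, or any zip nested inside it, contains JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                return True
            member = zf.read(name)
            # Recurse into nested archives by content, whatever the member is called.
            if member[:4] == ZIP_MAGIC and _zip_contains_jndi(member):
                return True
    return False


def _walk(root: str):
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            yield path, os.path.relpath(path, root).replace(os.sep, "/")


def scan_by_extension(root: str) -> List[str]:
    """Scanner that only opens files whose name ends in a known archive suffix."""
    hits = []
    for path, rel in _walk(root):
        if rel.lower().endswith(SCANNED_SUFFIXES):
            with open(path, "rb") as f:
                if _zip_contains_jndi(f.read()):
                    hits.append(rel)
    return sorted(hits)


def scan_by_magic(root: str) -> List[str]:
    """Scanner that opens any file starting with the zip magic, ignoring its name."""
    hits = []
    for path, rel in _walk(root):
        with open(path, "rb") as f:
            data = f.read()
        if data[:4] == ZIP_MAGIC and _zip_contains_jndi(data):
            hits.append(rel)
    return sorted(hits)


def build_fixture(root: str) -> None:
    """Constructed sample tree mirroring the three backup strategies in the thread."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe fake class body")  # fake stand-in
    vuln = buf.getvalue()
    # 1. pre-v2.5.0: backup kept beside the jar as <name>.jar.bak
    with open(os.path.join(lib, "log4j-core-2.14.1.jar.bak"), "wb") as f:
        f.write(vuln)
    # 2. v2.5.0: the .bak files archived into one zip (archive name assumed)
    with zipfile.ZipFile(os.path.join(root, "log4j2_scan_backup.zip"), "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar.bak", vuln)
    # 3. --backup-ext bak as requested in the thread: .jar replaced by .bak (naming assumed)
    with open(os.path.join(lib, "log4j-core-2.14.1.bak"), "wb") as f:
        f.write(vuln)


def demo() -> dict:
    """Run both scanners over the fixture and return what each one flags."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {"by_extension": scan_by_extension(root), "by_magic": scan_by_magic(root)}


if __name__ == "__main__":
    for scanner, hits in demo().items():
        print(scanner, hits)
```

Renaming the suffix therefore only buys silence from tools that select candidates by file name; it does not remove the vulnerable class from the host, so the renamed backups still deserve an inventory entry and an eventual deletion.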