logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

What's the difference between vulnerable and potentially vulnerable results when running scan_log4j1 #195

Closed bpapitto closed 2 years ago

bpapitto commented 2 years ago

I ran the tool using the --scan-log4j1 switch (Enables scanning for log4j). Scan results indicate 5 potentially vulnerable files and no vulnerable files. What's the difference between vulnerable and potentially vulnerable files, and are potentially vulnerable files a risk?

xeraph commented 2 years ago

@bpapitto See https://github.com/logpresso/CVE-2021-44228-Scanner/issues/164#issuecomment-997737956