logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Query regarding how to build native image #212

Closed sds83uk closed 2 years ago

sds83uk commented 2 years ago

I should probably start this query with a disclaimer...

I am not a Java developer but was asked if I could build the scanner, from source, into a Windows executable. It is a bit long-winded (and all new to me) but the short version is that I have found a way to install+configure the necessary components (initially in a Windows Sandbox) to allow me to "package" using VSCode+Maven and create the "native-image" as described here:

https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ

I recognise that a lot of fantastic work has been going on by all contributors and my old method is no longer working for two reasons:

1. Removal of scanner.json

native-image -jar .\cve-2021-44228-scanner-2.6.1\target\log4j2-scanner-2.6.1.jar log4j2-scan-2.6.1 -H:-CheckToolchain -H:ReflectionConfigurationFiles=.\cve-2021-44228-scanner-2.6.1\scanner.json

[log4j2-scan-2.6.1:88]    classlist:   8,739.36 ms,  0.96 GB
[log4j2-scan-2.6.1:88]        (cap):   5,463.59 ms,  0.96 GB
[log4j2-scan-2.6.1:88]        setup:   6,938.66 ms,  0.96 GB
Error: The reflection configuration file "C:\Users\WDAGUtilityAccount\Documents\.\cve-2021-44228-scanner-2.6.1\scanner.json" does not exist.
Error: Use -H:+ReportExceptionStackTraces to print stacktrace of underlying exception
[log4j2-scan-2.6.1:88]      [total]:  15,805.97 ms,  0.96 GB
# Printing build artifacts to: C:\Users\WDAGUtilityAccount\Documents\log4j2-scan-2.6.1.build_artifacts.txt
Error: Image build request failed with exit status 1

2. Dependency (org.apache.commons.compress)

native-image -jar .\cve-2021-44228-scanner-2.6.1\target\log4j2-scanner-2.6.1.jar

[log4j2-scan:15020]    classlist:   7,372.21 ms,  0.96 GB
[log4j2-scan:15020]        (cap):   2,373.99 ms,  0.96 GB
Warning: Could not resolve org.apache.commons.compress.archivers.zip.AsiExtraField for reflection configuration. Reason: java.lang.ClassNotFoundException: org.apache.commons.compress.archivers.zip.AsiExtraField.
... etc ...
Warning: Could not resolve org.apache.commons.compress.archivers.zip.ResourceAlignmentExtraField for reflection configuration. Reason: java.lang.ClassNotFoundException: org.apache.commons.compress.archivers.zip.ResourceAlignmentExtraField.
[log4j2-scan:15020]        setup:   5,606.78 ms,  0.96 GB
[log4j2-scan:15020]     (clinit):     865.20 ms,  1.56 GB
[log4j2-scan:15020]   (typeflow):  13,594.26 ms,  1.56 GB
[log4j2-scan:15020]    (objects):  24,443.31 ms,  1.56 GB
[log4j2-scan:15020]   (features):   6,393.23 ms,  1.56 GB
[log4j2-scan:15020]     analysis:  48,893.50 ms,  1.56 GB
[log4j2-scan:15020]     universe:   3,244.71 ms,  1.56 GB
[log4j2-scan:15020]      (parse):   2,526.12 ms,  1.56 GB
[log4j2-scan:15020]     (inline):  11,495.20 ms,  1.44 GB
[log4j2-scan:15020]    (compile):  14,865.42 ms,  1.47 GB
[log4j2-scan:15020]      compile:  34,052.47 ms,  1.48 GB
[log4j2-scan:15020]        image:   2,649.78 ms,  1.48 GB
[log4j2-scan:15020]        write:     631.30 ms,  1.48 GB
[log4j2-scan:15020]      [total]: 103,094.29 ms,  1.48 GB
# Printing build artifacts to: C:\Users\WDAGUtilityAccount\Documents\log4j2-scan.build_artifacts.txt

Having seen most of the commits to improve the build process (now including some of the native-image options previously required) I found an additional "-package.jar" file is created that can be built with a simplified command:

native-image -jar .\cve-2021-44228-scanner-2.6.1\target\log4j2-scanner-2.6.1-package.jar

Are you able to advise whether it is appropriate to create the native image from the -package.jar file in this way? I also accept that with my limited knowledge I may be missing a simple trick that will do this all for me; or, that it may be beyond the scope of a simple FAQ.

Thank you again.

lmalmeida commented 2 years ago

Have you tried

 mvn package -Pnative

? i.e., in the root directory, use Maven to build the package, and pass -Pnative to also build the native package. You may need to set up some environment variables (GRAALVM_HOME).

xeraph commented 2 years ago

If you can build the JAR using Maven, use mvn package -Pnative.

If you just downloaded the JAR and want to build a native image using it:

sds83uk commented 2 years ago

Thank you both!

After some experimentation, since Pull Request 172 I have found that I can just:

  1. Open "x64 Native Tools Command Prompt for VS 2019"
  2. Run mvn package -Pnative

"Prerequisites for Using Native Image on Windows: Lastly, on Windows, the native-image builder will only work when it is executed from the x64 Native Tools Command Prompt." Source: https://www.graalvm.org/reference-manual/native-image/

Whilst the above is now my preferred option, I found that I could also use native-image ... -H:ReflectionConfigurationFiles=reflection-config.json to build the Windows executable against:

One thing that initially tripped me up was that when I tried to run the command mvn package -Pnative in the VS Code terminal, I encountered this error (again): Error: Default native-compiler executable 'cl.exe' not found via environment variable PATH

Unless anyone has any counter advice, I found this the first time I had problems with native-image:

"Once you've installed Visual Studio, all of your build commands should be run through the Native Tools Command Prompt. If you keep the default Start Menu shortcuts while installing Visual Studio, this will be accessible at: Start -> Visual Studio 2019 -> Tools -> x64 Native Tools Command Prompt" Source: https://stackoverflow.com/questions/64197329/cl-exe-missing-when-building-native-app-using-graalvm
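The prerequisites from the comments above, collected into a preflight check that runs before mvn package -Pnative. This is an added example, not part of the original thread or the project's build scripts. The file name preflight-native.cmd and the assumption that the native-image launcher sits in GRAALVM_HOME\bin are illustrative.

```batch
@echo off
setlocal
rem preflight-native.cmd (hypothetical name): added example, not from the thread.
rem Run it from the repository root.

rem cl.exe is only on PATH inside the x64 Native Tools Command Prompt; elsewhere
rem the build stops with "'cl.exe' not found via environment variable PATH".
where cl.exe >nul 2>&1 || goto :no_cl

rem Maven drives the build; mvn is a .cmd script, which "where" resolves via PATHEXT.
where mvn >nul 2>&1 || goto :no_mvn
if not exist pom.xml goto :no_pom

rem GRAALVM_HOME is the variable suggested in the thread. Assumption: the
rem native-image launcher sits in GRAALVM_HOME\bin (as .cmd or .exe).
if not defined GRAALVM_HOME goto :no_graalvm
if not exist "%GRAALVM_HOME%\bin\native-image.*" goto :no_native_image

echo [ OK ] Toolchain found, starting the build.
rem "call" is required so control returns here after the mvn script finishes.
call mvn package -Pnative
exit /b %errorlevel%

:no_cl
echo [FAIL] cl.exe is not on PATH. Run this from the x64 Native Tools Command Prompt.
exit /b 1

:no_mvn
echo [FAIL] mvn is not on PATH.
exit /b 1

:no_pom
echo [FAIL] pom.xml not found. Change to the repository root first.
exit /b 1

:no_graalvm
echo [FAIL] GRAALVM_HOME is not set.
exit /b 1

:no_native_image
echo [FAIL] No native-image launcher found in the bin directory under GRAALVM_HOME.
exit /b 1
```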

xeraph commented 2 years ago

@sds83uk Your logs will be helpful to many people trying to build their own image. :D