logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Can not exclude specific files (only paths/directories is working) #223

Open thl-cmk opened 2 years ago

thl-cmk commented 2 years ago

Hi,

I need to exclude specific files (not paths/directories) from the scan. So far I have tried the --exclude and --exclude-config options, but no success.

PS C:\> & .\log4j2-scan --exclude "C:\Program Files (x86)\checkmk\service\install\python-3.8.zip" --scan-logback --scan-log4j1 --scan-zip --silent c:\
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.5 (2021-12-29)
Scanning directory: c:\ (without C:\PROGRAM FILES (X86)\CHECKMK\SERVICE\INSTALL\PYTHON-3.8.ZIP)
Skipping broken jar file c:\Program Files (x86)\checkmk\service\install\python-3.8.zip ('zip END header not found')

and with the --exclude-config option

PS C:\> & .\log4j2-scan --scan-logback --scan-log4j1 --scan-zip --silent --exclude-config .\exclude.cfg c:\
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.5 (2021-12-29)
Scanning directory: c:\ (without C:\PROGRAM FILES (X86)\CHECKMK\SERVICE\INSTALL\PYTHON-3.8.ZIP)
Skipping broken jar file c:\Program Files (x86)\checkmk\service\install\python-3.8.zip ('zip END header not found')

In both cases the scanner shows the file as excluded but still tries to scan it.

xeraph commented 2 years ago

@thl-cmk You are right. The current version only excludes directories, for maximum scan speed. If the scanner tried to exclude files as well, it would have to match all files (millions of..) and performance would be severely degraded. If you want to scan specific files, compose log4j2-scan with the find command.

thl-cmk commented 2 years ago

I see.

If you want to scan specific files: I want exactly the opposite, scan all files except a few...

xeraph commented 2 years ago

Maybe another option should be added for that.. Exact full path match is relatively cheap (can use hash code), but current option uses prefix match for directory matching.. (comparison count = exclude pattern count x file count)

thl-cmk commented 2 years ago

> Exact full path match is relatively cheap

would be great to have this, so I could exclude known errors (broken zip for any reason for example)

mrl-siemens commented 2 years ago

This discussion confirms that --exclude-pattern is completely non-functional for files and will continue to be. Please update the help output to clarify that the pattern only applies to directory names, not file names.

xeraph commented 2 years ago

@mrl-siemens Send me a Pull Request. I think it already states directory like this:

--exclude [path_prefix]
        Full paths of ***directories*** whose absolute path starts with the specified value will be excluded.
        Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs

--exclude-pattern [pattern]
        Exclude specified paths of ***directories*** by pattern. Supports fragments.
        You can specify multiple --exclude-pattern [pattern] pairs (non regex)

mrl-siemens commented 2 years ago

Greetings,

Similar language for the --exclude-filter option would be great.

Sorry, I have no experience with GitHub. What is a PR?

Thanks, Mark

> From: Yang, BongYeol (xeraph) @.> Sent: Thursday, December 30, 2021 11:20 AM To: logpresso/CVE-2021-44228-Scanner @.> Cc: Ludwig, Mark (DI SW LCS APPS TC-ENT) @.>; Mention @.> Subject: Re: [logpresso/CVE-2021-44228-Scanner] Can not exclude specific files (only paths/directories is working) (Issue #223)
>
> @mrl-siemens Send me PR. I think it already states directory like this:
>
> --exclude [path_prefix]
>     Full paths of ***directories*** whose absolute path starts with the specified value will be excluded.
>     Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs


xeraph commented 2 years ago

@thl-cmk @mrl-siemens Would you test v2.7.0 release? You can use --exclude-file-config option to specify exclude file path list.

thl-cmk commented 2 years ago

@xeraph just tested. Windows looks good. Linux doesn't work :-(

the config file

thl-cmk@checkmk:~$ sudo cat /etc/check_mk/cve_2021_44228_log4j_exclude_files.cfg
# Specify file list. Files should be separated by new line. Prepend # for comment.
/home/thl-cmk/.cache/JetBrains/PyCharmCE2020.3/plugins/ideolog.zip
/home/thl-cmk/.cache/JetBrains/PyCharmCE2021.1/plugins/PowerShell.zip

the output from the scanner

thl-cmk@checkmk:~$ sudo /usr/lib/check_mk_agent/bin/log4j2-scan --exclude /mnt --exclude-file-config /etc/check_mk/cve_2021_44228_log4j_exclude_files.cfg --scan-logback --scan-log4j1 --scan-zip --no-symlink --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.7.1 (2022-01-02)
Scanning directory: / (without /mnt, /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /proc/sys/fs/binfmt_misc, /run/user/1000, /mnt/build, /mnt/cmk16nb)
Skipping broken jar file /home/thl-cmk/.cache/JetBrains/PyCharmCE2020.3/plugins/ideolog.zip ('Unexpected record signature: 0X1614')
Skipping broken jar file /home/thl-cmk/.cache/JetBrains/PyCharmCE2021.1/plugins/PowerShell.zip ('Unexpected record signature: 0X1754')
[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in /usr/bin/pycharm/pycharm-community-2021.1.3/lib/log4j.jar, log4j 1.2.17.2 (mitigated)

Scanned 36078 directories and 297538 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 33.60 seconds

as you can see the excluded files are not excluded.
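To make the trade-off from xeraph's earlier comment concrete (directory exclusion by path prefix, which costs one comparison per pattern per directory, versus file exclusion by exact full path, which is a single hash lookup per file), and to show how a file list in the format of the --exclude-file-config file above can be consumed, here is an added example in Python. It is not the scanner's own code (log4j2-scan is a Java tool); the directory tree, the file names and the config contents are constructed for the demo, and the function names are my own. It also reproduces the behaviour reported at the top of the thread: handing a file path to the directory-prefix exclusion does not skip that file, while listing it by exact path does.

```python
"""Added example, not log4j2-scan code: prefix-based directory exclusion versus
exact-path file exclusion, plus a parser for a '# comment / one path per line' file."""
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample in the --exclude-file-config format shown in the thread.
SAMPLE_EXCLUDE_CONFIG = """\
# Specify file list. Files should be separated by new line. Prepend # for comment.
{root}/Program Files (x86)/checkmk/service/install/python-3.8.zip

{root}/home/user/.cache/plugins/ideolog.zip
"""


def normalize(path):
    """Absolute path, case-folded where the OS is case-insensitive (Windows)."""
    return os.path.normcase(os.path.abspath(str(path)))


def parse_exclude_file_config(text):
    """Return the set of normalised file paths listed in an exclude-file config;
    blank lines and lines starting with '#' are ignored."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        paths.add(normalize(line))
    return paths


def build_sample_tree():
    """Create a small constructed tree under a temp directory; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="exclude-demo-"))
    for rel in (
        "Program Files (x86)/checkmk/service/install/python-3.8.zip",
        "Program Files (x86)/checkmk/service/install/agent.jar",
        "home/user/.cache/plugins/ideolog.zip",
        "home/user/app/log4j-core.jar",
        "mnt/build/lib/log4j-core.jar",
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"stub")  # placeholder bytes, not a real archive
    return root


def scan(root, exclude_dir_prefixes=(), exclude_files=()):
    """Walk root. Directories are excluded by prefix match (the --exclude style),
    files by exact-path hash lookup (the --exclude-file-config style).
    Returns (sorted list of files that would be scanned, prefix comparisons made)."""
    prefixes = [normalize(d).rstrip(os.sep) + os.sep for d in exclude_dir_prefixes]
    excluded = {normalize(f) for f in exclude_files}
    scanned, comparisons = [], 0
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            full = normalize(os.path.join(dirpath, d)) + os.sep
            hit = False
            for pre in prefixes:          # cost: len(prefixes) per directory seen
                comparisons += 1
                if full.startswith(pre):
                    hit = True
            if not hit:
                keep.append(d)
        dirnames[:] = keep                # prune: excluded subtrees are never entered
        for f in filenames:
            full = normalize(os.path.join(dirpath, f))
            if full in excluded:          # one set lookup per file, independent of list size
                continue
            scanned.append(full)
    return sorted(scanned), comparisons


def demo():
    """Run both exclusion styles over the constructed tree and report the outcome."""
    root = build_sample_tree()
    try:
        zip_path = root / "Program Files (x86)/checkmk/service/install/python-3.8.zip"
        # 1. A file path given as a directory prefix does not exclude the file itself.
        files, _ = scan(root, exclude_dir_prefixes=[zip_path])
        still_scanned = normalize(zip_path) in files
        # 2. The exact-path list skips both listed files; pruning /mnt skips its subtree.
        excl = parse_exclude_file_config(SAMPLE_EXCLUDE_CONFIG.format(root=root))
        files2, comps = scan(root, exclude_dir_prefixes=[root / "mnt"], exclude_files=excl)
        return {
            "file_still_scanned_via_prefix": still_scanned,
            "scanned_after_exact_exclude": sorted(Path(f).name for f in files2),
            "prefix_comparisons": comps,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows python-3.8.zip still being scanned when it is passed as a prefix, and only agent.jar and log4j-core.jar (the one under home, since mnt was pruned) remaining once the exact-path list is applied. The comparison counter only grows with the number of directories times the number of prefixes, which is the cost xeraph describes, while the per-file cost stays constant.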

thl-cmk commented 2 years ago

@xeraph I did a little more digging on the Linux issue with the --exclude-file-config option. Looks like it is working for zip files that get skipped because of ('zip END header not found') but not for files skipped because of ('Unexpected record signature: 0X1614') for example or ('unsupported feature encryption used in entry settings').

Hope this will help to get this option fixed ;-)