logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0
854 stars, 175 forks

incorrectly flagging embedded jar file as effected #246

Open bvallabhaneni opened 2 years ago

bvallabhaneni commented 2 years ago

The scan tool uses the following file to determine the log4j version, and in the embedded jar ant is removing this file. Is there a way not to flag 2.17.1 as affected? META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties

xeraph commented 2 years ago

@bvallabhaneni There is no way if pom.properties is not embedded. Another detection method (e.g. hash comparison) is required to implement it; however, I don't have much time right now.

xeraph commented 2 years ago

@bvallabhaneni Would you test v3.0.1 release? It can detect log4j version without pom.properties.
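The two detection strategies discussed in this thread, the pom.properties lookup that the reporter's ant build defeats and the hash comparison xeraph proposes as the fallback, can be shown in one small scanner. The following is an added example written for this page; it is not code from the logpresso scanner and does not reproduce how v3.0.1 detects the version. It walks a jar and any jars nested inside it, reads the log4j-core pom.properties where present, and otherwise hashes JndiLookup.class against a fingerprint table. The fingerprint table is empty by design (a real scanner would fill it from reference jars); the demo registers a constructed hash so the repackaged-jar scenario from the issue can be exercised offline. The version range treated as affected (2.0-beta9 up to 2.14.1, with the 2.12.2+ and 2.3.1+ backports excluded) follows the public Log4j advisory and is an assumption of the example, not something this thread states.

```python
"""Scan a jar (and jars nested inside it) for log4j-core and decide whether
CVE-2021-44228 applies. Added example; not the logpresso scanner's code."""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Optional

# Maven metadata that log4j-core ships with; a build that repackages the jar
# (the issue reports ant doing this) may strip it.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class implementing the JNDI lookup; present in log4j-core 2.x builds
# from 2.0-beta9 on unless an operator deleted it as a mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Fallback fingerprint table: sha256(JndiLookup.class) -> log4j-core version.
# Left empty here; a real scanner fills it from reference jars. demo() below
# registers one constructed entry.
KNOWN_JNDI_LOOKUP_SHA256: dict[str, str] = {}


@dataclass
class Finding:
    location: str              # e.g. "app.jar!/lib/inner.jar"
    version: Optional[str]     # None when undetermined
    method: str                # "pom.properties", "class-hash" or "none"
    affected: Optional[bool]   # None when the version is unknown


def parse_pom_properties(data: bytes) -> dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props: dict[str, str] = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def version_key(version: str) -> tuple[int, int, int]:
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    ignored; that is acceptable for the coarse range check below."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def is_affected_by_cve_2021_44228(version: str) -> bool:
    """Assumed range: log4j-core 2.0-beta9 .. 2.14.1 are affected; 2.15.0
    fixed the CVE, as did the backports 2.12.2+ (Java 7) and 2.3.1+ (Java 6)."""
    major, minor, patch = version_key(version)
    if major != 2 or (major, minor, patch) >= (2, 15, 0):
        return False
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return True


def scan_archive(archive: zipfile.ZipFile, location: str,
                 findings: list[Finding]) -> None:
    names = archive.namelist()
    if POM_PROPERTIES in names:
        version = parse_pom_properties(archive.read(POM_PROPERTIES)).get("version")
        if version:
            findings.append(Finding(location, version, "pom.properties",
                                    is_affected_by_cve_2021_44228(version)))
    elif JNDI_LOOKUP_CLASS in names:
        # Metadata is gone (the reporter's case): fall back to fingerprinting.
        digest = hashlib.sha256(archive.read(JNDI_LOOKUP_CLASS)).hexdigest()
        version = KNOWN_JNDI_LOOKUP_SHA256.get(digest)
        if version:
            findings.append(Finding(location, version, "class-hash",
                                    is_affected_by_cve_2021_44228(version)))
        else:
            # log4j-core is present but unidentifiable: flag for manual review.
            findings.append(Finding(location, None, "none", None))
    for name in names:
        if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(archive.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(nested, f"{location}!/{name}", findings)


def scan_bytes(data: bytes, location: str = "<bytes>") -> list[Finding]:
    findings: list[Finding] = []
    scan_archive(zipfile.ZipFile(io.BytesIO(data)), location, findings)
    return findings


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Constructed test archive; not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> list[Finding]:
    fake_class = b"constructed JndiLookup.class bytes standing in for 2.17.1"
    KNOWN_JNDI_LOOKUP_SHA256[hashlib.sha256(fake_class).hexdigest()] = "2.17.1"
    # Scenario from the issue: ant repackaged log4j-core 2.17.1 and dropped
    # pom.properties; only the hash fallback can identify it.
    repackaged = build_jar({JNDI_LOOKUP_CLASS: fake_class})
    # A vulnerable dependency shipped with its metadata intact, nested one level.
    old = build_jar({POM_PROPERTIES: b"version=2.14.1\nartifactId=log4j-core\n",
                     JNDI_LOOKUP_CLASS: b"constructed 2.14.1 class"})
    app = build_jar({JNDI_LOOKUP_CLASS: b"constructed unknown build",
                     "lib/log4j-core-2.14.1.jar": old,
                     "lib/repackaged.jar": repackaged})
    return scan_bytes(app, "app.jar")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The demo yields three findings: the outer jar carries a JndiLookup.class nobody can identify (version None, for manual review), the nested 2.14.1 jar is identified from pom.properties and marked affected, and the repackaged jar is identified as 2.17.1 through the hash table and not flagged, which is the outcome the reporter asked for.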