logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Option --silent not working properly, or at least needs more options/levels #248

Closed MaXGitteR closed 2 years ago

MaXGitteR commented 2 years ago

When using option "--silent", only lines like "Running scan (30s): scanned 5714 directories, 62725 files, last visit: /oracle/..." get filtered.

But lines like:

And also the result looks the same: "Scanned 11646 directories and 248570 files Found 1 vulnerable files Found 0 potentially vulnerable files Found 0 mitigated files Completed in 44.00 seconds (time: 44038 ms) "

So when using silent I only want the result like this:

Maybe there should be levels of option silent. --silent 1 --silent 2 --silent 3 ...

xeraph commented 2 years ago

@MaXGitteR This is by design. You can use log4j2-scan .. | grep Found for your needs.

MaXGitteR commented 2 years ago

Hello xeraph, thank you for the hint with grep. This maybe could be a workaround for my needs.

But please check the description of silent: "--silent Do not print anything until scan is completed." This is not true, it prints a lot during the scan.

lines like:

and at the end

I believe the description is incorrect, as silent only suppresses lines like "Running scan...".

But I believe the option actually had a different goal; as mentioned, this should be used to set what is output. Maybe silent is not the correct option for setting the output level, but then there should be another option for the output level.

Regards

xeraph commented 2 years ago

@MaXGitteR Yes, you are right. I will fix the description in the next release.

MaXGitteR commented 2 years ago

Hello xeraph,

We tried now with grep on Linux (| grep "Found CVE") and it is working, but the problem is that we now get the return code of grep, and this is no error. So in our monitoring we now have no errors/findings any more ... On Windows we have another error with (| findstr /c:"Found CVE"): it has problems with pathnames, but only when executed remotely. When executing directly in cmd on the server it is also working like on Linux. So I think we can fix the path problem, but then we have the same problem with the return code.

So would it be possible for you to add an option for filtering/selecting what should be returned/the output? We would like to have an output with only the "Found CVE" lines.

Regards
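The return-code problem described above is a general shell pipeline property: the exit status of `cmd | grep` is grep's, not cmd's, so a scanner that signals findings through its exit code is silenced by the filter. The following is an added example, not code from the logpresso project: a POSIX sh wrapper that keeps only the "Found CVE" lines while returning the scanner's own status. The `fake_scan` function is a constructed stand-in for log4j2-scan (its output lines and its exit code of 2 are assumptions, not the real tool's behaviour); the pattern default and the function names are also this example's own.

```shell
#!/bin/sh
# Added example (not part of the logpresso scanner): filter scanner output
# without losing the scanner's exit status.

# Constructed stand-in for the real scanner. The "Found CVE" line format and
# the non-zero exit status (2 = findings) are assumptions for this example.
fake_scan() {
    printf '%s\n' "Running scan (30s): scanned 5714 directories, 62725 files"
    printf '%s\n' "Found CVE-2021-44228 vulnerability in /constructed/path/log4j-core.jar"
    printf '%s\n' "Scanned 11646 directories and 248570 files"
    printf '%s\n' "Found 1 vulnerable files"
    return 2
}

# filtered_scan CMD [PATTERN]
# Runs CMD, prints only lines matching PATTERN (default "Found CVE"), and
# exits with CMD's status. A plain `CMD | grep PATTERN` would instead return
# grep's status, which hides the scanner's result from a monitoring system.
filtered_scan() {
    _cmd=$1
    _pattern=${2:-"Found CVE"}
    _tmp=$(mktemp) || return 1
    # Capture both stdout and stderr so the filter sees every line.
    "$_cmd" > "$_tmp" 2>&1
    _status=$?
    grep -- "$_pattern" "$_tmp"
    rm -f "$_tmp"
    return "$_status"
}

# Usage: filtered_scan fake_scan   (replace fake_scan with the real scanner command)
```

In bash, `set -o pipefail` or `${PIPESTATUS[0]}` gives the same effect without a temporary file, but the temp-file form above is portable to plain sh and to the cron and monitoring wrappers where this usually runs.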

xeraph commented 2 years ago

@MaXGitteR For monitoring purposes, I suggest using --report-json and reading the generated report file. It is structured, human-readable, and machine-readable.

xeraph commented 2 years ago

> But please check the description of silent: "--silent Do not print anything until scan is completed." This is not true, it prints a lot during the scan.

Description is fixed in https://github.com/logpresso/CVE-2021-44228-Scanner/commit/e6e6b03f88a5b003569a316648a33e78f4363fa1#diff-b3ed177bd937a3421fda5fd328a11ed190ab2eb7253c9dd3fd6061b3424c06b3R149

Closed.