search

logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0
854 stars 175 forks source link

Exitcodes? #82

Closed tp111 closed 2 years ago

tp111 commented 2 years ago

Are there any exit codes?

I'm trying to run the tool via SCCM package and save the log-file in a UNC path. Everything looks fine and the log-file gets created exept that I get an error, exitcode 6. Is that from the tool and if so, can I get the exit codes with description?

tp111 commented 2 years ago

Are there any exit codes?

I'm trying to run the tool via SCCM package and save the log-file in a UNC path. Everything looks fine and the log-file gets created exept that I get an error, exitcode 6. Is that from the tool and if so, can I get the exit codes with description?

If the code is from the tool I would like a possibillity to supress all exitcodes exept 0 or force exitcode to be 0.

MrPippin66 commented 2 years ago

Current exit codes in the scanner via the source are:

public static void main(String[] args) { try { Log4j2Scanner scanner = new Log4j2Scanner(); scanner.run(args); System.exit(scanner.vulnerableFileCount + scanner.potentiallyVulnerableFileCount); } catch (Throwable t) { System.out.println("Error: " + t.getMessage()); System.exit(-1); } }

So...essentially, if there are no unrecoverable errors, the exit code is the number of vulnerable and potentially vulnerable files.

If there is an unrecoverable error, it's -1.

There's no option to suppress this in the current code.

tp111 commented 2 years ago

Current exit codes in the scanner via the source are:

public static void main(String[] args) { try { Log4j2Scanner scanner = new Log4j2Scanner(); scanner.run(args); System.exit(scanner.vulnerableFileCount + scanner.potentiallyVulnerableFileCount); } catch (Throwable t) { System.out.println("Error: " + t.getMessage()); System.exit(-1); } }

So...essentially, if there are no unrecoverable errors, the exit code is the number of vulnerable and potentially vulnerable files.

If there is an unrecoverable error, it's -1.

There's no option to suppress this in the current code.

Thanks for the info. It would be great if there was a parameter to supress thoes exit codes.

tp111 commented 2 years ago

Current exit codes in the scanner via the source are: public static void main(String[] args) { try { Log4j2Scanner scanner = new Log4j2Scanner(); scanner.run(args); System.exit(scanner.vulnerableFileCount + scanner.potentiallyVulnerableFileCount); } catch (Throwable t) { System.out.println("Error: " + t.getMessage()); System.exit(-1); } } So...essentially, if there are no unrecoverable errors, the exit code is the number of vulnerable and potentially vulnerable files. If there is an unrecoverable error, it's -1. There's no option to suppress this in the current code.

Thanks for the info. It would be great if there was a parameter to supress thoes exit codes.

Just don't remove them totaly because they are very helpfull normaly. Even mot now when I know what thay mean :)

adammike commented 2 years ago

I think it could be useful if you did something like:

rc = -1: Houston, we have a problem rc = 0: Good scan, no vulns found rc = 1: Good scan, vulns found rc = 2: Good scan, but encountered unreadable file (permission denied, etc) errors

I don't think the RC needs the actual number of findings, if you're trying to get that programmatically you can awk the output, parse the CSV, or maybe we add a --json option that outputs structured data rather than plain text.

romestylez commented 2 years ago

@xeraph could we get this exit codes ?

Very often the cmd closes but when i check our automation log i see something like error 3 or other codes. I dont know if the scan was run over all files/folders.

Would be very great !

xeraph commented 2 years ago

It may break existing tools, so I need to add another option for new exit code.

I will add new option in the next release.

jlellis commented 2 years ago

You might also want to add rc=3 for vuln found AND permissions issues encountered. Right now rc=2 hides rc=1.

nedjitef commented 2 years ago

I already had to write a wrapper for our mkp packages, so check_mk cached plugin output isn't discard after execution. Yes, we use our own because of bakery support and we can't see, how to get the native executable small enough for exchange.checkmk.com

Please don't make it more complicated than necessary. It all should be fine for automation with #106

romestylez commented 2 years ago

I already had to write a wrapper for our mkp packages, so check_mk cached plugin output isn't discard after execution. Yes, we use our own because of bakery support and we can't see, how to get the native executable small enough for exchange.checkmk.com

Please don't make it more complicated than necessary. It all should be fine for automation with #106

When you cant be sure if the scan really scanned everything its not fine for automation.

nedjitef commented 2 years ago

There's a lot of cases you can't catch in this case. Please put that information into the output in another form.

adammike commented 2 years ago

In my opinion, If the scan ran but encountered permissions problems, that's all that matters. The scan can't be valid/trusted regardless of any other information.

The fact that it found stuff and ran into permissions problems is extraneous.

The four exit codes I spelled out were four paths that I need to explore with automation

1) The scanner is flat-out broken. 🚫 2) The scanner worked, and my box is clean. 👍 3) The scanner worked, and I have stuff to fix. 👎 4) The scanner worked, but can't access everything ⚠️

The difference between scenario 1 and scenario 4 is who gets the escalation. The security team (to fix the scanner) or the system owner (to run the scanner with appropriate permissions, for example).