mergebase / log4j-detector

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
638 stars, 98 forks

2021.12.14 very slow in comparison to 2021.12.13 #17

Open Takios opened 2 years ago

Takios commented 2 years ago

Heya,

a scan with 2021.12.13 on a basic openSUSE Leap 15.2 install that has, to my knowledge, no Java applications running takes about 45 seconds whereas with 2021.12.14 it wasn't even finished after 45 minutes. Looking at the verbose output, it takes a very long time to decide to ignore a file that is not a zip.

Greetings Takios

SonamorN commented 2 years ago

@Takios

I believe the owner of the repo has updated the code to find log4j libraries outside of zip files but we need a definitive answer here.

stefan123t commented 2 years ago

I have no comparison with previous versions of log4j-detector, but I found the Syft tool to be a lot quicker. Though I do not know for sure whether that allows recursive inspection of JARs in JARs, etc.

Also the version given by log4j-detector is not the Implementation-Version: from the META-INF/MANIFEST.MF, but instead a class indication, e.g. >= 2.10.0 even though it is 2.11.0 in my case.

My timing comparison between syft and log4j-detector (2021.12.14) also hints at the x10 magnitude @Takios reported: syft 0m2,364s; log4j-detector 0m59,995s

juliusmusseau commented 2 years ago

Thank you very much for this feedback! I just pushed a new version (just now) that should hopefully be much faster.

Main speed improvement: ignore files that don't end in .zip/.jar/.war/.ear/.aar!
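
The two ideas raised in this thread, skipping files on their name before ever opening them and reporting the Implementation-Version from META-INF/MANIFEST.MF rather than a class-based ">= x.y.z" guess, are shown together in the following added example. It is illustration code written for this discussion, not log4j-detector's own source. It assumes that the presence of `org/apache/logging/log4j/core/lookup/JndiLookup.class` identifies a log4j-core jar, that log4j jars carry an Implementation-Version manifest attribute as the comment above suggests, and it builds its own constructed sample tree (a fake log4j-core jar nested inside an .ear, a large non-archive file, and a .jar that is not a zip) so it runs offline.

```python
import io
import os
import tempfile
import zipfile

# Suffixes worth opening; every other file is skipped on its name alone,
# which is the cheap pre-filter that avoids reading non-archives at all.
ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear", ".aar")
# Assumption: this class marks a log4j-core 2.x jar (it is what the
# JNDI lookup lived in; the path is an assumption, not the project's logic).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def is_archive_name(name):
    """Decide from the file name only whether the file is worth opening."""
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def parse_manifest_text(raw):
    """Parse MANIFEST.MF text into a dict, re-joining 72-byte wrapped lines.

    The JAR spec wraps long values; a continuation line starts with one
    space, so it is glued onto the previous line before splitting on ':'.
    """
    lines = []
    for line in raw.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    attrs = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def manifest_version(zf):
    """Return Implementation-Version from the jar's manifest, or None."""
    try:
        raw = zf.read(MANIFEST).decode("utf-8", "replace")
    except KeyError:
        return None
    return parse_manifest_text(raw).get("Implementation-Version")


def scan_archive(zf, label, report):
    """Record log4j-core hits in zf and recurse into archives nested in it."""
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        report["hits"].append((label, manifest_version(zf)))
    for name in names:
        if not is_archive_name(name):
            continue  # class files, resources: never decompressed here
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_archive(inner, label + "!/" + name, report)
        except zipfile.BadZipFile:
            report["unreadable"].append(label + "!/" + name)


def scan_tree(root):
    """Walk root; open only archive-named files, recurse into nested jars."""
    report = {"hits": [], "unreadable": [], "skipped": 0}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not is_archive_name(fname):
                report["skipped"] += 1  # never opened, never read
                continue
            path = os.path.join(dirpath, fname)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, label, report)
            except zipfile.BadZipFile:
                report["unreadable"].append(label)
    return report


def build_sample(root):
    """Write a constructed sample tree (not real artifacts) under root."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                              "Implementation-Version: 2.11.0\r\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("org/example/Util.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.ear"), "w") as ear:
        ear.writestr("lib/log4j-core-2.11.0.jar", core.getvalue())
        ear.writestr("lib/util.jar", plain.getvalue())
    with open(os.path.join(root, "big.log"), "wb") as f:
        f.write(b"x" * 1_000_000)  # large, but skipped on name alone
    with open(os.path.join(root, "broken.jar"), "wb") as f:
        f.write(b"not a zip")  # archive name, not a zip: reported, not fatal


def demo():
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample(root)
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

The report separates three outcomes a scanner should keep apart: real hits with the manifest version, archive-named files that could not be opened (the kind of input that turns into a crash if unhandled), and the count of files skipped without being read, which is where the 2021.12.14 run was losing its time.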

Bysoultear commented 2 years ago

Windows 10 21H2 scan C: completely

2021.12.13 -> 55min
2021.12.14 (newest) -> 3h 15min

juliusmusseau commented 2 years ago

Thanks for these timings - very helpful.

Takios commented 2 years ago

2021.12.15 breezes through again, 35 seconds for the same server. Thank you very much for this tool!

Bysoultear commented 2 years ago

(same system again) 2021.12.16 -> after 3h 45min crashed at ~60%