mergebase / log4j-detector

A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC

Justification for patterns #18

Closed (dminuoso closed 2 years ago)

dminuoso commented 2 years ago

Hi.

I was wondering, is there a particular reason you look for, say, core/LogEvent.class rather than log4j/com/LogEvent.class?

https://github.com/mergebase/log4j-detector/blob/master/src/main/java/com/mergebase/log4j/Log4JDetector.java#L21-L26

juliusmusseau commented 2 years ago

The log4j-core artifact typically contains LogEvent.class inside a "core" sub-directory.

Try downloading log4j-core-2.16.0.jar for yourself to see. Rename it to *.zip and then explore its contents. You should see a "LogEvent.class" file inside there inside the ".\org\apache\logging\log4j\core" sub-directories.
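The jar layout described in the answer above, checked in code. This is an added example, not part of the thread or of the project's code. It goes one step further than the manual check by also descending into nested archives. The WAR, the stand-in jar and the class bytes are constructed sample data, and `find_entries`, `make_zip` and `build_sample_war` are hypothetical names.

```python
import io
import zipfile

# Suffix from the answer above: log4j-core keeps LogEvent.class under ".../log4j/core/".
CORE_SUFFIX = "core/LogEvent.class"
ASKED_SUFFIX = "log4j/com/LogEvent.class"  # path proposed in the question, for comparison
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def find_entries(data, suffix, trail="", depth=0, max_depth=8):
    """Return 'outer!/inner' paths of entries whose name ends with suffix."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive, nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            where = f"{trail}!/{name}" if trail else name
            if name.endswith(suffix):
                hits.append(where)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                # Nested archive: scan its bytes in memory, bounded by max_depth.
                hits += find_entries(zf.read(info), suffix, where, depth + 1, max_depth)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR with a stand-in log4j-core jar one layer down."""
    core_jar = make_zip({
        "org/apache/logging/log4j/core/LogEvent.class": b"\xca\xfe\xba\xbe",  # placeholder bytes
    })
    return make_zip({
        "WEB-INF/lib/log4j-core-2.16.0.jar": core_jar,
        "WEB-INF/classes/app/Main.class": b"\xca\xfe\xba\xbe",
    })


if __name__ == "__main__":
    for suffix in (CORE_SUFFIX, ASKED_SUFFIX):
        print(suffix, find_entries(build_sample_war(), suffix))
```

The match is on the entry name only, so a hit says the class file is present at that path, not which Log4J version it belongs to.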