mergebase / log4j-detector

A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC

Can we have an option to exclude a path? #52

Closed donmontalvo closed 2 years ago

donmontalvo commented 2 years ago

Seems like /System/Volumes/Data is not needed?

Apologies for the blob, might bring it in to a text editor to see what I mean.

```
$ tail -f /Library/Application\ Support/Vanguard/SearchResults/log4j-detector/log4j-detector.txt
-- github.com/mergebase/log4j-detector v2021.12.17 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionTool.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionToolBatch.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Tableau Desktop 2021.2.app/Contents/Resources/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Tableau Desktop 2021.2.app/Contents/Resources/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Tableau Prep Builder 2021.2.app/Contents/lib/tableau-prep-cli.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/loom-rest-api-1.0-SNAPSHOT.jar!/BOOT-INF/lib/log4j-core-2.13.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/Library/Application Support/JAMF/Composer/Sources/Xcode/ROOT/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionTool.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionToolBatch.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Tableau Desktop 2021.2.app/Contents/Resources/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Tableau Desktop 2021.2.app/Contents/Resources/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/lib/tableau-prep-cli.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/loom-rest-api-1.0-SNAPSHOT.jar!/BOOT-INF/lib/log4j-core-2.13.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/System/Volumes/Data/Library/Application Support/JAMF/Composer/Sources/Xcode/ROOT/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
```

bufemc commented 2 years ago

I'd like to support this truly great idea, as I also run into the problem that I would like to scan everything except one path (here: /mnt - leads to out of memory, and increasing the heap size does not help ATM).

zhurkin commented 2 years ago

> I'd like to support this truly great idea, as I also run into the problem that I would like to scan everything except one path (here: /mnt - leads to out of memory, and increasing the heap size does not help ATM).

while there were options for launching via the find:

```
find / -regextype posix-egrep -regex ".*\.(jar|war)$" ! -path "/data/*" ! -path "/mnt/*" -print -exec java -jar /usr/local/bin/log4j-detector-2021.12.14.jar {} \;
```

I myself would like to see this as an option.

beckerr-rzht commented 2 years ago

Using find ... -exec java ... means that a new java process must be started for each file. This is very inefficient. A better solution can be found here #43 and here #42.

juliusmusseau commented 2 years ago

New "--exclude=X" flag added in v2021.12.20.

(Note: X must be a valid JSON list. I know JSON can be a bit awkward to type on the terminal with all the backslashing, but I needed to be sure the supplied exclude paths could be extracted precisely, commas and spaces and all).
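One way to build the JSON list for `--exclude` without hand-typing the backslashes, as an added example that is not part of the original thread or the project's code. The helper names `json_list` and `run_scan`, the `DETECTOR_JAR` placeholder path, the sample paths, and placing the flag before the scan root are assumptions.

```shell
#!/bin/sh
# Placeholder location of the detector jar (assumption; adjust to your install).
DETECTOR_JAR=${DETECTOR_JAR:-/path/to/log4j-detector.jar}

# json_list PATH... : print the paths as a JSON array of strings.
# Backslashes and double quotes are escaped; spaces and commas need no
# escaping inside a JSON string. Paths containing control characters are
# rejected instead of being encoded, so the list never silently changes.
json_list() {
    out='['
    sep=''
    for p in "$@"; do
        case "$p" in
            *[[:cntrl:]]*)
                echo "json_list: control character in path, refusing" >&2
                return 1 ;;
        esac
        # Escape backslashes first, then double quotes.
        esc=$(printf '%s' "$p" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
        out="$out$sep\"$esc\""
        sep=','
    done
    printf '%s]\n' "$out"
}

# run_scan ROOT EXCLUDED_PATH... : scan ROOT, skipping the excluded paths.
# The whole flag is passed as ONE quoted argument, so the shell never
# splits the list on the spaces or commas inside a path.
run_scan() {
    root=$1
    shift
    excl=$(json_list "$@") || return 1
    java -jar "$DETECTOR_JAR" "--exclude=$excl" "$root"
}

# Constructed sample paths: the two from this thread plus one containing
# a comma and spaces. Prints the argument the detector would receive.
printf '%s\n' "--exclude=$(json_list /mnt /System/Volumes/Data '/data/old, unused jars')"
```

To run a real scan with the same exclusions, call `run_scan / /mnt /System/Volumes/Data` after setting `DETECTOR_JAR` to a v2021.12.20 or later jar.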

donmontalvo commented 2 years ago

blush