mergebase / log4j-detector

A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC

version 2021.12.20 not redirecting output anymore (in Windows) #65

Open Haeckli opened 2 years ago

Haeckli commented 2 years ago

It seems like the latest version (2021.12.20) does not redirect the output anymore. Instead, all output goes to the screen and the output file has 0 bytes length.... Did I miss anything? (it works as expected in vers: 2021.12.17)

See sample screen output below:

C:\log4j>java -jar log4j-detector-2021.12.20.jar c:\log4j\Test > test.txt
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [c:\log4j\Test]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 ! :-)

C:\log4j>dir
21.12.2021 15:12 .
21.12.2021 15:12 ..
20.12.2021 12:11 59.642 log4j-detector-2021.12.20.jar
21.12.2021 15:04 Test
21.12.2021 15:12 0 test.txt
6 Datei(en), 113.731 Bytes <<<<<<<

juliusmusseau commented 2 years ago

Yes, the tool now prints zero bytes to STDOUT if no bad log4j versions are found. And exits with exit-code zero (success).

You can use "--json" mode if you'd like to see output in this "no vulns found" case:

$ java -jar log4j-detector-2021.12.20.jar --json /tmp > hits.json

$ cat hits.json
{"hits":[
{"_THE_END_":true}]}