mergebase / log4j-detector

A public open-source tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc.) on your file-system within any application. It is able to find even Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Weird new File("blah") in nextByte #86

Open Kretikus opened 2 years ago

Kretikus commented 2 years ago

After 1 minute of code review, I found this weird line.

Does nobody look at the code before using it (with admin privileges)?

rgmz commented 2 years ago

After 1 minute of code review, I found this weird line.

Does nobody look at the code before using it (with admin privileges)?

I noticed that as well. It appears to be a harmless remnant of testing/debugging code that wasn't cleaned up. https://github.com/mergebase/log4j-detector/blob/8cb0604a2bcdcc29daf05a23ec4254112bece746/src/main/java/com/mergebase/log4j/Log4JDetector.java#L207-L214

There are other examples of code — for example, Strings.java — which seem 'strange', but make sense when you consider that this project was developed in a hurry and doesn't have any third-party dependencies.

Kretikus commented 2 years ago

There are several companies which use this tool to scan all computers of all employees. So my comment was not a criticism of the original authors, but more a call-out to all the users of this software to do their own code review before using it! A code contribution would be better, but I am not in charge of using this software on a corporate level.

tweimer commented 2 years ago

Actually, I made a pull request for that in #77 already.