Output fixing / adjustment #78
Comments
It should be possible. Can you share the regex you're using? |
|
Hello rgmz, thank you for your prompt answer and a happy new year! To get different status regarding (POTENTIALLY)_SAFE I use following regex:
It is working for the most use cases, but because of using But its important that scanner does not report any longer "SAFE" for log4j archives with removed JndiLookup.class, because of CVE-2021-45105 and CVE-2021-44832 which cant mitigated with removing JndiLookup.class. |
Current output for log4j 2.x findings without JndiLookup.class is:
_POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)_I think_POTENTIALLY_SAFE_is not correct any longer because log4j 2.x without JndiLookup.class is only_POTENTIALLY_OKAY_, because with removing JndiLookup.class you cant mitigate any CVE found after 2.15 version.Current (log4j-detector-2021.12.29.jar) output for findings regarding log4j-core-2.15.0.jar without JndiLookup.class:
_log4j-core-2.15.0.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)_So its not correct any longer (since log4j 2.16 has been released).
There is another issue, its not really good to use status
_OKAY_and another status named_POTENTIALLY_OKAY_because these are two different status but you cant differ/extract (via regex) simply these two status.For automatic evaluations it would be better to have two completely different status like:
_OKAY_and_POTENTIALLYOKAY_or_POTENTIALLY-OKAY_We use log4j-detector engine with an ansible playbook (execution) => elasticsearch (result storage) => grafana (result visualization/reporting).
Thank you for providing such a professional scanner!
The text was updated successfully, but these errors were encountered: