Documented --csv-log-path option.

logpresso · Jan 2, 2022 · 6f3e37d · 6f3e37d
1 parent 5ba8f96
commit 6f3e37d
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -3,16 +3,16 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.6.5 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.5/logpresso-log4j2-scan-2.6.5-win64.7z)
-* [log4j2-scan 2.6.5 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.5/logpresso-log4j2-scan-2.6.5-win64.zip)
+* [log4j2-scan 2.7.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-win64.7z)
+* [log4j2-scan 2.7.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.6.5 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.5/logpresso-log4j2-scan-2.6.5-linux.tar.gz)
-* [log4j2-scan 2.6.5 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.5/logpresso-log4j2-scan-2.6.5-linux-aarch64.tar.gz)
+* [log4j2-scan 2.7.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-linux.tar.gz)
+* [log4j2-scan 2.7.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-linux-aarch64.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.6.5 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.5/logpresso-log4j2-scan-2.6.5-darwin.zip)
-* [log4j2-scan 2.6.5 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.5/logpresso-log4j2-scan-2.6.5.jar)
+* [log4j2-scan 2.7.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-darwin.zip)
+* [log4j2-scan 2.7.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -22,7 +22,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.5 (2021-12-29)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.7.0 (2022-01-02)
 Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -55,13 +55,15 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 --no-symlink
         Do not detect symlink as vulnerable file.
 --exclude [path_prefix]
-        Full paths of directories whose absolute path starts with the specified value will be excluded.
+        Path prefixes of directories whose absolute path starts with the specified value will be excluded.
         Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs
 --exclude-config [config_file_path]
-        Specify exclude path list in text file. Paths should be separated by new line. Prepend # for comment.
+        Specify exclude path prefix list in text file. Paths should be separated by new line. Prepend # for comment.
 --exclude-pattern [pattern]
         Exclude specified paths of directories by pattern. Supports fragments.
         You can specify multiple --exclude-pattern [pattern] pairs (non regex)
+--exclude-file-config [config_file_path]
+        Specify exclude file path list in text file. Paths should be separated by new line. Prepend # for comment.
 --exclude-fs nfs,tmpfs
         Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs,  tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default.
 --syslog-udp [host:port]
@@ -72,6 +74,10 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
         Specify alert for vulnerable and potentially vulnerable reports.
         Specify info for vulnerable, potentially vulnerable, and mitigated reports.
         Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.
+--syslog-facility [code]
+        Default value is 16 (LOCAL0). Facility value must be in the range of 0 to 23 inclusive.
+--rfc5424
+        Follow RFC5424 The Syslog Protocol strictly.
 --report-csv
         Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]
 --report-json
@@ -82,6 +88,10 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
         Specify report output directory. Implies --report-csv.
 --no-empty-report
         Do not generate empty report.
+--csv-log-path
+        Specify csv log file path. If log file exists, log will be appended.
+--json-log-path
+        Specify json log file path. If log file exists, log will be appended.
 --old-exit-code
         Return sum of vulnerable and potentially vulnerable files as exit code.
 --debug
@@ -104,7 +114,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.6.5.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.7.0.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.

diff --git a/src/main/java/com/logpresso/scanner/Configuration.java b/src/main/java/com/logpresso/scanner/Configuration.java
@@ -132,6 +132,8 @@ public static void pringUsage() {
 		System.out.println("\tSpecify report output directory. Implies --report-csv.");
 		System.out.println("--no-empty-report");
 		System.out.println("\tDo not generate empty report.");
+		System.out.println("--csv-log-path");
+		System.out.println("\tSpecify csv log file path. If log file exists, log will be appended.");
 		System.out.println("--json-log-path");
 		System.out.println("\tSpecify json log file path. If log file exists, log will be appended.");
 		System.out.println("--old-exit-code");