Additional output of secure log4j Versions

[OrbbQ3]

Hi,

the current implementation does not output secure log4j versions (for example 2.17.1) to the output files (for example csv) and to the console. After investigation in the code, it seems, there are these code fragments in file Detector.java, that prevent this:

...
if (isVulnerableLog4j2(Version.parse(log4j2Version))) {
					printDetectionForLog4j2(jarFile, pathChain, log4j2Version, log4j2Mitigated, false);

...
vulnerable = isVulnerableLog4j1(Version.parse(log4j1Version));
					if (vulnerable)
						printDetectionForLog4j1(jarFile, pathChain, log4j1Version, log4j1Mitigated);
...

Is it possible to ouput this versions as not vulnerable too (for example with a additional command line switch)?

Background:
Output of not vulnerable versions is needed for build up a history in splunk.

Thank you

[xeraph]

@OrbbQ3 Would you test v3.0.1 release? You can use --report-patch option.

[OrbbQ3]

@ChKemper and @xeraph: first thank you for the implementation. I will test it tomorrow in my test environment and give you the result.

[OrbbQ3]

I tested the new version and get following result:

• Safe versions are reported to the console
• but not to the output files (here csv)

Scanner was startet with following arguments:
log4j2-scan.exe --scan-log4j1 --scan-logback --report-patch --scan-zip --all-drives --silent --csv-log-path "C:\log4j.csv"

For example put the file log4j-core-2.17.1.jar from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip to C:\ and you get the described behaviour.

Can you please take a look into this again?

Thank you

[thl-cmk]

@xeraph I Like this option. It would be nice to have also an additional summary line like Found 3 safe files, and yes if this information will show up in all the reports/logs this would be perfect :-)

OMD[build]:~$ local/share/check_mk/agents/plugins/log4j2-scan.linux --report-patch --scan-zip /home/thl/apache-log4j-2.17.1-bin.zip 
Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13)
Scanning directory by user 'build': /home/thl/apache-log4j-2.17.1-bin.zip (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /proc/sys/fs/binfmt_misc, /opt/omd/sites/build/tmp, /run/user/999, /run/user/1000)
[-] Found safe log4j 2.17.1 version in /home/thl/apache-log4j-2.17.1-bin.zip (apache-log4j-2.17.1-bin/log4j-core-2.17.1.jar)
[-] Found safe log4j 2.17.1 version in /home/thl/apache-log4j-2.17.1-bin.zip (apache-log4j-2.17.1-bin/log4j-core-2.17.1-sources.jar)
[-] Found safe log4j 2.17.1 version in /home/thl/apache-log4j-2.17.1-bin.zip (apache-log4j-2.17.1-bin/log4j-core-2.17.1-tests.jar)

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
**Found 3 safe files**
Completed in 0.72 seconds

[ChKemper]

Hi @OrbbQ3,

I tested with the files provided at src/test/resources. The patched versions are also shown in the JSON

{ "path": "/.../src/test/resources/log4j2-ok/log4j-core-2.17.1.jar", "status": "NOT_VULNERABLE", "reports": [ { "entry": "", "product": "Log4j 2", "version": "2.17.1", "cve": null, "status": "NOT_VULNERABLE", "fixed": false, "detected_at": "2022-02-14 11:52:21+0100" } ] },

and CSV:
"<hostname>","/.../src/test/resources/log4j2-ok/log4j-core-2.17.1.jar","","Log4j 2","2.17.1","null","NOT_VULNERABLE","","2022-02-14 11:55:03"

I tested with parameters --scan-zip --report-csv --report-json --report-patch src/test/resources
It seems that the reports are not written if you specify a --csv-log-path...

[OrbbQ3]

Hi @ChKemper,

yes, you have right, it works with following call:
log4j2-scan.exe --scan-log4j1 --scan-logback --report-patch --scan-zip --all-drives --silent --report-csv --report-path "C:\log4j.csv"

The only thing, that i have to comment is, that the cve number in report is null. In my opinion this should be an empty string.

The run with the argument --csv-log-path does not work, because this output is done with the methods

• printDetectionForLog4j2()
• printDetectionForLog4j1()
  If this should be work too, methods printSafeLog4j2() and printSafeLog4j1() should be merged in the above corresponding methods.

@xeraph: In my opinion, working of this commandline switches should be synced or the switches --csv-log-path (and --json-log-path) should be marked as obsolete.

Thank you

[ChKemper]

Hi @OrbbQ3,

I've done a short fix for this: #278