Added product and cve columns to report. v2.3.6

xeraph · xeraph · commit 80a49a193a47 · 2021-12-20T03:08:49.000+09:00
diff --git a/README.md b/README.md
@@ -3,16 +3,16 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.3.5 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-win64.7z)
-* [log4j2-scan 2.3.5 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-win64.zip)
+* [log4j2-scan 2.3.6 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-win64.7z)
+* [log4j2-scan 2.3.6 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.3.5 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-linux.tar.gz)
-* [log4j2-scan 2.3.5 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-linux-aarch64.tar.gz)
+* [log4j2-scan 2.3.6 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-linux.tar.gz)
+* [log4j2-scan 2.3.6 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-linux-aarch64.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.3.5 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5-darwin.tar.gz)
-* [log4j2-scan 2.3.5 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.5/logpresso-log4j2-scan-2.3.5.jar)
+* [log4j2-scan 2.3.6 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6-darwin.tar.gz)
+* [log4j2-scan 2.3.6 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.6/logpresso-log4j2-scan-2.3.6.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -22,7 +22,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.5 (2021-12-20)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)
 Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -85,7 +85,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.3.5.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.3.6.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. Depending the Operating System:
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.3.5</version>
+	<version>2.3.6</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 
diff --git a/src/main/java/com/logpresso/scanner/Detector.java b/src/main/java/com/logpresso/scanner/Detector.java
@@ -25,7 +25,8 @@
 import com.logpresso.scanner.utils.ZipUtils;
 
 public class Detector {
-	private static final String POTENTIALLY_VULNERABLE = "N/A - potentially vulnerable";
+	private static final String POTENTIALLY_VULNERABLE = "N/A";
+
 	private static final String JNDI_LOOKUP_CLASS_PATH = "org/apache/logging/log4j/core/lookup/JndiLookup.class";
 	private static final String JNDI_LOOKUP_CLASS_SHADE_PATH = "/log4j/core/lookup/JndiLookup.class";
 	private static final String LOG4J_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties";
@@ -370,7 +371,7 @@ else if (version.startsWith("2.16.") || version.equals("2.12.2"))
 			msg += " (mitigated)";
 
 		System.out.println(msg);
-		addReport(jarFile, pathChain, version, mitigated, potential);
+		addReport(jarFile, pathChain, "Log4j 2", version, cve, mitigated, potential);
 	}
 
 	private void printDetectionForLog4j1(File jarFile, List<String> pathChain, String version, boolean mitigated) {
@@ -384,7 +385,7 @@ private void printDetectionForLog4j1(File jarFile, List<String> pathChain, Strin
 
 		System.out.println(msg);
 
-		addReport(jarFile, pathChain, version, false, true);
+		addReport(jarFile, pathChain, "Log4j 1", version, "CVE-2021-4104", false, true);
 	}
 
 	private void printDetectionForLogback(File jarFile, List<String> pathChain, String version, boolean mitigated) {
@@ -398,10 +399,11 @@ private void printDetectionForLogback(File jarFile, List<String> pathChain, Stri
 
 		System.out.println(msg);
 
-		addReport(jarFile, pathChain, version, false, true);
+		addReport(jarFile, pathChain, "Logback", version, "CVE-2021-42550", false, true);
 	}
 
-	private void addReport(File jarFile, List<String> pathChain, String version, boolean mitigated, boolean potential) {
+	private void addReport(File jarFile, List<String> pathChain, String product, String version, String cve, boolean mitigated,
+			boolean potential) {
 		List<ReportEntry> entries = fileReports.get(jarFile);
 		if (entries == null) {
 			entries = new ArrayList<ReportEntry>();
@@ -414,7 +416,7 @@ private void addReport(File jarFile, List<String> pathChain, String version, boo
 		else if (potential)
 			status = Status.POTENTIALLY_VULNERABLE;
 
-		ReportEntry entry = new ReportEntry(jarFile, StringUtils.toString(pathChain), version, status);
+		ReportEntry entry = new ReportEntry(jarFile, StringUtils.toString(pathChain), product, version, cve, status);
 		entries.add(entry);
 	}
 }
diff --git a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
@@ -15,7 +15,7 @@
 import com.logpresso.scanner.utils.ZipUtils;
 
 public class Log4j2Scanner {
-	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.5 (2021-12-20)";
+	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)";
 
 	private static final boolean isWindows = File.separatorChar == '\\';
 
diff --git a/src/main/java/com/logpresso/scanner/ReportEntry.java b/src/main/java/com/logpresso/scanner/ReportEntry.java
@@ -7,15 +7,19 @@
 public class ReportEntry {
 	private File path;
 	private String entry;
+	private String product;
 	private String version;
+	private String cve;
 	private Status status;
 	private boolean fixed;
 	private Date reportTime = new Date();
 
-	public ReportEntry(File path, String entry, String version, Status status) {
+	public ReportEntry(File path, String entry, String product, String version, String cve, Status status) {
 		this.path = path;
 		this.entry = entry;
+		this.product = product;
 		this.version = version;
+		this.cve = cve;
 		this.status = status;
 	}
 
@@ -27,10 +31,22 @@ public String getEntry() {
 		return entry;
 	}
 
+	public String getProduct() {
+		return product;
+	}
+
+	public void setProduct(String product) {
+		this.product = product;
+	}
+
 	public String getVersion() {
 		return version;
 	}
 
+	public String getCve() {
+		return cve;
+	}
+
 	public Status getStatus() {
 		return status;
 	}
@@ -49,7 +65,7 @@ public Date getReportTime() {
 
 	public String getCsvLine() {
 		SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
-		return String.format("\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"%n", path.getAbsolutePath(), entry, version, status,
-				fixed ? "FIXED" : "", df.format(reportTime));
+		return String.format("\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"%n", path.getAbsolutePath(), entry, product,
+				version, cve, status, fixed ? "FIXED" : "", df.format(reportTime));
 	}
 }
diff --git a/src/main/java/com/logpresso/scanner/ReportGenerator.java b/src/main/java/com/logpresso/scanner/ReportGenerator.java
@@ -59,7 +59,7 @@ private static File generateReportFileName(Configuration config) {
 
 	private static void writeCsvReport(Configuration config, Map<File, List<ReportEntry>> fileReports, FileOutputStream csvStream)
 			throws IOException, UnsupportedEncodingException {
-		String header = String.format("Hostname,Path,Entry,Version,Status,Fixed,Detected at%n");
+		String header = String.format("Hostname,Path,Entry,Product,Version,CVE,Status,Fixed,Detected at%n");
 		csvStream.write(header.getBytes("utf-8"));
 
 		String hostname = getHostname(config.isDebug());
