Skip to content

Commit

Permalink
Fixes #273 (#274)
Browse files Browse the repository at this point in the history
Printed versions of secure versions

"Copyright © 2021 Atruvia AG <opensource@atruvia.de>"
  • Loading branch information
ChKemper authored Feb 13, 2022
1 parent 9150b4f commit a4bb968
Show file tree
Hide file tree
Showing 3 changed files with 61 additions and 14 deletions.
14 changes: 12 additions & 2 deletions src/main/java/com/logpresso/scanner/Configuration.java
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ public class Configuration {
private boolean scanForLogback = false;
private boolean noEmptyReport = false;
private boolean oldExitCode = false;
private boolean reportSecureVersions;
private Charset zipCharset = null;

private String apiKey = null;
Expand Down Expand Up @@ -147,6 +148,8 @@ public static void pringUsage() {
System.out.println("\tSpecify csv log file path. If log file exists, log will be appended.");
System.out.println("--json-log-path");
System.out.println("\tSpecify json log file path. If log file exists, log will be appended.");
System.out.println("--reportSecureVersions");
System.out.println("\tReport also secure version in System.out and in report files.");
System.out.println("--old-exit-code");
System.out.println("\tReturn sum of vulnerable and potentially vulnerable files as exit code.");
System.out.println("--debug");
Expand Down Expand Up @@ -367,7 +370,10 @@ else if (!reportFile.isDirectory())
verifyArgument(args, i, "JSON Log path", "Specify JSON log output path.");
c.jsonLogPath = new File(args[i + 1]);
i++;
} else if (args[i].equals("--old-exit-code")) {
} else if(args[i].equals("--reportSecureVersions")) {
c.reportSecureVersions = true;
}
else if (args[i].equals("--old-exit-code")) {
c.oldExitCode = true;
} else if (args[i].equals("--api-key")) {
verifyArgument(args, i, "API key", "Specify API key of https://watch.logpresso.com.");
Expand Down Expand Up @@ -703,7 +709,11 @@ public boolean isOldExitCode() {
return oldExitCode;
}

public String getApiKey() {
public boolean isReportSecureVersions() {
return reportSecureVersions;
}

public String getApiKey() {
return apiKey;
}

Expand Down
57 changes: 45 additions & 12 deletions src/main/java/com/logpresso/scanner/Detector.java
Original file line number Diff line number Diff line change
Expand Up @@ -345,6 +345,9 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
else
result.setVulnerable();
}
else {
printSafeLog4j2(jarFile, pathChain, log4j2Version);
}
} else if (!log4j2Mitigated) {
printDetectionForLog4j2(jarFile, pathChain, POTENTIALLY_VULNERABLE, false, true);
result.setPotentiallyVulnerableLog4j2();
Expand All @@ -362,8 +365,12 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
boolean vulnerable = true;
if (log4j1Version != null) {
vulnerable = isVulnerableLog4j1(Version.parse(log4j1Version));
if (vulnerable)
if (vulnerable) {
printDetectionForLog4j1(jarFile, pathChain, log4j1Version, log4j1Mitigated);
}
else {
printSafeLog4j1(jarFile, pathChain, log4j1Version);
}
} else {
printDetectionForLog4j1(jarFile, pathChain, POTENTIALLY_VULNERABLE, log4j1Mitigated);
}
Expand All @@ -376,10 +383,10 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
}
}

boolean logbackFound = isVulnerableLogback(logbackVersion, foundJndiUtil, foundEnvUtil);
boolean vulnerableLogbackFound = isVulnerableLogback(logbackVersion, foundJndiUtil, foundEnvUtil);
boolean logbackMitigated = !foundJndiUtil;

if (logbackFound) {
if (vulnerableLogbackFound) {
if (logbackVersion != null) {
printDetectionForLogback(jarFile, pathChain, logbackVersion, logbackMitigated);
} else {
Expand Down Expand Up @@ -508,9 +515,7 @@ private boolean isVulnerableLogback(Version v) {

private void printDetectionForLog4j2(File jarFile, List<String> pathChain, String version, boolean mitigated,
boolean potential) {
String path = jarFile.getAbsolutePath();
if (pathChain != null && !pathChain.isEmpty())
path += " (" + StringUtils.toString(pathChain) + ")";
String path = getPath(jarFile, pathChain);

String msg = potential ? "[?]" : "[*]";

Expand Down Expand Up @@ -539,9 +544,7 @@ else if ((v.getMinor() == 17 && v.getPatch() == 0) || (v.getMinor() == 12 && v.g
}

private void printDetectionForLog4j1(File jarFile, List<String> pathChain, String version, boolean mitigated) {
String path = jarFile.getAbsolutePath();
if (pathChain != null && !pathChain.isEmpty())
path += " (" + StringUtils.toString(pathChain) + ")";
String path = getPath(jarFile, pathChain);

Version v = null;
if (!version.equals("N/A"))
Expand All @@ -567,9 +570,7 @@ else if (v.getPatch() == 18 && v.getPatch2() == 2)
}

private void printDetectionForLogback(File jarFile, List<String> pathChain, String version, boolean mitigated) {
String path = jarFile.getAbsolutePath();
if (pathChain != null && !pathChain.isEmpty())
path += " (" + StringUtils.toString(pathChain) + ")";
String path = getPath(jarFile, pathChain);

String msg = "[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in " + path + ", logback " + version;
if (mitigated)
Expand All @@ -580,6 +581,29 @@ private void printDetectionForLogback(File jarFile, List<String> pathChain, Stri
addReport(jarFile, pathChain, "Logback", version, "CVE-2021-42550", mitigated, true);
}

private void printSafeLog4j1(File jarFile, List<String> pathChain, String version) {
if(config.isReportSecureVersions()) {
String path = getPath(jarFile, pathChain);
System.out.println("[-] Found safe version of 'Log4j 1' in " + path);
addSafeReport(jarFile, pathChain, "Log4j 1", version);
}
}

private void printSafeLog4j2(File jarFile, List<String> pathChain, String version) {
if(config.isReportSecureVersions()) {
String path = getPath(jarFile, pathChain);
System.out.println("[-] Found safe version of 'Log4j 2' in " + path);
addSafeReport(jarFile, pathChain, "Log4j 2", version);
}
}

private String getPath(File jarFile, List<String> pathChain) {
String path = jarFile.getAbsolutePath();
if (pathChain != null && !pathChain.isEmpty())
path += " (" + StringUtils.toString(pathChain) + ")";
return path;
}

public void addErrorReport(File jarFile, String error) {
errorCount++;

Expand Down Expand Up @@ -635,4 +659,13 @@ private void reportError(File jarFile, String msg) {
addErrorReport(jarFile, msg);
}

private void addSafeReport(File jarFile, List<String> pathChain, String product, String version) {
List<ReportEntry> entries = fileReports.get(jarFile);
if (entries == null) {
entries = new ArrayList<ReportEntry>();
fileReports.put(jarFile, entries);
}
ReportEntry entry = new ReportEntry(jarFile, StringUtils.toString(pathChain), product, version);
entries.add(entry);
}
}
4 changes: 4 additions & 0 deletions src/main/java/com/logpresso/scanner/ReportEntry.java
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@ public ReportEntry(File path, String error) {
this.error = error;
}

public ReportEntry(File path, String entry, String product, String version) {
this(path, entry, product, version, null, Status.NOT_VULNERABLE);
}

public ReportEntry(File path, String entry, String product, String version, String cve, Status status) {
this.path = path;
this.entry = entry;
Expand Down

0 comments on commit a4bb968

Please sign in to comment.