Log4j Sniffer Versions

A tool that scans archives to check for vulnerable log4j versions

v1.9.0

2 years ago
Improvement: Support disabling deletion of certain CVEs.

The --disable-cve-2021-45105-detection and --disable-cve-2021-44832-detection flags have been added to the delete command to allow deleting only the findings that map to certain CVEs. Some vulnerable files contain multiple CVEs, so it is advised that the desired combination of --disable-cve-* flags be found by running with --dry-run=true (the default value) first.
Link: https://github.com/palantir/log4j-sniffer/pull/100

Improvement: Some optimisations have been made which should reduce the resource overhead required when inspecting zip files, such as .jars, .wars, .pars, etc.
Link: https://github.com/palantir/log4j-sniffer/pull/94

Fix: A small bug has been fixed where, when using --filepath-owner, only the directory of a file path was passed for pattern matching rather than the whole path.
Link: https://github.com/palantir/log4j-sniffer/pull/97

Feature: Inspecting large nested archives without a large memory impact can now be enabled by setting --nested-archive-disk-swap-max-size to a positive, non-zero value.

When a nested zip file above --nested-archive-max-size is encountered, the archive is written out temporarily to disk so that it can be inspected. The location that temporary files are written to can be configured using --nested-archive-disk-swap-dir, which is set to /tmp by default.
Link: https://github.com/palantir/log4j-sniffer/pull/98

v1.8.0

2 years ago
Feature: A subcommand, log4j-sniffer delete, has been added that crawls the filesystem for vulnerable log4j versions and can delete them based on configuration supplied by flags.

The tuning flags configure deletion based on file ownership (on Unix-like systems) and on the type of findings found within a file.

Please run log4j-sniffer delete -h for detailed documentation.
Link: https://github.com/palantir/log4j-sniffer/pull/93

v1.7.0

2 years ago
Improvement: When not using --file-path-only, the output behaviour has been modified as follows.

Each finding is now reported individually, rather than reporting an aggregation of all findings with only the top-level file on disk.

For example, a vulnerable jar nested inside an archive will now be reported with its own vulnerability findings, rather than reporting on the archive with an aggregation of all findings from within it. Multiple vulnerable jars found within an archive will be reported separately.

The path reported with a vulnerability finding is the full path to the finding, with archive layers delimited by a "!". For example, /path/to/archive!path/to/finding.jar shows that an archive at /path/to/archive contained a vulnerable jar at path/to/finding.jar within it.

When using --json mode, the path on disk is still reported as the filePath field. An extra detailedPath field has been added, containing the full path to the vulnerable content, which may be nested in any number of archives.
Link: https://github.com/palantir/log4j-sniffer/pull/81
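As an added illustration (not code from the log4j-sniffer project), the Go snippet below consumes the filePath and detailedPath fields described above: it splits detailedPath on the "!" delimiter into archive layers, checks that it starts with filePath, and regroups the now individually reported findings by their on-disk file, which is the unit an operator patches or removes. The assumption that each finding arrives as a single JSON object, and the sample paths, are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding models the two path fields the v1.7.0 notes describe for --json output.
type Finding struct {
	FilePath     string `json:"filePath"`
	DetailedPath string `json:"detailedPath"`
}

// ParseFinding decodes one finding from a JSON object (this example's assumption about
// the record shape) and rejects a detailedPath that does not start with filePath.
func ParseFinding(raw string) (Finding, error) {
	var f Finding
	if err := json.Unmarshal([]byte(raw), &f); err != nil {
		return Finding{}, fmt.Errorf("decode finding: %w", err)
	}
	if f.FilePath == "" || !strings.HasPrefix(f.DetailedPath, f.FilePath) {
		return Finding{}, fmt.Errorf("detailedPath %q does not start with filePath %q", f.DetailedPath, f.FilePath)
	}
	return f, nil
}

// Layers splits detailedPath on "!": element 0 is the file on disk, each later element is one archive layer deeper.
func (f Finding) Layers() []string { return strings.Split(f.DetailedPath, "!") }

// NestingDepth counts archive boundaries crossed to reach the vulnerable content (0: the on-disk file itself).
func (f Finding) NestingDepth() int { return len(f.Layers()) - 1 }

// GroupByFile rebuilds the pre-1.7.0 style aggregation: nested findings keyed by the on-disk file,
// which is the unit an operator patches or removes.
func GroupByFile(fs []Finding) map[string][]string {
	groups := make(map[string][]string)
	for _, f := range fs {
		groups[f.FilePath] = append(groups[f.FilePath], f.DetailedPath)
	}
	return groups
}

// Constructed sample records; the paths are illustrative, not real findings.
var sampleJSON = []string{
	`{"filePath":"/opt/app/bundle.ear","detailedPath":"/opt/app/bundle.ear!lib/svc.war!WEB-INF/lib/log4j-core-2.14.1.jar"}`,
	`{"filePath":"/opt/app/bundle.ear","detailedPath":"/opt/app/bundle.ear!lib/log4j-core-2.12.1.jar"}`,
	`{"filePath":"/opt/app/log4j-core-2.14.1.jar","detailedPath":"/opt/app/log4j-core-2.14.1.jar"}`,
}
```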
Improvement: Use a bounded amount of memory per directory, regardless of how many entries it contains.
Link: https://github.com/palantir/log4j-sniffer/pull/88

v1.6.0

2 years ago
Improvement: Evaluate obfuscation for each class individually rather than averaging over a whole jar.
Link: https://github.com/palantir/log4j-sniffer/pull/83

Improvement: The zip walking logic that previously used the standard package has been replaced with a memory-optimised version implemented specifically for the goals of this product.

Previously, the memory used for indexing the entries within a zip was proportional to the number of files it contained. As of this release, no index is created, so this memory overhead has been removed.
Link: https://github.com/palantir/log4j-sniffer/pull/87

v1.5.0

2 years ago
Improvement: Any file called JndiManager, regardless of extension, will be checked for hash matches against known versions.
Link: https://github.com/palantir/log4j-sniffer/pull/80

Improvement: Optionally emit trace logging of paths while crawling, using the --enable-trace-logging flag.
Link: https://github.com/palantir/log4j-sniffer/pull/82

v1.4.0

2 years ago
Fix: Correctly use exact-match signatures in partial matching, to avoid false positives caused by not enough bytecode being matched.
Link: https://github.com/palantir/log4j-sniffer/pull/74

Improvement: A flag has been added to choose the file-opening behaviour used when opening archives on disk. The flag, --archive-open-mode, supports the values "standard" and "directio", defaulting to "standard" when no value is supplied.

Standard open mode opens files and reads their content in the same way as before this PR, where the filesystem cache may be used. This has caused issues on some hosts, where the use of log4j-sniffer resulted in many filesystem cache evictions.

Direct I/O mode uses the O_DIRECT flag when opening archives on disk on Linux systems, and similar primitives on other operating systems that allow reads of the files to skip the cache.

Closes: https://github.com/palantir/log4j-sniffer/issues/77
Link: https://github.com/palantir/log4j-sniffer/pull/78

v1.3.0

2 years ago
Fix: A small logging bug has been fixed where, for nested archives, an error log line would be emitted for all results regardless of whether there was an error.
Link: https://github.com/palantir/log4j-sniffer/pull/62

Fix: Do not exit with an error if the maximum archive size is exceeded.
Link: https://github.com/palantir/log4j-sniffer/pull/64

Improvement: Print a summary of paths skipped due to configuration.
Link: https://github.com/palantir/log4j-sniffer/pull/65

Improvement: Build binaries for scanning on Linux arm64.
Link: https://github.com/palantir/log4j-sniffer/pull/66

v1.2.0

2 years ago
Feature: Adds a "--file-path-only" flag that prints only the paths of files with CVEs.

Fixes #55
Link: https://github.com/palantir/log4j-sniffer/pull/57

Fix: Fix the "--disable-flagging-jndi-lookup" flag such that specifying it properly ignores files that were flagged only because of the presence of the JndiLookup class.
Link: https://github.com/palantir/log4j-sniffer/pull/58

Improvement: Add a "--disable-unknown-versions" flag.

Adds a flag for the "crawl" operation that suppresses output of any CVEs for which the version cannot be determined.
Link: https://github.com/palantir/log4j-sniffer/pull/59

v1.1.0

2 years ago
Feature: Add support for the new versions introduced to address CVE-2021-44832, and report all relevant CVEs across the full supported version range.
Link: https://github.com/palantir/log4j-sniffer/pull/54

v1.0.0

2 years ago
Feature: Recursing into zip files is now supported up to a configurable depth, --nested-archive-max-depth. By default this is set to 0, which means an archive on disk will have its contents inspected but an archive within it would not be unarchived for inspection.
Nested archives will only be inspected if they are below a configurable size, --nested-archive-max-size.
To control the memory usage of unarchiving, a combination of --nested-archive-max-depth and --nested-archive-max-size should be used. This only controls memory usage on top of the base memory usage of log4j-sniffer.
Link: https://github.com/palantir/log4j-sniffer/pull/24

Improvement: We now only look for class files in zip-based archives such as zip, jar, ear and war.
Link: https://github.com/palantir/log4j-sniffer/pull/31

Feature: Add a compare command to find bytecode common to two classes.
Link: https://github.com/palantir/log4j-sniffer/pull/32

Feature: Compare classes that appear to be obfuscated, or are named JndiManager, against bytecode snippets from known versions.
Link: https://github.com/palantir/log4j-sniffer/pull/36

Feature: Add support for uncompressed and bzip2-compressed tar archives, and add the extension-checking function for the different archive formats.
Link: https://github.com/palantir/log4j-sniffer/pull/43

Feature: Add configurable rate limiting for directories and archives.
Link: https://github.com/palantir/log4j-sniffer/pull/44

Improvement: Report additional information about matches: the presence of JndiLookup and whether jars were obfuscated.
Link: https://github.com/palantir/log4j-sniffer/pull/45

Improvement: By default, print detailed match information as each file is scanned.
Link: https://github.com/palantir/log4j-sniffer/pull/46

Feature: Support nested archive recursion across all supported archive types.
Link: https://github.com/palantir/log4j-sniffer/pull/47