Lunasec Versions

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

v1.0.0-lunatrace

2 years ago

Initial release

The LunaTrace CLI can collect SBOMs of files, directories, containers, and remote repositories. Once collected, the SBOM can be reported to LunaTrace for automated scanning for vulnerabilities.

v1.6.1-log4shell

2 years ago
  • Publish linux ppc64le

v1.6.0-log4shell

2 years ago

This release adds the log4shell cloud-scan command. This command will automatically notify you about future vulnerabilities in your code by uploading a list of dependencies used by your project.

We're planning to build more functionality like an Open Source Web dashboard, and that will be released under the name "LunaTrace" soon. If you're interested in chatting with us about that, please send us a message. Feedback is incredibly helpful for us as we build this tooling!

v1.5.2-log4shell

2 years ago

Changelog

  • 29f889c3 Adding blog post talking about new CVEs and security team response (#390)
  • 57d35256 Blog post - Working backwards from log4shell to see why we built lunasec (#388)
  • 8be8d652 Fix analytics by inserted into every HTML file
  • f2ce9576 Fixes #368 - jars larger than a gig are extracted to disk when scanning (#400)
  • d222fe12 Merge pull request #397 from lunasec-io/update-hype-title
  • 973a6c41 Merge pull request #398 from lunasec-io/fix-analytics
  • 32a4cec4 Merge pull request #399 from lunasec-io/fix-typos-jan
  • 94e75aca Update Hype train post title
  • 3b1e39dd bump version (#401)
  • 432e4b34 fix typos

v1.5.1-log4shell

2 years ago

Changelog

  • 0989db40 Dana incoming edits (#389)
  • 0cbe2e6c Dana incoming edits two (#391)
  • fee19ab5 Dana incoming edits two (#392)
  • 2f14ea9f Log4shell scan improvements (#393)
  • 7ed6ad7b Update log4shell readme (#394)
  • 683bbadf ignore all webpack generated stuff...weirdness
  • a154837e version bump (#395)

v1.5.0-log4shell

2 years ago

Changelog

  • 451e1c44 Add ear file extension to Scan function
  • ac30e3de Edit of first blog post (#381)
  • 5bd43d14 Merge branch 'master' into add-jar-patcher
  • 74e545a8 Merge pull request #308 from lunasec-io/add-jar-patcher
  • 569b46c6 Merge pull request #378 from lunasec-io/fix-file-not-closed
  • 9891b136 Merge pull request #380 from NorthwaveCERT/patch-1
  • eda04aab Merge pull request #386 from lunasec-io/log4shell-blog-cli-command-update
  • 74bb3cdd Severity 9.8 for log4j v1 vulns
  • 02a9e736 Some scaffolding for a JAR patcher
  • 6a3eb6c2 Speed up ci (#383)
  • bec65fd8 Swap from Severity to CVE
  • 99aee5c5 Update vulnerablehashes.go
  • dd697d30 Update vulnerablehashes.go
  • 24b9eaf6 added 2.15 hashes and confirmed they work
  • 7e8c1463 begin to support nested zips when patching
  • 4fd334e6 duplicate flags onto scan command because its more natural UX
  • 50f3d2af first draft of adding severity rating to vulns
  • 7d30321b generating hashes for the JndiLookup.class file to patch out
  • 56c6375a include jndilookup.class file when analyzing so that it can be removed when patching
  • fbab2cfe jar patcher is able to remove JndiLookup.class file from jars
  • 449f7004 nested patching works now
  • 6e991905 patcher works on non-nested zips, but is truncating nested zips for some reason
  • 258281ca testing the jar patcher by loading findings file and then looking at discovered files
  • bcf95cc3 update info about cli
  • e867b7ba update wording in blog to be more clear that the cli is not an archive

v1.4.2-log4shell

2 years ago

Changelog

  • 423c567e Merge pull request #366 from tlehman/patch-1
  • d6a8fa40 Merge pull request #367 from lunasec-io/update-guidance-to-include-2.17.0
  • 62dc0e95 Merge pull request #375 from lunasec-io/osx-log4shell
  • 7a160ba2 Merge pull request #376 from lunasec-io/fix-malicious-links
  • a414f0ad Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
  • 472e23ee Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
  • b02cd4fc Update guidance across all posts
  • 15c5823e Update the malicious links to be our domain everywhere
  • a33566d5 WIP OSS patching blog post (#348)
  • 780dd9f3 better osx instructions
  • 71adc6a5 close read which is left open
  • 90f18589 typo 'and' should be 'an'
  • c3871569 update guidance to use 2.17.0

v1.4.1-log4shell

2 years ago

Changelog

Fixes #351

  • 0f47f256 Add bypass payload to post
  • 4c832fb3 Fix bad date
  • 9f908c86 Fix bug in the new CVSS post
  • 600fc1bc Merge pull request #352 from lunasec-io/follow-post-to-CVE-2021-45046
  • 57196831 Merge pull request #353 from lunasec-io/fix-bug-in-post
  • dce51d52 Merge pull request #354 from lunasec-io/fix-bug-in-post
  • 5d3a3417 Merge pull request #355 from lunasec-io/fix-bug-in-post
  • 0cbce8c9 Merge pull request #356 from lunasec-io/fix-bug-in-post
  • 998c69de Merge pull request #360 from lunasec-io/do-not-open-non-existant-files-from-symlinks
  • 8f796fde One more change
  • c2f9bd7b Update issue templates
  • a89ce9b9 add details about the latest updates about the log4shell cves
  • fc20cbdc broken symlinks no longer stop scanning
  • 67f8a2fa bump version
  • da858efd create blog post discussing follow up issues for cve
  • b5e245b0 update date

v1.4.0-log4shell

2 years ago

Changelog

  • ee2c1633 Add FUNDING.yml file for GitHub Sponsors
  • 7a305f71 Add links back to other posts
  • bdeb637a Add links to other blog posts and update phrasing
  • b4751d10 Merge branch 'bump-log4shell-cli-version' of github.com:lunasec-io/lunasec into bump-log4shell-cli-version
  • 4372467c Merge branch 'bump-log4shell-cli-version' of github.com:lunasec-io/lunasec into bump-log4shell-cli-version
  • cfe2c1bd Merge branch 'master' into improve-scanner-reliability
  • 33bbf9cf Merge pull request #330 from lunasec-io/improve-scanner-reliability
  • fb5deb36 Merge pull request #334 from acollign/feature/add-exts
  • 712a040b Merge pull request #342 from lunasec-io/bump-log4shell-cli-version
  • 8150184b Merge pull request #345 from lunasec-io/add-link-to-new-posts
  • 3f604c23 Merge pull request #347 from lunasec-io/add-funding-file
  • ecbcc801 Merge pull request #350 from lunasec-io/increase-severity-of-cve-2021-45046
  • 8c466e35 Update README.md
  • b654be54 add --no-follow-symlinks
  • be2b698a add manual releasing instructions
  • 2ce1498e add zip and ear extensions to allow deep scans
  • 2dd83919 analyzer has better semver version checking
  • c273bcb0 bump cli version to 1.3.2
  • bca90187 fix false positive for 2.16.0 and 2.15.0
  • ccd10e67 global flags are recognized by the cli if they have a name collision in a subcommand
  • 7ebe74f4 improve log colors
  • 36673ca8 increase severity of cve-2021-45046 finding
  • 427e4915 resolve symlinks while scanning
  • 1c98ea08 slightly better log level printing
  • 5b506a12 switch all logs to stdout and prettier formatting for scan results
  • 43f6987f update CTA size
  • c6affa5d version change is more than a patch, version should reflect this
  • 70d405f3 warning about virus scanners in blog post

v1.3.1-log4shell

2 years ago

Changelog

  • a499653f bump version
  • 21805547 include 1.2.17 in scanning log4j1