v2021.12.20 - some new options (--json, --stdin, --excludes)

juliusmusseau · juliusmusseau · commit 22c7ca7faf24 · 2021-12-20T08:48:24.000Z
includes pre-compiled ./log4j-detector-2021.12.20.jar binary that
was compiled using Java 6 and signed by MergeBase signing key.
diff --git a/README.md b/README.md
@@ -13,16 +13,16 @@ We currently maintain a collection of [log4j-samples](https://github.com/mergeba
 
 # Example Usage:
 
-java -jar log4j-detector-2021.12.17.jar [path-to-scan] > hits.txt
+java -jar log4j-detector-2021.12.20.jar [path-to-scan] > hits.txt
 
 ![Terminal output from running java -jar log4j-detector.jar in a terminal](./log4j-detector.png)
 
 # More Example Usage:
 
 ```
-java -jar log4j-detector-2021.12.17.jar ./samples 
+java -jar log4j-detector-2021.12.20.jar ./samples 
 
--- github.com/mergebase/log4j-detector v2021.12.17 (by mergebase.com) analyzing paths (could take a while).
+-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
 -- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
 /opt/mergebase/log4j-detector/samples/clt-1.0-SNAPSHOT.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
 /opt/mergebase/log4j-detector/samples/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
@@ -85,15 +85,15 @@ your system (e.g., 1 GB or larger).
 # Usage
 
 ```
-java -jar log4j-detector-2021.12.17.jar 
+java -jar log4j-detector-2021.12.20.jar 
 
-Usage: java -jar log4j-detector-2021.12.17.jar [--verbose] [paths to scan...]
+Usage: java -jar log4j-detector-2021.12.20.jar [--verbose] [paths to scan...]
 
 Exit codes:  0 = No vulnerable Log4J versions found.
              1 = At least one legacy Log4J 1.x version found.
              2 = At least one vulnerable Log4J version found.
 
-About - MergeBase log4j detector (version 2021.12.17)
+About - MergeBase log4j detector (version 2021.12.20)
 Docs  - https://github.com/mergebase/log4j-detector 
 (C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.
 ```
@@ -104,7 +104,7 @@ Docs  - https://github.com/mergebase/log4j-detector
 git clone https://github.com/mergebase/log4j-detector.git
 cd log4j-detector/
 mvn install
-java -jar target/log4j-detector-2021.12.17.jar
+java -jar target/log4j-detector-2021.12.20.jar
 ```
 # Testing:
 
diff --git a/log4j-detector-2021.12.20.jar b/log4j-detector-2021.12.20.jar
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.mergebase</groupId>
     <artifactId>log4j-detector</artifactId>
-    <version>2021.12.17</version>
+    <version>2021.12.20</version>
     <licenses>
         <license>
             <name>GPL-3.0-only</name>
diff --git a/src/main/java/com/mergebase/log4j/Log4JDetector.java b/src/main/java/com/mergebase/log4j/Log4JDetector.java
@@ -25,9 +25,13 @@
 import java.util.Comparator;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
+import java.util.TreeSet;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 
@@ -68,22 +72,48 @@ public class Log4JDetector {
 
     private static boolean verbose = false;
     private static boolean debug = false;
+    private static boolean json = false;
+    private static Set<String> excludes = new TreeSet<String>();
     private static boolean foundHits = false;
     private static boolean foundLog4j1 = false;
 
-    public static void main(String[] args) {
+    public static void main(String[] args) throws IOException {
         List<String> argsList = new ArrayList<String>();
         Collections.addAll(argsList, args);
 
         Iterator<String> it = argsList.iterator();
+        List<String> stdinLines = new ArrayList<String>();
         while (it.hasNext()) {
-            final String argOrig = it.next();
+            final String argOrig = it.next().trim();
             if ("--debug".equals(argOrig)) {
                 debug = true;
                 it.remove();
             } else if ("--verbose".equals(argOrig)) {
                 verbose = true;
                 it.remove();
+            } else if ("--json".equals(argOrig)) {
+                json = true;
+                it.remove();
+            } else if (argOrig.startsWith("--exclude=[")) {
+                int x = argOrig.indexOf("]");
+                if (x > 0) {
+                    it.remove();
+                    String json = argOrig.substring("--exclude=".length());
+                    Object o = Java2Json.parse(json);
+                    if (o instanceof List) {
+                        List<Object> list = (List) o;
+                        for (Object obj : list) {
+                            if (obj != null) {
+                                excludes.add(String.valueOf(obj));
+                            }
+                        }
+                    }
+                }
+            } else if ("--stdin".equals(argOrig)) {
+                it.remove();
+                byte[] b = Bytes.streamToBytes(System.in);
+                String s = new String(b, Bytes.UTF_8);
+                stdinLines = Strings.intoLines(s);
             } else {
                 File f = new File(argOrig);
                 if (!f.exists()) {
@@ -92,28 +122,41 @@ public static void main(String[] args) {
                 }
             }
         }
+        argsList.addAll(stdinLines);
 
         if (argsList.isEmpty()) {
             System.out.println();
-            System.out.println("Usage: java -jar log4j-detector-2021.12.17.jar [--verbose] [paths to scan...]");
+            System.out.println("Usage: java -jar log4j-detector-2021.12.20.jar [--verbose] [--json] [--stdin] [--exclude=X] [paths to scan...]");
+            System.out.println();
+            System.out.println("  --json       - Output STDOUT results in JSON.  (Errors/warning still emitted to STDERR)");
+            System.out.println("  --stdin      - Parse STDIN for paths to explore.");
+            System.out.println("  --exclude=X  - Where X is a JSON list containing full paths to exclude. Must be valid JSON.");
+            System.out.println();
+            System.out.println("                 Example: --excludes=[\"/dev\", \"/media\", \"Z:\\TEMP\"]");
             System.out.println();
             System.out.println("Exit codes:  0 = No vulnerable Log4J versions found.");
             System.out.println("             1 = At least one legacy Log4J 1.x version found.");
             System.out.println("             2 = At least one vulnerable Log4J 2.x version found.");
             System.out.println();
-            System.out.println("About - MergeBase log4j detector (version 2021.12.17)");
+            System.out.println("About - MergeBase log4j detector (version 2021.12.20)");
             System.out.println("Docs  - https://github.com/mergebase/log4j-detector ");
             System.out.println("(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.");
             System.out.println();
             System.exit(100);
         }
 
-        System.out.println("-- github.com/mergebase/log4j-detector v2021.12.17 (by mergebase.com) analyzing paths (could take a while).");
-        System.out.println("-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.");
+        System.err.println("-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).");
+        System.err.println("-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.");
+        if (json) {
+            System.out.println("{\"hits\":[");
+        }
         for (String arg : argsList) {
             File dir = new File(arg);
             analyze(dir);
         }
+        if (json) {
+            System.out.println("{\"_THE_END_\":true}]}");
+        }
         if (foundHits) {
             System.exit(2);
         } else if (foundLog4j1) {
@@ -422,10 +465,10 @@ public void close() {
                 StringBuilder buf = new StringBuilder();
                 if (isLog4j) {
                     if (isLog4J1_X) {
-                        buf.append(zipPath).append(" contains Log4J-1.x AND Log4J-2.x _CRAZY_   ");
+                        buf.append(" contains Log4J-1.x AND Log4J-2.x _CRAZY_   ");
                         foundLog4j1 = true;
                     } else {
-                        buf.append(zipPath).append(" contains Log4J-2.x   ");
+                        buf.append(" contains Log4J-2.x   ");
                     }
                     if (isVulnerable) {
                         if (isLog4j_2_10_0) {
@@ -455,11 +498,11 @@ public void close() {
                     if (!isSafe) {
                         foundHits = true;
                     }
-                    System.out.println(buf);
+                    System.out.println(prepareOutput(zipPath, buf));
                 } else if (isLog4J1_X) {
-                    buf.append(zipPath).append(" contains Log4J-1.x   <= 1.2.17 _OLD_");
+                    buf.append(" contains Log4J-1.x   <= 1.2.17 _OLD_");
                     foundLog4j1 = true;
-                    System.out.println(buf);
+                    System.out.println(prepareOutput(zipPath, buf));
                 }
             }
         } finally {
@@ -469,6 +512,24 @@ public void close() {
         }
     }
 
+    private static String prepareOutput(String zipPath, StringBuilder buf) {
+        if (json) {
+            String msg = buf.toString().trim();
+            int x = msg.lastIndexOf(" _");
+            String status = "_UNKNOWN_";
+            if (x >= 0) {
+                status = msg.substring(x).trim();
+                msg = msg.substring(0, x).trim();
+            }
+            Map<String, String> m = new LinkedHashMap<String, String>();
+            m.put(status, zipPath);
+            m.put("info", msg);
+            return Java2Json.format(m) + ",";
+        } else {
+            return zipPath + buf;
+        }
+    }
+
     private static boolean containsMatch(byte[] bytes, byte[] needle) {
         int matched = Bytes.kmp(bytes, needle);
         return matched >= 0;
@@ -590,6 +651,19 @@ private static void analyze(File f) {
         // Hopefully this stops symlink cycles.
         // Using CRC-64 of path to save on memory (since we're storing *EVERY* path we come across).
         String path = f.getPath();
+        if (excludes.contains(path)) {
+            System.err.println("-- Info: Skipping [" + path + "] because --excludes mentions it.");
+            return;
+        }
+        File parent = f.getParentFile();
+        while (parent != null) {
+            String parentPath = parent.getPath();
+            if (excludes.contains(parentPath)) {
+                System.err.println("-- Info: Skipping [" + path + "] because --excludes mentions it.");
+                return;
+            }
+            parent = parent.getParentFile();
+        }
         long crc = CRC64.hash(path);
         if (visited.contains(crc)) {
             return;
@@ -626,8 +700,8 @@ private static void analyze(File f) {
                     if (isLog4J_1_X) {
                         StringBuilder buf = new StringBuilder();
                         String grandParent = f.getParentFile().getParent();
-                        buf.append(grandParent).append(" contains contains Log4J-1.x   <= 1.2.17 _OLD_ :-|");
-                        System.out.println(buf);
+                        buf.append(" contains Log4J-1.x   <= 1.2.17 _OLD_ :-|");
+                        System.out.println(prepareOutput(grandParent, buf));
                     } else {
                         maybe = currentPathLower.endsWith(FILE_LOG4J_1);
                     }
@@ -683,7 +757,7 @@ private static void analyze(File f) {
                             }
                         }
                         StringBuilder buf = new StringBuilder();
-                        buf.append(f.getParentFile().getParent()).append(" contains Log4J-2.x   ");
+                        buf.append(" contains Log4J-2.x   ");
                         if (isVulnerable) {
                             if (isLog4J_2_10) {
                                 if (isLog4J_2_17) {
@@ -711,7 +785,7 @@ private static void analyze(File f) {
                         } else {
                             buf.append("<= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)");
                         }
-                        System.out.println(buf);
+                        System.out.println(prepareOutput(f.getParentFile().getParent(), buf));
                     }
                 } else if (verbose) {
                     System.err.println("-- Skipping " + f.getPath() + " - Not a zip/jar/war file.");
