{"id":21475231,"url":"https://github.com/pfichtner/log4shell-hunter","last_synced_at":"2025-07-15T09:32:26.436Z","repository":{"id":38122862,"uuid":"438657944","full_name":"pfichtner/log4shell-hunter","owner":"pfichtner","description":"Scanner that scans local files for log4shell vulnerability. Does bytecode analysis so it does not rely on metadata. Will find vulnerable log4j even it has been self-compiled/repackaged/shaded/nested (e.g. uberjar, fatjar) and even obfuscated. ","archived":false,"fork":false,"pushed_at":"2024-10-24T06:28:42.000Z","size":43943,"stargazers_count":7,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-10-25T03:04:40.375Z","etag":null,"topics":["cve-2021-44228","cve-2021-45046","cve-2021-45105","java","log4j","log4j-rce","log4shell","scanner","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pfichtner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-15T14:25:24.000Z","updated_at":"2024-10-24T06:28:38.000Z","dependencies_parsed_at":"2024-09-16T07:58:49.712Z","dependency_job_id":"d8ecf0b9-feee-4d37-a75d-6854a3af146e","html_url":"https://github.com/pfichtner/log4shell-hunter","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfichtner%2Flog4shell-hunter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfichtner%2Flog
4shell-hunter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfichtner%2Flog4shell-hunter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfichtner%2Flog4shell-hunter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pfichtner","download_url":"https://codeload.github.com/pfichtner/log4shell-hunter/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226033295,"owners_count":17563125,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2021-44228","cve-2021-45046","cve-2021-45105","java","log4j","log4j-rce","log4shell","scanner","vulnerability-scanner"],"created_at":"2024-11-23T10:39:15.696Z","updated_at":"2024-11-23T10:39:16.311Z","avatar_url":"https://github.com/pfichtner.png","language":"Java","readme":"# log4shell-hunter\n\n[![Java CI with Maven](https://github.com/pfichtner/log4shell-hunter/actions/workflows/maven.yml/badge.svg)](https://github.com/pfichtner/log4shell-hunter/actions/workflows/maven.yml)\n[![GitLicense](https://gitlicense.com/badge/pfichtner/log4shell-hunter)](https://gitlicense.com/license/pfichtner/log4shell-hunter)\n[![Known Vulnerabilities](https://snyk.io/test/github/pfichtner/log4shell-hunter/badge.svg?targetFile=pom.xml)](https://snyk.io/test/github/pfichtner/log4shell-hunter?targetFile=pom.xml)\n[![codecov](https://codecov.io/gh/pfichtner/log4shell-hunter/branch/main/graph/badge.svg?token=9KPRQO35RS)](https://codecov.io/gh/pfichtner/log4shell-hunter)\n[![BCH 
compliance](https://bettercodehub.com/edge/badge/pfichtner/log4shell-hunter?branch=main)](https://bettercodehub.com/)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fpfichtner%2Flog4shell-hunter.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fpfichtner%2Flog4shell-hunter?ref=badge_shield)\n\nAre you afraid of having JARs or even commercial (e.g. closed source) applications that include (shade) a vulnerable version of log4j, or that your developers copied vulnerable log4j classes into some of their projects? This is where most scanners produce false negatives, because they rely on metadata such as a pom.xml declaring the log4j version.\n\nThis scanner does bytecode analysis! So it does **not** depend on:\n- fingerprinted jar files\n- fingerprinted class files\n- class names (e.g. ```JndiLookup```)\n- poms/pom entries\n\nSo log4shell-hunter will find vulnerable log4j versions even if:\n- log4j's source has been compiled by third parties (no matter which compiler or compiler version)\n- log4j (or parts of it) has been included in or copied into other jars\n- log4j was repackaged (uberjar, fatjar), even if packages have been renamed, e.g. org.apache.logging -\u003e org.acme.foo.logger.bar\n\nThe scanner analyzes jars (including archives nested inside them, e.g. uberjars and fatjars) and tries to detect:\n- classes that are annotated with log4j's Plugin annotation ```org.apache.logging.log4j.core.config.plugins.Plugin```\n- This even works if the Plugin annotation has been renamed or obfuscated (depending on log4shell-hunter's mode parameter, see below)\n\n### Usage\nExample usage (scans the current directory tree; note that ```-exec ... \\;``` starts one JVM per archive found):\n```console\nfind . \\( -name \"*.jar\" -o -name \"*.zip\" -o -name \"*.ear\" -o -name \"*.war\" \\) -exec java -jar log4shell-hunter-0.0.3.jar -m obfuscatorComparator {} \\;\n```\n\nExample output\n```console\n./log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war\n\u003e Possible 2.1+ match found in class org.apache.logging.log4j.core.lookup.JndiLookup in resource /WEB-INF/lib/log4j-core-2.10.0.jar\n```\n\nThe mode (```-m```) can be set to one of ```defaultComparator```, ```repackageComparator```, ```obfuscatorComparator```.\n- defaultComparator: Log4j classes have to match the expected class and package names exactly. The same applies to their methods.\n- repackageComparator: Log4j classes have to match the expected class names; the package name is ignored. Method names have to match exactly (**default**)\n- obfuscatorComparator: log4shell-hunter does not depend on any class or method names but tries to detect log4j classes by other criteria. This mode will find repackaged log4j even if the jar has been obfuscated\n\n### Build from source\n```console\ngit clone https://github.com/pfichtner/log4shell-hunter.git\ncd log4shell-hunter/\n# build using the included maven wrapper\n# of course you can use your locally installed \"mvn\" instead of the maven wrapper \"./mvnw\"\n./mvnw package\njava -jar target/log4shell-hunter-0.0.3.jar\n```\n\n### License\n[GNU General Public License v3.0](LICENSE.txt)\n",
"funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpfichtner%2Flog4shell-hunter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpfichtner%2Flog4shell-hunter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpfichtner%2Flog4shell-hunter/lists"}
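The README above explains that log4shell-hunter finds log4j by analysing bytecode rather than by jar, class or package names, and that it recurses into nested archives such as the jar inside the war in the example output. The Python script below is an added illustration of why name-independent detection works; it is not code from log4shell-hunter. Its rule, flag any class whose constant pool holds a Methodref to `javax.naming.Context.lookup` or `javax.naming.InitialContext.lookup` (JDK call sites that neither shading nor an obfuscator can rename), is an assumption chosen for this example, not the project's own criteria, and the archives it scans are constructed in memory. The `!/` path notation for nested members is likewise this example's choice.

```python
# Added illustration, not code from log4shell-hunter. The rule "flag a class whose
# constant pool references Context.lookup / InitialContext.lookup" is an assumption
# chosen for this example; it is not the project's detection criteria.
import io
import struct
import zipfile

# Constant-pool tag -> payload size in bytes (CONSTANT_Utf8, tag 1, is variable-length)
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# JDK call sites that neither shading nor an obfuscator can rename (assumed rule)
JNDI_LOOKUPS = {
    "javax/naming/Context.lookup:(Ljava/lang/String;)Ljava/lang/Object;",
    "javax/naming/InitialContext.lookup:(Ljava/lang/String;)Ljava/lang/Object;",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_constant_pool(data):
    """Return a class file's constant pool as {index: (tag, payload)}."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pool, pos, i = {}, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified-UTF-8 bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pool[i] = (tag, data[pos:pos + CP_FIXED[tag]])
            pos += CP_FIXED[tag]
        i += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    return pool

def method_refs(pool):
    """Yield 'owner.name:descriptor' for every Methodref/InterfaceMethodref."""
    for tag, payload in pool.values():
        if tag in (10, 11):
            class_idx, nat_idx = struct.unpack(">HH", payload)
            owner = pool[struct.unpack(">H", pool[class_idx][1])[0]][1]
            name_idx, desc_idx = struct.unpack(">HH", pool[nat_idx][1])
            yield f"{owner}.{pool[name_idx][1]}:{pool[desc_idx][1]}"

def is_suspicious(class_bytes):
    """True if the class calls a JNDI lookup, whatever its own name or package is."""
    try:
        return any(r in JNDI_LOOKUPS for r in method_refs(parse_constant_pool(class_bytes)))
    except (ValueError, KeyError, struct.error):
        return False  # truncated or malformed class file: not a hit

def scan_archive(blob, path=""):
    """Recurse into nested archives; return '!/'-joined paths of flagged classes."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            full = f"{path}!/{name}" if path else name
            if name.endswith(".class") and is_suspicious(zf.read(name)):
                hits.append(full)
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), full))
    return hits

def build_class(this_name, owner, method, desc):
    """Constructed sample: a minimal class file whose pool holds one Methodref."""
    pool = []

    def utf8(s):
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        return len(pool)  # 1-based constant-pool index of the entry just added

    def cls(name):
        pool.append(b"\x07" + struct.pack(">H", utf8(name)))
        return len(pool)

    this_idx, super_idx, owner_idx = cls(this_name), cls("java/lang/Object"), cls(owner)
    pool.append(b"\x0c" + struct.pack(">HH", utf8(method), utf8(desc)))  # NameAndType
    pool.append(b"\x0a" + struct.pack(">HH", owner_idx, len(pool)))      # Methodref
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    tail = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(pool) + tail

def build_sample_archive():
    """Constructed sample: a fat jar nesting a shaded jar with obfuscated class names."""
    lookup = "(Ljava/lang/String;)Ljava/lang/Object;"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("a/b/c.class", build_class("a/b/c", "javax/naming/InitialContext", "lookup", lookup))
        zf.writestr("a/b/d.class", build_class("a/b/d", "java/util/Map", "get", "(Ljava/lang/Object;)Ljava/lang/Object;"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/shaded-logger-1.0.jar", inner.getvalue())
        zf.writestr("com/acme/App.class", build_class("com/acme/App", "java/io/PrintStream", "println", "(Ljava/lang/String;)V"))
    return outer.getvalue()

if __name__ == "__main__":
    for hit in scan_archive(build_sample_archive(), "app.jar"):
        print("JNDI lookup call site in", hit)
```

Running the script scans the constructed fat jar and reports only the renamed class inside the nested jar, because the match is on what repackaging and obfuscation cannot change: references to JDK classes and method descriptors. To scan a real archive, pass its bytes to `scan_archive`. A single JNDI call site is a reason to look, not a verdict; a real scanner such as log4shell-hunter uses a richer fingerprint.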