Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hillu/local-spring-vuln-scanner
Simple local scanner for applications containing vulnerable Spring libraries
- Host: GitHub
- URL: https://github.com/hillu/local-spring-vuln-scanner
- Owner: hillu
- License: gpl-3.0
- Created: 2022-03-31T12:39:50.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2022-08-01T20:19:30.000Z (over 2 years ago)
- Last Synced: 2024-06-18T21:47:11.316Z (5 months ago)
- Language: Go
- Size: 80.1 KB
- Stars: 124
- Watchers: 11
- Forks: 18
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# Simple local Spring vulnerability scanner
(Written in Go because, you know, "write once, run anywhere.")
This is a simple tool that can be used to find instances of Spring
vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java
software such as web applications. JAR and WAR archives are inspected
and class files that are known to be vulnerable are flagged. The scan
happens recursively: WAR files containing WAR files containing JAR
files containing vulnerable class files ought to be flagged properly.

The scan tool currently checks for known build artifacts that have
been obtained through Maven Central. From-source rebuilds as they are
done for Linux distributions may or may not be recognized.

Binaries for x86_64 Windows, Linux, MacOSX for tagged releases are
provided via the
[Releases](https://github.com/hillu/local-spring-vuln-scanner/releases)
page.

# Using the scanner
```
$ ./local-spring-vuln-scanner [--verbose] [--quiet] \
[--exclude /path/to/exclude …] \
[--scan-network] \
[--log /path/to/file.log] \
/path/to/app1 /path/to/app2 …
```

The `--verbose` flag will show every .jar and .war file checked, even if no problem is found.
The `--quiet` flag will suppress output except for indicators of a known vulnerability.
The `--log` flag allows everything to be written to a log file instead of stdout/stderr.
Use the `--exclude` flag to exclude subdirectories from being scanned. It can be used multiple times.
The `--scan-network` flag tells the scanner to search network filesystems (disabled by default). This has not been implemented for Windows.
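Added example (not the project's own code) of the recursive archive walk described above: a Go function that opens a JAR/WAR held in memory, descends into nested .jar/.war entries, and reports indicator classes in the same `outer::inner (class)` form as the scanner's output. The indicator table and the constructed sample WAR are assumptions for illustration; the real tool matches known Maven Central builds rather than class paths alone.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"strings"
)
// Assumed indicator table (class path -> CVE); the real tool matches known Maven Central builds.
var indicators = map[string]string{
	"org/springframework/beans/CachedIntrospectionResults.class": "CVE-2022-22965",
}
// ScanArchive inspects an in-memory JAR/WAR, recursing into nested .jar/.war
// entries, and returns one "outer::inner (class): CVE" line per indicator hit.
func ScanArchive(name string, data []byte) []string {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil // not a zip container: nothing to inspect
	}
	var hits []string
	for _, f := range zr.File {
		if cve, ok := indicators[f.Name]; ok {
			hits = append(hits, name+" ("+f.Name+"): "+cve)
		} else if n := strings.ToLower(f.Name); strings.HasSuffix(n, ".jar") || strings.HasSuffix(n, ".war") {
			if rc, err := f.Open(); err == nil {
				inner, _ := io.ReadAll(io.LimitReader(rc, 256<<20)) // bound nested archive size
				rc.Close()
				hits = append(hits, ScanArchive(name+"::"+f.Name, inner)...)
			}
		}
	}
	return hits
}
// buildZip and SampleWar construct a WAR nesting a JAR with the indicator class (constructed input).
func buildZip(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for n, b := range entries {
		w, _ := zw.Create(n)
		w.Write(b)
	}
	zw.Close()
	return buf.Bytes()
}
func SampleWar() []byte {
	jar := buildZip(map[string][]byte{
		"org/springframework/beans/CachedIntrospectionResults.class": {0xca, 0xfe, 0xba, 0xbe}})
	return buildZip(map[string][]byte{"BOOT-INF/lib/spring-beans-5.3.17.jar": jar})
}
```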
If class files indicating one of the vulnerabilities are found,
messages like the following are printed to standard output:
```console
local-spring-vuln-scanner - a simple local Spring vulnerability scanner
Checking for vulnerabilities: CVE-2022-22965
examining /path/to/spring-boot-0.0.1-SNAPSHOT.jar
indicator for vulnerable component found in /path/to/spring-boot-0.0.1-SNAPSHOT.jar::BOOT-INF/lib/spring-beans-5.3.17.jar (org/springframework/beans/CachedIntrospectionResults.class): CachedIntrospectionResults.class spring 5.3.0-5.3.17 CVE-2022-22965
Scan finished
```

# Building from source
Install a [Go compiler](https://golang.org/dl).
Run the following commands in the checked-out repository:
```
go build
```

# License
GNU General Public License, version 3
# Author
Hilko Bengen <>
# See also
- [local-log4j-vuln-scanner](https://github.com/hillu/local-log4j-vuln-scanner)