Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/juergenhoetzel/log4j2go
A Log4J Version 2 Detector written in golang
https://github.com/juergenhoetzel/log4j2go
cve-2021-44228 cve-2021-45046 log4j log4j2
Last synced: about 1 month ago
JSON representation
A Log4J Version 2 Detector written in golang
- Host: GitHub
- URL: https://github.com/juergenhoetzel/log4j2go
- Owner: juergenhoetzel
- Created: 2021-12-18T14:32:13.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2021-12-20T18:11:28.000Z (about 3 years ago)
- Last Synced: 2024-06-21T02:18:17.103Z (6 months ago)
- Topics: cve-2021-44228, cve-2021-45046, log4j, log4j2
- Language: Go
- Homepage:
- Size: 27.3 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.org
Awesome Lists containing this project
README
[[https://github.com/juergenhoetzel/log4j2go/actions][file:https://github.com/juergenhoetzel/log4j2go/workflows/CI/badge.svg]]
* Installation
From source:
#+begin_src bash
go install github.com/juergenhoetzel/log4j2go/cmd/log4j2go@latest
#+end_src
CI build Binaries for Windows, Linux and Darwin: [[https://github.com/juergenhoetzel/log4j2go/releases][Releases · juergenhoetzel/log4j2go · GitHub]].
* Usage
Recursively scan filesystem
#+begin_src bash
log4j2go ~/ghq/github.com
#+end_src
#+begin_src text
2021/12/18 15:45:17 Found log4j-core-2.12.2 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/false-hits/log4j-core-2.12.2.jar"
2021/12/18 15:45:17 Found log4j-core-2.16.0 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/false-hits/log4j-core-2.16.0.jar"
2021/12/18 15:45:17 Found log4j-core-2.0-beta2 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/old-hits/log4j-core-2.0-beta2.jar"
2021/12/18 15:45:17 Found log4j-core-2.0-beta9 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/log4j-core-2.0-beta9.jar"
2021/12/18 15:45:17 Found log4j-core-2.10.0 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/log4j-core-2.10.0.jar"
2021/12/18 15:45:17 Found log4j-core-2.15.0 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/log4j-core-2.15.0.jar"
2021/12/18 15:45:17 Found log4j-core-2.9.1 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/log4j-core-2.9.1.jar"
2021/12/18 15:45:17 Found log4j-core-2.14.1 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar"
2021/12/18 15:45:17 Found log4j-core-2.10.0 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear!/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear!WEB-INF/lib/log4j-core-2.10.0.jar"
2021/12/18 15:45:17 Found log4j-core-2.10.0 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar!/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar!WEB-INF/lib/log4j-core-2.10.0.jar"
2021/12/18 15:45:18 Found log4j-core-2.10.0 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!WEB-INF/lib/log4j-core-2.10.0.jar"
2021/12/18 15:45:18 Found log4j-core-2.5 in "/home/juergen/ghq/github.com/mergebase/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar"
#+end_src
Recursively scan root filesystem but don't descent in mountpoints
#+begin_src bash
log4j2go -samefs /
#+end_src
* Performance
Log4j-Detector
#+begin_src text
time java -jar ~/ghq/github.com/mergebase/log4j-detector/target/log4j-detector-2021.12.17.jar ~/ghq/github.com/
real 0m14,160s
user 0m12,335s
sys 0m4,395s
#+end_src
Log4j2go
#+begin_src test
time log4j2go ~/ghq/github.com/
real 0m2,844s
user 0m2,738s
sys 0m3,553s
#+end_src
* How it works
=log4j2go= recursively scans the filesystem for =ear=, =war= and
=jar= files. It first checks for =log4j-core/pom.xml= metadata to
get the version number.
If there is no =log4j-core/pom.xml= file it compares the =ZIP=
content for well-known Log4J2 filenames (=org/apache/logging/log4j/core= prefix) which
content matches the hashes from the Maven Central artefacts. Each
file is also scanned recursively if it contains =jar= files.
* TODOS
** TODO Also search in plain =.class= files