Whoops, I forgot to use the newer locked lines inspector! My bad!
I have seen some very fast scan times on my NVMe systems, but 1.26 seconds does seem a bit fast for that many files.
Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.3 (2021-12-16)
Scanning directory: /
Scanned 3462 directories and 35526 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 3.15 seconds
This seems less surprising to me given the number of files being scanned on NVMe, but your result seems somewhat plausible.
I’m still working on a solution for non-x64-based systems to run the JAR directly instead of using the Linux or Windows binary, which will only work on Intel/AMD x64 systems currently.
Yep, that is what I should be doing, good call. Do you want to file a pull request against my analysis in GitHub?
I’m planning on doing this today. What do you have so far?
FYI, there have been 4 releases of the log4jscan utility in the last 19 hours, including this important addition:
Support Log4j 1.x CVE-2021-4104 vulnerability scanning using --scan-log4j1 option.
So now it supports detection of the CVE within the EOL Log4j 1.x versions. I’ll look to add this to the default command shortly.
Redefined exit code
-1 failed to run
0 for clean (No vulnerability)
1 for found
2 for some errors
Use --old-exit-code for legacy automation.
I’ll be updating the scan tasks to use this newer version soon, as well as incorporating a method for custom path exclusions.
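For anyone adapting automation to the redefined exit codes quoted above, here is an added example (not part of the thread and not the scanner project's code) that classifies one run from its exit status plus the "Found N ... files" summary lines shown earlier. The function names, the result labels, and the choice to treat exit code 2 with findings as VULNERABLE are assumptions of this sketch, as is the report format staying the same in newer releases.

```shell
#!/bin/sh
# Added example: classify one scanner run from its exit status and report text.
# Exit-code meanings come from the release note quoted in the thread; the
# summary-line format comes from the sample output earlier in the thread.

# count_of LABEL REPORT -> prints N from a "Found N LABEL files" line (0 if absent)
count_of() {
    n=$(printf '%s\n' "$2" | sed -n "s/^Found \([0-9][0-9]*\) $1 files\$/\1/p" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# classify_scan EXIT_STATUS REPORT -> CLEAN | VULNERABLE | PARTIAL | FAILED | UNKNOWN
classify_scan() {
    status=$1
    report=$2
    vuln=$(count_of "vulnerable" "$report")
    maybe=$(count_of "potentially vulnerable" "$report")
    findings=$((vuln + maybe))
    case "$status" in
        0)  # "Clean" status but non-zero counts: exit code and report disagree
            # (for example legacy --old-exit-code semantics), so do not trust it.
            if [ "$findings" -gt 0 ]; then echo UNKNOWN; else echo CLEAN; fi ;;
        1)  echo VULNERABLE ;;
        2)  # Some errors occurred: findings still count, but zero findings
            # cannot be reported as clean because part of the scan was missed.
            if [ "$findings" -gt 0 ]; then echo VULNERABLE; else echo PARTIAL; fi ;;
        255|-1) echo FAILED ;;   # a POSIX shell reports exit code -1 as 255
        *)  echo UNKNOWN ;;
    esac
}

# Constructed sample report, modelled on the output pasted in the thread.
SAMPLE_REPORT='Scanned 3462 directories and 35526 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files'

printf 'exit 0   -> %s\n' "$(classify_scan 0 "$SAMPLE_REPORT")"
printf 'exit 2   -> %s\n' "$(classify_scan 2 "$SAMPLE_REPORT")"
printf 'exit 255 -> %s\n' "$(classify_scan 255 "")"
```

In a real task, capture the scanner's output and `$?` from the same invocation and pass both to `classify_scan`, so a run that errored on some paths is never recorded as clean.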