incorrectly flagging embedded jar file as affected #246

Open
bvallabhaneni opened this issue Jan 13, 2022 · 2 comments
Labels
enhancement New feature or request patch released


@bvallabhaneni

The scan tool uses the following file to determine the log4j version, and in the embedded jar Ant is removing this file. Is there a way not to flag 2.17.1 as affected?
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties

@xeraph xeraph added the discussion question or suggestion label Jan 14, 2022
@xeraph
Contributor

xeraph commented Jan 14, 2022

@bvallabhaneni
There is no way if pom.properties is not embedded. Another detection method (e.g. hash comparison) is required to implement it; however, I don't have much time right now.

@xeraph xeraph self-assigned this Feb 13, 2022
@xeraph xeraph added enhancement New feature or request patch released and removed discussion question or suggestion labels Feb 13, 2022
@xeraph
Contributor

xeraph commented Feb 13, 2022

@bvallabhaneni Would you test the v3.0.1 release? It can detect the log4j version without pom.properties.
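
The failure mode discussed in this thread, as an added example that is not part of the thread and is not the scanner's own code: a detector that reads `pom.properties` first and falls back to the hash comparison suggested above when a repackaging step has stripped that file. The function names, the choice of marker class, and the sample class bytes are assumptions made for illustration; a real digest table would be built from the official release JARs.

```python
import hashlib
import io
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fingerprint target: a class shipped in log4j-core (choice of class is an assumption).
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def version_from_pom(zf):
    """Return the version= value from pom.properties, or None if the entry is absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def version_from_hash(zf, known):
    """Look up the SHA-256 of the marker class in a digest -> version table."""
    try:
        digest = hashlib.sha256(zf.read(MARKER)).hexdigest()
    except KeyError:
        return None
    return known.get(digest)

def detect_version(jar_bytes, known):
    """Return (version, method); version is None when neither method matches."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = version_from_pom(zf)
        if version:
            return version, "pom.properties"
        version = version_from_hash(zf, known)
        return version, "hash" if version else "unknown"

def make_jar(class_bytes, pom_version=None):
    """Build a constructed sample JAR in memory (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MARKER, class_bytes)
        if pom_version:
            zf.writestr(POM_PROPS, f"version={pom_version}\n")
    return buf.getvalue()

# Constructed placeholder bytes standing in for the marker class of each release.
SAMPLE_CLASSES = {"2.14.1": b"constructed-class-2.14.1", "2.17.1": b"constructed-class-2.17.1"}
KNOWN = {hashlib.sha256(b).hexdigest(): v for v, b in SAMPLE_CLASSES.items()}
```

A JAR whose marker class matches no entry in the table comes back as `(None, "unknown")`, which a scanner should report as undetermined rather than as a specific affected version.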
