Inspired by the logpresso Scanner, where I was able to contribute some parts :-)
And I have to do some automatic builds and releases with GitHub Actions...
Simple checkout and build via mvn package. GraalVM native images can be created with mvn package -Pnative; for that, GraalVM with the native-image tool must be installed.
This project uses the Maven Git Versioning Extension to automatically set the version numbers. For a flawless experience you need to disable this extension during project import in IntelliJ. Disable it by adding -Dversioning.disable=true to the Maven Importer VM options.
In the release section you can find the JAR for all JRE 8+ environments. You can also download a native binary for Linux, macOS or Windows.
To execute the scanner, simply call java -jar CVE_MavenScanner-<version>.jar -cve <CVE-Number> scanPath, where 'scanPath' is the directory you want to scan. All ZIPs, JARs, WARs and EARs in the directory are scanned (fat JARs are supported as well), and all subdirectories are scanned recursively. Native binaries can be executed without an installed Java; please pick the correct one for your system.
All available CVEs are listed when the scanner is called without parameters.
Attention: after downloading the macOS binary you may need to remove the quarantine attribute. Do this via xattr -d com.apple.quarantine CVE_MavenScanner-mac-amd64.
You get return code 0 when everything is fine, and > 1 if there are findings.
Scan for CVE-2022-42889
Findings: 4
[-] ✅ org.apache.commons:commons-text:1.10.0 in Log4j-Scanner/src/test/resources/commons-text/commons-text-1.10.0.jar
[*] 🔥 org.apache.commons:commons-text:1.9 in Log4j-Scanner/src/test/resources/commons-text/commons-text-1.9.jar
[*] 🔥 org.apache.commons:commons-text:1.8 in Log4j-Scanner/src/test/resources/commons-text/commons-text-1.8.jar
[?] ❓ null in Log4j-Scanner/src/test/resources/commons-text/commons-text_potentially.jar
Process finished with exit code 3
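As an added illustration of what the scan above does (walk a directory, open every ZIP/JAR/WAR/EAR, read the Maven coordinates from META-INF/maven/**/pom.properties, descend into the JARs nested inside a fat JAR, and report each hit with one of the three markers), here is a small stand-alone Python scanner. It is example code written for this page, not the project's own Java implementation: the advisory table, the file-name heuristic behind the "[?] ❓ null" line, the exit-code mapping (0 nothing to report, 2 only uncertain hits, 3 at least one vulnerable hit; the README only states 0 versus > 1) and the helper names are all assumptions. The affected range for CVE-2022-42889 (commons-text 1.5 up to and including 1.9, fixed in 1.10.0) matches the sample output above; the sample JARs are constructed in memory so the demo runs offline.

```python
import io
import itertools
import os
import sys
import zipfile

# Assumed advisory table (constructed for this example): coordinate, first affected, first fixed.
ADVISORIES = {
    "CVE-2022-42889": ("org.apache.commons:commons-text", (1, 5, 0), (1, 10, 0)),
}
ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear")
VULNERABLE, CLEAN, UNKNOWN = "[*] 🔥", "[-] ✅", "[?] ❓"


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); qualifiers such as '-SNAPSHOT' are ignored. None if unparseable."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple((parts + [0, 0, 0])[:3]) if parts else None


def read_pom_properties(zf):
    """Yield (groupId:artifactId, version or None) for every META-INF/maven/**/pom.properties."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if "groupId" in props and "artifactId" in props:
                yield props["groupId"] + ":" + props["artifactId"], props.get("version")


def scan_archive(data, location, cve, findings):
    """Scan one archive given as bytes; recurse into nested archives (the libs inside a fat JAR)."""
    coordinate, first_bad, first_fixed = ADVISORIES[cve]
    artifact_id = coordinate.split(":")[1]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive despite its suffix
    with zf:
        matched = False
        for ga, version in read_pom_properties(zf):
            if ga != coordinate:
                continue
            matched = True
            parsed = parse_version(version) if version else None
            if parsed is None:
                findings.append((UNKNOWN, ga + ":null", location))
            elif first_bad <= parsed < first_fixed:
                findings.append((VULNERABLE, f"{ga}:{version}", location))
            else:
                findings.append((CLEAN, f"{ga}:{version}", location))
        # Assumed heuristic: artifact name in the file name but no Maven coordinates inside
        # (e.g. a relocated or repackaged copy) -> report as uncertain, like the README's "null" line.
        if not matched and artifact_id in os.path.basename(location).lower():
            findings.append((UNKNOWN, "null", location))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), location + "!" + name, cve, findings)


def exit_code_for(findings):
    """Assumed mapping: 0 = nothing to report, 2 = only uncertain hits, 3 = a vulnerable hit."""
    markers = {marker for marker, _, _ in findings}
    return 3 if VULNERABLE in markers else 2 if UNKNOWN in markers else 0


def scan_path(root, cve):
    """Walk 'root' recursively, scanning every ZIP/JAR/WAR/EAR. Returns (findings, exit_code)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, cve, findings)
    return findings, exit_code_for(findings)


def build_jar(coordinate=None, version=None, nested=None):
    """Constructed sample input: an in-memory JAR with optional pom.properties and nested archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if coordinate:
            group, artifact = coordinate.split(":")
            body = f"groupId={group}\nartifactId={artifact}\n" + (f"version={version}\n" if version else "")
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", body)
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Scan four constructed JARs for CVE-2022-42889 without touching the file system."""
    ct = "org.apache.commons:commons-text"
    samples = {
        "commons-text-1.10.0.jar": build_jar(ct, "1.10.0"),
        "commons-text-1.9.jar": build_jar(ct, "1.9"),
        "app-fat.jar": build_jar(nested={"BOOT-INF/lib/commons-text-1.8.jar": build_jar(ct, "1.8")}),
        "commons-text_potentially.jar": build_jar(),
    }
    findings = []
    for name, data in samples.items():
        scan_archive(data, name, "CVE-2022-42889", findings)
    return findings, exit_code_for(findings)


if __name__ == "__main__":
    result, code = scan_path(sys.argv[2], sys.argv[1]) if len(sys.argv) == 3 else demo()
    for marker, coord, where in result:
        print(f"{marker} {coord} in {where}")
    sys.exit(code)
```

Run it as `python scanner.py CVE-2022-42889 scanPath` to scan a directory, or without arguments for the in-memory demo, which prints the four constructed hits (one clean, two vulnerable including the one inside the fat JAR, one uncertain) and exits with 3. Nested archives are read fully into memory, which is fine for a scan of a build output directory but worth remembering on very large EARs.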