Scan log4j in other formats, such as RAR, TAR, EXE, MSI, etc #38
Replies: 5 comments
-
That's a good point, I will add more details on how it works and what it scans.
-
@hvbtup Documentation has been updated, let me know if that should cover it and I will close the issue. I have also added a short rationale for why it doesn't scan these other archive formats. I might add
-
Looks OK to me.
-
Hi @hvbtup, thanks, that is actually very good feedback. I have not considered the use case from a software distributor yet, interesting!
-
@hvbtup I converted this issue to a conversation so it might gain some more visibility. The following project was shared and it looks pretty awesome: https://twitter.com/Darkarnium/status/1470387759743475727 It can scan WAR, EAR, JAR, ZIP, APK, ISO, 7Z, TAR, TGZ, TBZ, RPM, and/or XZ files, so this might be useful for you!
-
I think the documentation should explicitly mention that only JAR, EAR and WAR files are scanned.
For example, rolled-out software often comes in the form of a ZIP file, or RAR, TAR, TAR.GZ (TGZ), TAR.BZ2, or platform-specific file types like an extractable EXE or MSI.
Other programming languages use the ZIP file format as an archive format as well, but with a different suffix, e.g. Python uses the WHL suffix.
Such archive files might contain Java classes as well, probably wrapped in *.JAR archives inside the outer archive.
These file types will not be scanned and I think this should be mentioned.
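The nested-archive case described in this post (a JAR wrapped inside a ZIP-based container such as a wheel, or inside a TGZ), shown as an added illustration. This is not the scanner discussed in the thread and not code posted by anyone here; the marker class path, the suffix lists, the depth and size limits, and the sample archives are all this example's own assumptions, and the fixtures are constructed in memory so it runs offline.

```python
"""Recursively scan nested archives for a log4j-core marker class.

Added illustration for this thread, not the scanner discussed here. The marker
path, suffix lists and size limits are this example's own assumptions.
"""
import io
import sys
import tarfile
import zipfile

# Assumption: log4j-core's JNDI lookup class is the presence indicator we look for.
LOG4J_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Java archives plus formats that are ZIP under another suffix (e.g. Python wheels).
ZIP_SUFFIXES = (".zip", ".jar", ".war", ".ear", ".whl", ".apk")
TAR_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tbz2", ".tar.xz", ".txz")

MAX_DEPTH = 8                  # stop recursing into archives nested deeper than this
MAX_MEMBER_BYTES = 256 << 20   # skip members larger than this (decompression-bomb guard)


def _is_tar(name):
    return name.lower().endswith(TAR_SUFFIXES)


def _is_zip(name, data):
    # Suffix first; fall back to the ZIP end-of-central-directory check so that
    # ZIP-based self-extracting EXEs are still recognised at the top level.
    return name.lower().endswith(ZIP_SUFFIXES) or zipfile.is_zipfile(io.BytesIO(data))


def scan_bytes(name, data, depth=0):
    """Return 'outer!inner!...' paths at which LOG4J_MARKER was found."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    if _is_tar(name):
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    if not m.isfile() or m.size > MAX_MEMBER_BYTES:
                        continue
                    hits += _check_member(f"{name}!{m.name}", m.name,
                                          lambda m=m: tf.extractfile(m).read(), depth)
        except tarfile.TarError:
            pass
    elif _is_zip(name, data):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    hits += _check_member(f"{name}!{info.filename}", info.filename,
                                          lambda info=info: zf.read(info), depth)
        except zipfile.BadZipFile:
            pass
    return hits


def _check_member(path, inner_name, read, depth):
    """Report the marker itself, or descend into a member that is itself an archive."""
    if inner_name == LOG4J_MARKER:
        return [path]
    # Only members whose suffix says "archive" are read; other members are never extracted.
    if _is_tar(inner_name) or inner_name.lower().endswith(ZIP_SUFFIXES):
        return scan_bytes(path, read(), depth + 1)
    return []


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read())


# --- constructed fixtures so the example runs offline ------------------------

def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


def _tgz_bytes(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for n, d in entries.items():
            ti = tarfile.TarInfo(n)
            ti.size = len(d)
            tf.addfile(ti, io.BytesIO(d))
    return buf.getvalue()


def build_samples():
    """Constructed: a wheel wrapping a JAR carrying the marker, and a TGZ with one clean and one affected JAR."""
    affected_jar = _zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                               LOG4J_MARKER: b"\xca\xfe\xba\xbe"})
    clean_jar = _zip_bytes({"com/example/App.class": b"\xca\xfe\xba\xbe"})
    return {
        "mypkg-1.0-py3-none-any.whl": _zip_bytes({"mypkg/__init__.py": b"",
                                                  "mypkg/lib/log4j-core.jar": affected_jar}),
        "release.tgz": _tgz_bytes({"release/lib/app.jar": clean_jar,
                                   "release/lib/log4j-core.jar": affected_jar}),
    }


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = ({p: scan_file(p) for p in targets} if targets
               else {n: scan_bytes(n, d) for n, d in build_samples().items()})
    for name, hits in results.items():
        print(name, "->", hits or "clean")
```

Run it with no arguments to scan the constructed fixtures, or pass file paths to scan real archives. The reported path chains the container names with `!`, so a finding inside a JAR inside a wheel is attributable to the outer distribution file; the depth and per-member size caps keep a hostile or pathological archive from exhausting memory, and members that do not carry an archive suffix are never extracted at all.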