Skip to content

Commit 0661e02

Browse files
juliusmusseaujuliusmusseau
authored
Update README.md
1 parent abbf5b7 commit 0661e02

File tree

1 file changed

+5
-3
lines changed

1 file changed

+5
-3
lines changed

README.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -10,20 +10,22 @@ The samples include shaded jars, [uber jars](https://mergebase.com/blog/software
1010
-- github.com/mergebase/log4j-detector v2021.12.16 (by mergebase.com) analyzing paths (could take a while).
1111
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
1212
/opt/mergebase/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j contains Log4J-2.x >= 2.12.2 _SAFE_ :-)
13+
/opt/mergebase/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.x >= 2.12.2 _SAFE_ :-)
1314
/opt/mergebase/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.x >= 2.16.0 _SAFE_ :-)
14-
/opt/mergebase/log4j-samples/false-hits/log4j-over-slf4j-1.7.32.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
1515
/opt/mergebase/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
1616
/opt/mergebase/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
1717
/opt/mergebase/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ :-| (or did you already remove JndiLookup.class?)
1818
/opt/mergebase/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
1919
/opt/mergebase/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
2020
/opt/mergebase/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
21+
/opt/mergebase/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
2122
/opt/mergebase/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.x >= 2.15.0 _OKAY_ :-|
2223
/opt/mergebase/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
2324
/opt/mergebase/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
25+
/opt/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
26+
/opt/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
2427
/opt/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
25-
/opt/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
28+
/opt/mergebase/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
2629
/opt/mergebase/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
2730
```
2831

29-
Notice our latest scan has two mistakes (see log4j-detector [issue #36](https://github.com/mergebase/log4j-detector/issues/36)): "log4j-over-slf4j-1.7.32.jar" and "log4j-over-slf4j-1.7.25.jar" are not actually Log4J-1.x.

0 commit comments

Comments
 (0)