I'd like to use this tool for scanning a server for any vulnerable jars, which could be hiding in any number of places. I'd like to recommend the behavior be modified to
- also look inside of zip files
- also look inside of war files
- also look inside of jar files
- actually scratch all of those-- just recurse into any archive regardless of the extension if possible
For example, I use a lot of fat-jar deployments where I've just got one big WEB-INF/lib/fat.jar on disk that stores other jar files inside of itself for extraction at run time. Note, I don't mean the classes are shaded in, I mean if you unzip far.jar, you've got full jar files sitting inside of it that were packed in as resources. And If the bullets above (which are really all just archives) were recursively scanned, this would make the tool a lot more powerful to be able to see into hidden jar files that may be still tucked away at scan time. A real life example my hard drive right now is
─┬ lucee.zip
└┬ engine.war
└┬ WEB-INF/lib/lucee.jar
├- bundles/log4j-1.2.17.jar <-- vulnerable
└┬ extensions/EFDEB172-F52E-4D84-9CD1A1F561B3DFC8-2.4.1.33.lex
└─ jars\log4j-1-2-16.jar <-- vulnerable
Yes, that is a real actual example off my hard drive, and yes that last file is a jar inside a zip (with a .lex extension), inside a jar file, inside a war file, inside a zip file. If we can get this tool recusivley digging all the way down into any archive it comes across, it will find that deep vulnerable jar. As it stand now, I'd have to manually unpack all of those layers myself for the scanner to find it.
I'd like to use this tool for scanning a server for any vulnerable jars, which could be hiding in any number of places. I'd like to recommend the behavior be modified to
For example, I use a lot of fat-jar deployments where I've just got one big
WEB-INF/lib/fat.jaron disk that stores other jar files inside of itself for extraction at run time. Note, I don't mean the classes are shaded in, I mean if you unzip far.jar, you've got full jar files sitting inside of it that were packed in as resources. And If the bullets above (which are really all just archives) were recursively scanned, this would make the tool a lot more powerful to be able to see into hidden jar files that may be still tucked away at scan time. A real life example my hard drive right now isYes, that is a real actual example off my hard drive, and yes that last file is a jar inside a zip (with a
.lexextension), inside a jar file, inside a war file, inside a zip file. If we can get this tool recusivley digging all the way down into any archive it comes across, it will find that deep vulnerable jar. As it stand now, I'd have to manually unpack all of those layers myself for the scanner to find it.