Updating vulnerable SHAs

Johannes Spaeth · Johannes Spaeth · commit 839460ff9901 · 2021-12-13T22:22:44.000+01:00
diff --git a/src/main/java/de/codeshield/log4jshell/Log4JDetector.java b/src/main/java/de/codeshield/log4jshell/Log4JDetector.java
@@ -110,12 +110,12 @@ public boolean run(String pathToJarFile) throws IOException {
         DirectoryFileFilter.DIRECTORY
     );
 
-    for (File pomFile : classFiles) {
-      try (FileInputStream is = new FileInputStream(pomFile)) {
+    for (File classFile : classFiles) {
+      try (FileInputStream is = new FileInputStream(classFile)) {
         //Check if a class file matches one of the pre-computed vulnerable SHAs.
         if (ClassDetector.isVulnerableClass(is)) {
           isVulnerable = true;
-          System.err.println("CVE-2021-44228 found declared as dependency in " + pomFile);
+          System.err.println("CVE-2021-44228 found declared as dependency in " + classFile);
         }
       }
     }
diff --git a/src/main/resources/VulnerableClassSHAs.csv b/src/main/resources/VulnerableClassSHAs.csv
@@ -50,6 +50,7 @@ org.apache.logging.log4j.core.net.JndiLookup,a03e538ed25eff6c4fe48aabc5514e5ee68
 org.apache.logging.log4j.core.net.JndiLookup,964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e
 org.apache.logging.log4j.core.net.JndiLookup,9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c
 org.apache.logging.log4j.core.net.JndiLookup,fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29
+org.apache.logging.log4j.core.net.JndiLookup,b5528697fdb3b5b8868d2aae7b130cd04fb5451031edb23d069980657e87be89
 org.apache.logging.log4j.core.net.JndiManager,03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7
 org.apache.logging.log4j.core.net.JndiManager,1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32
 org.apache.logging.log4j.core.net.JndiManager,1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de

Original file line number	Diff line number	Diff line change
`@@ -110,12 +110,12 @@ public boolean run(String pathToJarFile) throws IOException {`
`110`	`110`	`DirectoryFileFilter.DIRECTORY`
`111`	`111`	`);`
`112`	`112`
`113`		`- for (File pomFile : classFiles) {`
`114`		`- try (FileInputStream is = new FileInputStream(pomFile)) {`
	`113`	`+ for (File classFile : classFiles) {`
	`114`	`+ try (FileInputStream is = new FileInputStream(classFile)) {`
`115`	`115`	`//Check if a class file matches one of the pre-computed vulnerable SHAs.`
`116`	`116`	`if (ClassDetector.isVulnerableClass(is)) {`
`117`	`117`	`isVulnerable = true;`
`118`		`- System.err.println("CVE-2021-44228 found declared as dependency in " + pomFile);`
	`118`	`+ System.err.println("CVE-2021-44228 found declared as dependency in " + classFile);`
`119`	`119`	`}`
`120`	`120`	`}`
`121`	`121`	`}`