Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

.jar Files not being fixed with --fix parameter

See original GitHub issue

Using the --fix parameter is not working for the .jar file below:

C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar 1.2.17 POTENTIALLY_VULNERABLE

The output of log4j2-scan.exe (Ver. 2.2.0) looks like this:

C:\Temp\Logpresso\logpresso-log4j2-scan-2.2.0-win64>log4j2-scan.exe --fix "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar"
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.0 (2021-12-18)
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
Scanning directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 0 vulnerable files
Completed in 0.00 seconds

Every hint is highly appreciated.

Thank you.

Issue Analytics

State:
Created 2 years ago
Comments:15 (7 by maintainers)

Top GitHub Comments

1reaction

latency0mscommented, Dec 18, 2021

Use: ./log4j2-scan --scan-log4j1 --fix

1reaction

latency0mscommented, Dec 18, 2021

After --fix has been applied, a new scan shows no mitigation note (mitigated)

Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning drives: C:\


Scanned 75461 directories and 312990 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 98.31 seconds