fox-it/log4j-finder

Documentation should explicitly mention that other archive file types are NOT scanned

hvbtup opened this issue · 4 comments

I think the documentation should explicitly mention that only JAR, EAR and WAR files are scanned.

For example, rolled-out software often comes in the form of a ZIP, RAR, TAR, TAR.GZ (TGZ) or TAR.BZ2 file, or platform-specific file types like an extractable EXE or MSI file.

Other programming languages use the ZIP file format as an archive format as well, but with a different suffix, e.g. Python uses the WHL suffix.

Such archive files might contain Java classes as well, probably wrapped in *.JAR archives inside the outer archive.

These file types will not be scanned and I think this should be mentioned.
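The nesting the post describes (a JAR inside a ZIP inside a TGZ), as an added example that is not part of the issue or of log4j-finder's own code: a small Python walker that descends into ZIP-based containers (ZIP, JAR, WAR, EAR, WHL) and TAR variants and reports every `.class` member at any depth. The suffix lists, the depth bound and the sample bundle it builds are assumptions made for this example.

```python
import io
import tarfile
import zipfile

# Assumed suffix lists: JAR/WAR/EAR/WHL are plain ZIP containers, so one reader covers them all.
ZIP_SUFFIXES = (".zip", ".jar", ".war", ".ear", ".whl")
TAR_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2")

def walk_archive(name, data, path=(), max_depth=8):
    """Yield (path_tuple, bytes) for every regular member, descending into nested archives."""
    # Members are read into memory, never extracted to disk, so there is no path-traversal surface;
    # max_depth bounds recursion so a deeply nested archive cannot run away.
    here = path + (name,)
    lower = name.lower()
    if len(here) > max_depth:
        yield here, data
    elif lower.endswith(ZIP_SUFFIXES):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from walk_archive(info.filename, zf.read(info), here, max_depth)
    elif lower.endswith(TAR_SUFFIXES):
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:  # mode "r" autodetects gz/bz2
            for member in tf.getmembers():
                if member.isfile():
                    yield from walk_archive(member.name, tf.extractfile(member).read(), here, max_depth)
    else:
        yield here, data

def find_classes(name, data):
    """Return 'outer.tgz!inner.zip!lib/x.jar!pkg/Foo.class'-style paths of every .class at any depth."""
    return ["!".join(p) for p, _ in walk_archive(name, data) if p[-1].lower().endswith(".class")]

def build_sample():
    """Constructed sample: a TGZ holding a ZIP holding a JAR holding one class file."""
    jar, bundle, tgz = io.BytesIO(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/example/Lookup.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    with zipfile.ZipFile(bundle, "w") as zf:
        zf.writestr("lib/app.jar", jar.getvalue())
        zf.writestr("README.txt", b"constructed sample, not a real release\n")
    with tarfile.open(fileobj=tgz, mode="w:gz") as tf:
        info = tarfile.TarInfo("release/bundle.zip")
        info.size = len(bundle.getvalue())
        tf.addfile(info, io.BytesIO(bundle.getvalue()))
    return "release.tgz", tgz.getvalue()
```

`find_classes(*build_sample())` reports the class file buried three containers deep; a scanner that opens only JAR, EAR and WAR files would never look inside the outer TGZ or ZIP.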

That's a good point, I will add more details on how it works and what it scans.

@hvbtup Documentation has been updated, let me know if that should cover it and I will close the issue.

I have also added a short rationale why it doesn't scan these other archive formats. I might add .zip later though.

Looks OK to me.
I just stumbled upon this tool today after I wrote a similar tool for internal use on Monday.
In my tool we check the software we delivered, not the software that is running, so the use case is a bit different.

Hi @hvbtup, thanks, that is actually very good feedback. I have not considered the use case from a software distributor yet, interesting!