Documentation should explicitly mention that other archive file types are NOT scanned
hvbtup opened this issue · 4 comments
I think the documentation should explicitly mention that only JAR, EAR and WAR files are scanned.
For example, often a rolled out software comes in the form of a ZIP file or RAR, TAR, TAR.GZ (TGZ), TAR.BZ2 or platform-specific files types like an extractable EXE or MSI files.
Other programming languages use ZIP the file format but with a different suffix as an archive format as well, e.g. Python uses the WHL suffix.
Such archive files might contain Java classes as well, probably wrapped in *.JAR archives inside the outer archive.
These file types will not be scanned and I think this should be mentioned.
That's a good point, I will add more details on how it works and what it scans.
@hvbtup Documentation has been updated, let me know if that should cover it and I will close the issue.
I have also added a short rationale why it doesn't scan these other archive formats. I might add .zip later though.
Looks OK for me.
I just stumbled upon this tool today after I wrote a similar tool for internal use on Monday.
In my tool we check the software we delivered, not the software that is running, so the use case is a bit different.