palantir/log4j-sniffer

Improve detection mechanism

nmiyake opened this issue · 3 comments

Currently, the program identifies vulnerabilities by matching based on file names and classes. However, this could be improved by analyzing the content to detect cases in which JARs are shaded and/or slightly modified by frameworks such as ProGuard.

Roughly:

  • md5 hashing of entire .class file contents to match against published log4j versions
  • md5 hashing of bytecode instructions within .class files to match shaded classes where the package has been changed but everything else remains the same
  • partial matching of bytecode instructions to handle obfuscation or more aggressive shading where e.g. unused methods are deleted

The first of these is now done, with the second two left to do.

#27 implements the second of these 3.
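The second approach in the list above, as an added Python illustration rather than code from this project: a minimal `.class` parser that walks the constant pool (where package and class names live as `CONSTANT_Utf8` entries) and then hashes only the instruction bytes of every `Code` attribute, so a copy whose package was renamed by shading still produces the same digest while a whole-file md5 does not. The two class files are constructed inline; the log4j class name is only an example label.

```python
import hashlib
import struct
# Byte width, after the 1-byte tag, of each fixed-size constant pool entry kind.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def u16(data, pos):
    return struct.unpack(">H", data[pos:pos + 2])[0]

def parse_class(data):
    """Return (Utf8 constants by pool index, list of per-method instruction blobs)."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    pos, cp_count, utf8, i = 10, u16(data, 8), {}, 1
    while i < cp_count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: package/class names live here, so shading rewrites them
            n = u16(data, pos)
            utf8[i], pos = data[pos + 2:pos + 2 + n], pos + 2 + n
        else:
            pos += FIXED[tag]
        i += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    pos += 8 + 2 * u16(data, pos + 6)  # access_flags, this_class, super_class, interfaces
    code_blobs = []
    for _ in ("fields", "methods"):
        count, pos = u16(data, pos), pos + 2
        for _ in range(count):
            attr_count, pos = u16(data, pos + 6), pos + 8  # skip access/name/descriptor
            for _ in range(attr_count):
                name_idx, length = struct.unpack(">HI", data[pos:pos + 6])
                pos += 6
                if utf8.get(name_idx) == b"Code":  # max_stack, max_locals, code_length, code
                    code_len = struct.unpack(">I", data[pos + 4:pos + 8])[0]
                    code_blobs.append(data[pos + 8:pos + 8 + code_len])
                pos += length
    return utf8, code_blobs

def bytecode_digest(data):
    # Approach 2 from the issue: hash instructions only, so renamed packages do not change it.
    return hashlib.md5(b"".join(parse_class(data)[1])).hexdigest()

def build_class(class_name):
    """Constructed sample: one method `int m()` returning 0; only the name varies per build."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = (b"\x07\x00\x02" + utf8(class_name) + b"\x07\x00\x04" + utf8("java/lang/Object")
          + utf8("m") + utf8("()I") + utf8("Code"))
    code = b"\x03\x3c\x1b\xac"  # iconst_0, istore_1, iload_1, ireturn
    code_attr = struct.pack(">HIHHI", 7, 12 + len(code), 1, 2, len(code)) + code + bytes(4)
    method = struct.pack(">HHHH", 0, 5, 6, 1) + code_attr
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 8) + cp
            + struct.pack(">HHHH", 0x21, 1, 3, 0) + bytes(2) + b"\x00\x01" + method + bytes(2))
```

Real log4j classes reference many more constant pool entries from their instructions, but those references are pool indices, not names, which is why this digest survives a package rename while the whole-file md5 (approach 1) does not.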