option to remove problematic classes? #13

Open
4001982248998 opened this issue Dec 16, 2021 · 2 comments

Comments

@4001982248998

Given that the removal of problematic Java classes from files is trivial, it would very much improve this software if it added an option to do so.

# JndiLookup lives in the lookup package, JndiManager in the net package
zip -q -d "$myfile" org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d "$myfile" org/apache/logging/log4j/core/net/JndiManager.class
@yunzheng (Member)

Hi, I'm not sure how high the demand is for this, but personally I would prefer to have this tool "read-only" and to only identify the issue on systems.

I want to avoid the tool breaking something on machines. I'm personally also not a big fan of modifying files, but I did see that this was the general advisory of Apache and I understand this could be easier to fix things faster in production rather than waiting for the vendor to release the proper updates.

Besides that, there could also be edge cases for nested Jar files that might potentially break systems, so I think having this as a "finder"-only tool is better suited unless there is a high demand for it.

@tjyang commented Dec 16, 2021

  • How about only generating the new patched version in the /tmp dir (or another dir)?
    - Then let the app owner do the actual swap and check if the app is OK using the patched .jar in /tmp. This way log4j-finder won't get blamed when switching to the new version is not working.
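The approach suggested above (write a patched copy into a separate directory and leave the original for the app owner to swap in), together with the nested-jar concern raised earlier in the thread, as an added example that is not part of log4j-finder: it removes the JndiLookup.class entry that Apache's mitigation advice names (in the core/lookup package) and descends into archives nested inside the jar. DEFAULT_TARGETS, NESTED_SUFFIXES and the sample jar built by build_sample_jar are assumptions constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path
# Entry named by Apache's mitigation advice; the default here is an assumption.
DEFAULT_TARGETS = frozenset({"org/apache/logging/log4j/core/lookup/JndiLookup.class"})
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def strip_entries(archive, targets=DEFAULT_TARGETS):
    """Return (patched_bytes, removed_paths); descends into nested archives."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in targets:
                removed.append(info.filename)
                continue
            data = src.read(info)
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                data, nested = strip_entries(data, targets)
                removed.extend(f"{info.filename}!/{n}" for n in nested)
            dst.writestr(info, data)  # keeps each entry's compression method and timestamp
    return out.getvalue(), removed

def patch_copy(jar_path, out_dir, targets=DEFAULT_TARGETS):
    """Write the patched copy under out_dir; the original file is never modified."""
    patched, removed = strip_entries(Path(jar_path).read_bytes(), targets)
    out_path = Path(out_dir) / Path(jar_path).name
    out_path.parent.mkdir(parents=True, exist_ok=True)
    out_path.write_bytes(patched)
    return out_path, removed

def build_sample_jar(path):
    """Constructed fixture: an app jar embedding a fake log4j-core jar (no real bytecode)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"fake")
        z.writestr("org/apache/logging/log4j/core/Core.class", b"keep")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")

def demo():
    """Build the fixture, patch a copy beside it, then re-scan original and copy."""
    work = Path(tempfile.mkdtemp())
    sample = work / "app.jar"
    build_sample_jar(sample)
    out_path, removed = patch_copy(sample, work / "patched")
    still_in_original = strip_entries(sample.read_bytes())[1]
    left_in_copy = strip_entries(out_path.read_bytes())[1]
    return removed, still_in_original, left_in_copy
```

Re-scanning both files after patching is the check the app owner wants: the original still reports the entry, the copy reports nothing left to remove.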
