add --no-follow-symlinks

tools/log4shell/README.md

@@ -48,6 +48,13 @@ You can disable these by passing `--ignore-warnings`.
 $ log4shell scan --ignore-warnings <dir1> <dir2> ...
 ```
 
+It can be common to run into symlink'ed jar files, and by default they are resolved. To not have this happen
+use the `--no-follow-symlinks` flag.
+
+```shell
+$ log4shell scan --no-follow-symlinks <dir1> <dir2> ...
+```
+
 You may exclude subdirectories while searching by using `--exclude`. This can be used multiple times in the command to
 exclude multiple subdirectories.
 

tools/log4shell/commands/analyze.go

@@ -28,7 +28,7 @@ func AnalyzeCommand(c *cli.Context, globalBoolFlags map[string]bool) error {
 
 	processArchiveFile := analyze.ProcessArchiveFile
 
-	scanner := scan.NewLog4jDirectoryScanner([]string{}, false, processArchiveFile)
+	scanner := scan.NewLog4jDirectoryScanner([]string{}, false, false, processArchiveFile)
 
 	scannerFindings := scanner.Scan(searchDirs)
 

tools/log4shell/commands/scan.go

@@ -23,7 +23,11 @@ import (
 	"github.com/urfave/cli/v2"
 )
 
-func loadHashLookup(log4jLibraryHashes []byte, versionHashes string, onlyScanArchives bool) (hashLookup types.VulnerableHashLookup, err error) {
+func loadHashLookup(
+	log4jLibraryHashes []byte,
+	versionHashes string,
+	onlyScanArchives bool,
+) (hashLookup types.VulnerableHashLookup, err error) {
 	if versionHashes != "" {
 		hashLookup, err = scan.LoadVersionHashesFromFile(versionHashes)
 		if err != nil {
@@ -59,6 +63,7 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa
 	onlyScanArchives := c.Bool("archives")
 	excludeDirs := c.StringSlice("exclude")
 	versionHashes := c.String("version-hashes")
+	noFollowSymlinks := c.Bool("no-follow-symlinks")
 
 	hashLookup, err := loadHashLookup(log4jLibraryHashes, versionHashes, onlyScanArchives)
 	if err != nil {
@@ -67,7 +72,8 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa
 
 	processArchiveFile := scan.IdentifyPotentiallyVulnerableFiles(scanLog4j1, hashLookup)
 
-	scanner := scan.NewLog4jDirectoryScanner(excludeDirs, onlyScanArchives, processArchiveFile)
+	scanner := scan.NewLog4jDirectoryScanner(
+		excludeDirs, onlyScanArchives, noFollowSymlinks, processArchiveFile)
 
 	scannerFindings := scanner.Scan(searchDirs)
 

tools/log4shell/main.go

@@ -120,6 +120,10 @@ func main() {
 						Name:  "ignore-warnings",
 						Usage: "Do not display warnings, only show findings.",
 					},
+					&cli.BoolFlag{
+						Name:  "no-follow-symlinks",
+						Usage: "Disable the resolution of symlinks while scanning. Note: symlinks might resolve to files outside of the included directories and so this option might be useful if you strictly want to search in said directories.",
+					},
 					&cli.BoolFlag{
 						Name:  "json",
 						Usage: "Display findings in json format.",

tools/log4shell/scan/scan.go

@@ -35,13 +35,20 @@ type Log4jVulnerableDependencyScanner interface {
 type Log4jDirectoryScanner struct {
 	excludeDirs []string
 	onlyScanArchives bool
+	noFollowSymlinks bool
 	processArchiveFile types.ProcessArchiveFile
 }
 
-func NewLog4jDirectoryScanner(excludeDirs []string, onlyScanArchives bool, processArchiveFile types.ProcessArchiveFile) Log4jVulnerableDependencyScanner {
+func NewLog4jDirectoryScanner(
+	excludeDirs []string,
+	onlyScanArchives bool,
+	noFollowSymlinks bool,
+	processArchiveFile types.ProcessArchiveFile,
+) Log4jVulnerableDependencyScanner {
 	return &Log4jDirectoryScanner{
 		excludeDirs: excludeDirs,
 		onlyScanArchives: onlyScanArchives,
+		noFollowSymlinks: noFollowSymlinks,
 		processArchiveFile: processArchiveFile,
 	}
 }
@@ -79,7 +86,7 @@ func (s *Log4jDirectoryScanner) Scan(
 			return
 		}
 
-		if info.Mode() & os.ModeSymlink != 0 {
+		if !s.noFollowSymlinks && info.Mode() & os.ModeSymlink != 0 {
 			// overwrite path and info with the resolved symlink file values
 			path, info, err = util.ResolveSymlinkFilePathAndInfo(path)
 			if err != nil {