--json option doesn't do anything #335

Closed
yanickgirouard opened this issue Dec 16, 2021 · 14 comments

@yanickgirouard

As of version 1.3.0 on Linux (log4shell_1.3.0-log4shell_Linux_x86_64), the --json option doesn't change anything in the output. It's not displayed as json at all.

Example:

[root@7810801a658a tmp]# ./log4shell --json scan /usr/share/elasticsearch/lib
1:45PM ??? Identified vulnerable path
cve: CVE-2021-44228
fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class
hash: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
path: /usr/share/elasticsearch/lib/log4j-core-2.9.1.jar
severity: 10.0
versionInfo: "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1"

@yanickgirouard
Author

EDIT: It works if you put the --json switch after the scan command, but that's not what the help text says when you print it.

@freeqaz
Member

freeqaz commented Dec 16, 2021

Good find! Thanks for reporting this. That is indeed a very subtle bug, so I'm not surprised we didn't catch this.

I'll go in and update the help text docs to reflect this, or maybe make the arguments work in any order. Whichever is easier, probably!

@OlivierMasit

> Good find! Thanks for reporting this. That is indeed a very subtle bug, so I'm not surprised we didn't catch this.
>
> I'll go in and update the help text docs to reflect this, or maybe make the arguments work in any order. Whichever is easier, probably!

How do you specify the json path and filename? I encountered issues. File cannot be created (on Linux and Windows). Thanks in advance.

@factoidforrest
Contributor

I was trying to make the --json flag work anywhere, including AFTER the scan command, which is why the flag is in multiple places in the code. I bet the second flag definition is overwriting the first one. It feels more natural to me to
log4shell scan --json
than
log4shell --json scan
which is how it was previously. Didn't want to break anyone so I left both in. I'll see if I can make it work as it is without changing the UX.

@yanickgirouard
Author

> I was trying to make the --json flag work anywhere, including AFTER the scan command, which is why the flag is in multiple places in the code. I bet the second flag definition is overwriting the first one. It feels more natural to me to log4shell scan --json than log4shell --json scan which is how it was previously. Didn't want to break anyone so I left both in. I'll see if I can make it work as it is without changing the UX.

Makes sense, but then just update the help text so it's clear and that will be it. Whatever works :)

@yanickgirouard
Author

> > Good find! Thanks for reporting this. That is indeed a very subtle bug, so I'm not surprised we didn't catch this.
> > I'll go in and update the help text docs to reflect this, or maybe make the arguments work in any order. Whichever is easier, probably!
>
> How do you specify the json path and filename? I encountered issues. File cannot be created (on Linux and Windows). Thanks in advance.

This is how I do it for now to scan everything on a server and report only what it found: ./log4shell scan --json --output result.json / 2>&1 | grep -v warn

@factoidforrest
Contributor

Looks like an outstanding issue in urfave urfave/cli#585
We are working on it

@OlivierMasit

> > > Good find! Thanks for reporting this. That is indeed a very subtle bug, so I'm not surprised we didn't catch this.
> > > I'll go in and update the help text docs to reflect this, or maybe make the arguments work in any order. Whichever is easier, probably!
> >
> > How do you specify the json path and filename? I encountered issues. File cannot be created (on Linux and Windows). Thanks in advance.
>
> This is how I do it for now to scan everything on a server and report only what it found: ./log4shell scan --json --output result.json / 2>&1 | grep -v warn

Thank you very much!

@breadchris
Contributor

@yanickgirouard are you referring to specific help text or the help text in the cli?

> Makes sense, but then just update the help text so it's clear and that will be it. Whatever works :)

@yanickgirouard
Author

> @yanickgirouard are you referring to specific help text or the help text in the cli?
>
> > Makes sense, but then just update the help text so it's clear and that will be it. Whatever works :)

The cli help from the --help switch

@factoidforrest
Contributor

factoidforrest commented Dec 16, 2021

I think he's saying that it shows the --json flag globally, but the global one doesn't work. That's all. Ideally, both would work. The help text is not the main issue. :)

@yanickgirouard
Author

> I think he's saying that it shows the --json flag globally, but the global one doesn't work. That's all. Ideally, both would work. The help text is not the main issue. :)

That's exactly it. Either make it work for both, or adjust the help text to show the --json switch as a local switch of the scan action. The help currently shows the switch as a global option and the syntax puts it in front of the action. It's just confusing.

@breadchris
Contributor

#342 addresses this issue
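
One way to honour --json both before and after the scan command, as requested in the thread. This is an added example written with Go's standard flag package rather than urfave/cli, not the project's code or the fix in #342; Options, parseArgs and the sample path are hypothetical. A flag in any other position is rejected instead of being silently ignored, so a pipeline that expects JSON does not receive plain text without noticing.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
)

// Options is a hypothetical struct holding what the scan action finally sees.
type Options struct {
	JSON bool
	Path string
}

// parseArgs accepts --json either before or after the "scan" command.
// Each position has its own FlagSet and its own variable, so neither
// definition can shadow the other; the two results are merged at the end.
func parseArgs(args []string) (Options, error) {
	var globalJSON, scanJSON bool
	global := flag.NewFlagSet("log4shell", flag.ContinueOnError)
	global.SetOutput(io.Discard)
	global.BoolVar(&globalJSON, "json", false, "emit JSON output")
	if err := global.Parse(args); err != nil {
		return Options{}, err
	}
	rest := global.Args() // parsing stops at the first non-flag: the command
	if len(rest) == 0 || rest[0] != "scan" {
		return Options{}, errors.New("expected the scan command")
	}
	scan := flag.NewFlagSet("scan", flag.ContinueOnError)
	scan.SetOutput(io.Discard)
	scan.BoolVar(&scanJSON, "json", false, "emit JSON output")
	if err := scan.Parse(rest[1:]); err != nil {
		return Options{}, err
	}
	if scan.NArg() != 1 { // a trailing flag after the path lands here
		return Options{}, errors.New("expected exactly one path to scan")
	}
	return Options{JSON: globalJSON || scanJSON, Path: scan.Arg(0)}, nil
}

func main() {
	// Constructed command lines mirroring the two orderings in the thread.
	fmt.Println(parseArgs([]string{"--json", "scan", "/srv/app/lib"}))
	fmt.Println(parseArgs([]string{"scan", "--json", "/srv/app/lib"}))
}
```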
