--json option doesn't do anything #335
Comments
EDIT: It works if you put the --json switch after the scan command, but that's not what the help text says when you print it.
Good find! Thanks for reporting this. That is indeed a very subtle bug, so I'm not surprised we didn't catch this. I'll go in and update the help text docs to reflect this, or maybe make the arguments work in any order. Whichever is easier, probably!
How do you specify the JSON path and filename? I encountered issues. The file cannot be created (on Linux and Windows). Thanks in advance.
I was trying to make the --json flag work anywhere, including AFTER the scan command, which is why the flag is in multiple places in the code. I bet the second flag definition is overwriting the first one. It feels more natural to me to
Makes sense, but then just update the help text so it's clear and that will be it. Whatever works :)
This is how I do it for now to scan everything on a server and report only what it found:
Looks like an outstanding issue in
Thank you very much!
@yanickgirouard are you referring to specific help text or the help text in the cli?
The cli help from the --help switch
I think he's saying that it shows the --json flag globally, but the global one doesn't work. That's all. Ideally, both would work. The help text is not the main issue. :)
That's exactly it. Either make it work for both, or adjust the help text to show the --json switch as a local switch of the scan action. The help currently shows the switch as a global option and the syntax puts it in front of the action. It's just confusing.
#342 addresses this issue
As of version 1.3.0 on Linux (log4shell_1.3.0-log4shell_Linux_x86_64), the --json option doesn't change anything in the output. It's not displayed as json at all.
Example:
[root@7810801a658a tmp]# ./log4shell --json scan /usr/share/elasticsearch/lib
1:45PM ??? Identified vulnerable path
cve: CVE-2021-44228
fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class
hash: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
path: /usr/share/elasticsearch/lib/log4j-core-2.9.1.jar
severity: 10.0
versionInfo: "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1"
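The "make it work for both" behaviour requested in the comments, as an added example that is not the project's code: it uses Go's standard `flag` package rather than whatever CLI library the tool uses, and the names `parseArgs` and `tool` are hypothetical. It also shows one way a second definition of the same flag can silently clobber the first, which is an illustration and not a confirmed diagnosis of this bug.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
)

// parseArgs accepts --json either before or after the "scan" command.
// Each position gets its own variable: BoolVar writes the default into its
// target when the flag is defined, so binding both definitions to one
// variable would reset a global --json to false when the scan flag is added.
func parseArgs(args []string) (jsonOut bool, paths []string, err error) {
	var globalJSON, scanJSON bool

	// Global flags: parsing stops at the first non-flag argument ("scan").
	global := flag.NewFlagSet("tool", flag.ContinueOnError)
	global.SetOutput(io.Discard)
	global.BoolVar(&globalJSON, "json", false, "emit JSON output")
	if err = global.Parse(args); err != nil {
		return false, nil, err
	}
	rest := global.Args()
	if len(rest) == 0 || rest[0] != "scan" {
		return false, nil, fmt.Errorf("expected the scan command, got %v", rest)
	}

	// Flags local to the scan command, parsed from what follows "scan".
	scan := flag.NewFlagSet("scan", flag.ContinueOnError)
	scan.SetOutput(io.Discard)
	scan.BoolVar(&scanJSON, "json", false, "emit JSON output")
	if err = scan.Parse(rest[1:]); err != nil {
		return false, nil, err
	}

	// Either position turns JSON output on.
	return globalJSON || scanJSON, scan.Args(), nil
}

func main() {
	jsonOut, paths, err := parseArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("json=%v paths=%v\n", jsonOut, paths)
}
```

A regression test that runs the same command line with the flag in both positions catches this class of bug before the help text and the behaviour drift apart.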