engine/java:chore - updating JS-JAVA-150 to match log4j lower than 2.16.0 (#883)

Updated rule HS-JAVA-150 to match log4j when it's lower than 2.16.0. Also made an improvement in the regex to avoid false positives with future versions like 3.0.0.

Signed-off-by: Nathan Martins <nathan.martins@zup.com.br>
(cherry picked from commit 6854a48)
nathanmartinszup committed Dec 17, 2021
1 parent 41f4a69 commit 36c5efc
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions internal/services/engines/java/rules.go
Expand Up @@ -2569,17 +2569,17 @@ func NewVulnerableRemoteCodeInjectionApacheLog4j() text.TextRule {
Metadata: engine.Metadata{
ID: "HS-JAVA-150",
Name: "Remote code injection Apache Log4j",
Description: "Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. For more information checkout the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) advisory.",
Description: "Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. For more information checkout the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) and CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046) advisories.",
Severity: severities.Critical.ToString(),
Confidence: confidence.Medium.ToString(),
},
Type: text.OrMatch,
Expressions: []*regexp.Regexp{
regexp.MustCompile(`compile.*group:.*org\.apache\.logging\.log4j.*name:.*log4j.*version:.*(('|")((2\.([0-9]\.|1[0-4]))|(1\.))).*('|")`),
regexp.MustCompile(`compile.*log4j.*(:((2\.([0-9]\.|1[0-4]))|(1\.))).*('|")`),
regexp.MustCompile(`<groupId>(.*|\n).*org\.apache\.logging\.log4j.*(.*|\n).*<artifactId>.*log4j.*</artifactId>(.*|\n)*(version>((2\.([0-9]\.|1[0-4]))|(1\.)))(.*|\n)*</version>`),
regexp.MustCompile(`<dependency.*org.*org\.apache\.logging\.log4j.*name.*log4j.*rev.*((2\.([0-9]\.|1[0-4]))|(1\.)).*/>`),
regexp.MustCompile(`<(log4j2|log4j)\.version>.*((2\.([0-9]\.|1[0-4]))|(1\.)).*</(log4j2|log4j)\.version>`),
regexp.MustCompile(`compile.*group:.*org\.apache\.logging\.log4j.*name:.*log4j.*version:.*(('|")(2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+)).*('|")`),
regexp.MustCompile(`compile.*log4j.*(:((2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+))).*('|")`),
regexp.MustCompile(`<groupId>(.*|\n).*org\.apache\.logging\.log4j.*(.*|\n).*<artifactId>.*log4j.*</artifactId>(.*|\n)*(version>((2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+)))(.*|\n)*</version>`),
regexp.MustCompile(`<dependency.*org.*org\.apache\.logging\.log4j.*name.*log4j.*rev.*(2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+).*/>`),
regexp.MustCompile(`<(log4j2|log4j)\.version>.*(2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+).*</(log4j2|log4j)\.version>`),
},
}
}
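Review bot: the last two new expressions (the `<dependency ... rev ...` pattern and the `<(log4j2|log4j)\.version>` pattern) drop the parentheses that used to wrap the version alternation, so the `|` now splits the whole regex at the top level. In the `<dependency` line the right-hand alternative is just `([0-1]\.[0-9]+\.[0-9]+).*/>`, which fires on any self-closing XML element carrying a three-part 0.x or 1.x number with no log4j in it at all, and in the `.version` line the left-hand alternative `<(log4j2|log4j)\.version>.*(2\.([0-9]\.|1[0-5]))` no longer requires the closing tag. The first three new expressions keep the wrapping group (`(:((2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+)))`), as all five removed lines did with `((2\.([0-9]\.|1[0-4]))|(1\.))`. Suggest wrapping both the same way: `rev.*((2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+)).*/>` and `\.version>.*((2\.([0-9]\.|1[0-5]))|([0-1]\.[0-9]+\.[0-9]+)).*</(log4j2|log4j)\.version>`. Also, the commit touches only rules.go: since the 1.x branch changed from `(1\.)` to `[0-1]\.[0-9]+\.[0-9]+` and the 2.x bound moved from `1[0-4]` to `1[0-5]`, it would be worth adding test inputs for 2.15.0 (match), 2.16.0 and 2.17.0 (no match), 3.0.0 (no match), and an Ivy `<dependency ... rev="1.0.0"/>` for a non-log4j artifact, which would have caught the grouping issue above.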
