local-spring-vuln-scanner

command module

v0.1.1 Latest Latest Go to latest Published: Mar 31, 2022 License: GPL-3.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hillu/local-spring-vuln-scanner

Links

Open Source Insights

README ¶

Simple local Spring vulnerability scanner

(Written in Go because, you know, "write once, run anywhere.")

This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. The scan happens recursively: WAR files containing WAR files containing JAR files containing vulnerable class files ought to be flagged properly.

The scan tool currently checks for known build artifacts that have been obtained through Maven Central. From-source rebuilds as they are done for Linux distributions may or may not be recognized.

Binaries for x86_64 Windows, Linux, MacOSX for tagged releases are provided via the Releases page.

Using the scanner

$ ./local-spring-vuln-scanner [--verbose] [--quiet] \
    [--exclude /path/to/exclude …] \
	[--scan-network] \
	[--log /path/to/file.log] \
    /path/to/app1 /path/to/app2 …

The --verbose flag will show every .jar and .war file checked, even if no problem is found.

The --quiet flag will supress output except for indicators of a known vulnerability.

The --log flag allows everythig to be written to a log file instead of stdout/stderr.

Use the --exclude flag to exclude subdirectories from being scanned. Can be used multiple times.

The --scan-network flag tells the scanner to search network filesystems (disabled by default). This has not been implemented for Windows.

If class files indicating one of the vulnerabilities are found, messages like the following are printed to standard output:

local-spring-vuln-scanner - a simple local Spring vulnerability scanner

Checking for vulnerabilities: CVE-2022-22965
examining /path/to/spring-boot-0.0.1-SNAPSHOT.jar
indicator for vulnerable component found in /path/to/spring-boot-0.0.1-SNAPSHOT.jar::BOOT-INF/lib/spring-beans-5.3.17.jar (org/springframework/beans/CachedIntrospectionResults.class): CachedIntrospectionResults.class  spring 5.3.0-5.3.17 CVE-2022-22965

Scan finished