implemented scanning for Spring CVEs CVE-2022-22963 and CVE-2022-22965.

README.md

@@ -6,16 +6,16 @@ log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerabilit
 You can integrate log4j2-scan with [Logpresso Watch](https://logpresso.watch) service for reporting and patch management. Visit https://logpresso.watch for details.
 
 ### Download
-* [log4j2-scan 3.0.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-win64.7z)
-* [log4j2-scan 3.0.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-win64.zip)
+* [log4j2-scan 3.1.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.1.0/logpresso-log4j2-scan-3.1.0-win64.7z)
+* [log4j2-scan 3.1.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.1.0/logpresso-log4j2-scan-3.1.0-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 3.0.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-linux.tar.gz)
-* [log4j2-scan 3.0.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-linux-aarch64.tar.gz)
+* [log4j2-scan 3.1.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.1.0/logpresso-log4j2-scan-3.1.0-linux.tar.gz)
+* [log4j2-scan 3.1.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.1.0/logpresso-log4j2-scan-3.1.0-linux-aarch64.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 3.0.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-darwin.zip)
-* [log4j2-scan 3.0.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1.jar)
+* [log4j2-scan 3.1.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.1.0/logpresso-log4j2-scan-3.1.0-darwin.zip)
+* [log4j2-scan 3.1.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.1.0/logpresso-log4j2-scan-3.1.0.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -46,7 +46,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13)
+Logpresso CVE-2021-44228 Vulnerability Scanner 3.1.0 (2022-02-13)
 Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -56,6 +56,8 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
         Enables scanning for log4j 1 versions.
 --scan-logback
         Enables scanning for logback CVE-2021-42550.
+--scan-spring
+        Enables scanning for Spring CVE-2022-22963 and CVE-2022-22965.
 --scan-zip
         Scan also .zip extension files. This option may slow down scanning.
 --zip-charset
@@ -148,7 +150,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-3.0.1.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-3.1.0.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>3.0.1</version>
+	<version>3.1.0</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 
@@ -81,6 +81,36 @@
 				</executions>
 			</plugin>
 		</plugins>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>org.eclipse.m2e</groupId>
+					<artifactId>lifecycle-mapping</artifactId>
+					<version>1.0.0</version>
+					<configuration>
+						<lifecycleMappingMetadata>
+							<pluginExecutions>
+								<pluginExecution>
+									<pluginExecutionFilter>
+										<groupId>org.codehaus.mojo</groupId>
+										<artifactId>flatten-maven-plugin</artifactId>
+										<versionRange>[1.0.0,)</versionRange>
+										<goals>
+											<goal>flatten</goal>
+										</goals>
+									</pluginExecutionFilter>
+									<action>
+										<execute>
+											<runOnIncremental>false</runOnIncremental>
+										</execute>
+									</action>
+								</pluginExecution>
+							</pluginExecutions>
+						</lifecycleMappingMetadata>
+					</configuration>
+				</plugin>
+			</plugins>
+		</pluginManagement>
 	</build>
 
 	<profiles>
@@ -110,5 +140,4 @@
 			</build>
 		</profile>
 	</profiles>
-
 </project>

src/main/java/com/logpresso/scanner/Configuration.java

@@ -36,6 +36,7 @@ public class Configuration {
 	private boolean reportPatch = false;
 	private boolean scanForLog4j1 = false;
 	private boolean scanForLogback = false;
+	private boolean scanForSpring = false;
 	private boolean noEmptyReport = false;
 	private boolean oldExitCode = false;
 	private Charset zipCharset = null;
@@ -75,6 +76,8 @@ public static void pringUsage() {
 		System.out.println("\tEnables scanning for log4j 1 versions.");
 		System.out.println("--scan-logback");
 		System.out.println("\tEnables scanning for logback CVE-2021-42550.");
+		System.out.println("--scan-spring");
+		System.out.println("\tEnables scanning for Spring CVE-2022-22963 and CVE-2022-22965.");
 		System.out.println("--scan-zip");
 		System.out.println("\tScan also .zip extension files. This option may slow down scanning.");
 		System.out.println("--zip-charset");
@@ -217,6 +220,8 @@ public static Configuration parseArguments(String[] args) throws Exception {
 				c.scanForLog4j1 = true;
 			} else if (args[i].equals("--scan-logback")) {
 				c.scanForLogback = true;
+			} else if (args[i].equals("--scan-spring")) {
+				c.scanForSpring = true;
 			} else if (args[i].equals("--help") || args[i].equals("-h")) {
 				pringUsage();
 				System.exit(-1);
@@ -519,6 +524,9 @@ private static void rejectInvalidOptionForRestore(Configuration c) {
 		if (c.isScanForLogback())
 			throw new IllegalArgumentException("Cannot use --restore option with --scan-logback option.");
 
+		if (c.isScanForSpring())
+			throw new IllegalArgumentException("Cannot use --restore option with --scan-spring option.");
+
 		if (c.isFix())
 			throw new IllegalArgumentException("Cannot use --restore option with --fix option.");
 
@@ -692,6 +700,10 @@ public boolean isScanForLogback() {
 		return scanForLogback;
 	}
 
+	public boolean isScanForSpring() {
+		return this.scanForSpring;
+	}
+
 	public boolean isNoEmptyReport() {
 		return noEmptyReport;
 	}

src/main/java/com/logpresso/scanner/DetectResult.java

@@ -6,6 +6,7 @@ public class DetectResult {
 	private boolean potentiallyVulnerableLog4j2 = false;
 	private boolean potentiallyVulnerableLog4j1 = false;
 	private boolean potentiallyVulnerableLogback = false;
+	private boolean potentiallyVulnerableSpring = false;
 	private boolean nestedJar = false;
 
 	public void merge(DetectResult result) {
@@ -14,6 +15,7 @@ public void merge(DetectResult result) {
 		potentiallyVulnerableLog4j1 |= result.isPotentiallyVulnerableLog4j1();
 		potentiallyVulnerableLog4j2 |= result.isPotentiallyVulnerableLog4j2();
 		potentiallyVulnerableLogback |= result.isPotentiallyVulnerableLogback();
+		potentiallyVulnerableSpring |= result.isPotentiallyVulnerableSpring();
 		nestedJar = true;
 	}
 
@@ -57,6 +59,14 @@ public void setPotentiallyVulnerableLogback() {
 		this.potentiallyVulnerableLogback = true;
 	}
 
+	public boolean isPotentiallyVulnerableSpring() {
+		return this.potentiallyVulnerableSpring;
+	}
+
+	public void setPotentiallyVulnerableSpring() {
+		this.potentiallyVulnerableSpring = true;
+	}
+
 	public boolean hasNestedJar() {
 		return nestedJar;
 	}
@@ -76,11 +86,11 @@ else if (isPotentiallyVulnerable())
 	}
 
 	public boolean isPotentiallyVulnerable() {
-		return potentiallyVulnerableLog4j2 || potentiallyVulnerableLog4j1 || potentiallyVulnerableLogback;
+		return potentiallyVulnerableLog4j2 || potentiallyVulnerableLog4j1 || potentiallyVulnerableLogback || potentiallyVulnerableSpring;
 	}
 
 	public boolean isFixRequired() {
 		// Don't touch potentially vulnerable log4j2
-		return vulnerable || potentiallyVulnerableLog4j1 || potentiallyVulnerableLogback;
+		return vulnerable || potentiallyVulnerableLog4j1 || potentiallyVulnerableLogback || potentiallyVulnerableSpring;
 	}
 }