Report CVEs identified

Updates jar.Parse to return the specific CVEs identified during the
scan.

To ensure that refactoring of detection logic is correct, I've tested
this on a corpus of all log4j2 releases through 2.16.0 and verified
that there are no false positives or false negatives.

Author: singlethink

jar/jar.go

@@ -48,6 +48,18 @@ const (
 	jndiLookupClass  = "JndiLookup.class"
 )
 
+// CVEs detected. We define them as constants to catch typos.
+const (
+	cve_2021_44228 cveID = "CVE-2021-44228" // JNDI
+	cve_2021_45046 cveID = "CVE-2021-45046" // Thread Context Lookup
+)
+
+type cveID string
+
+func (id cveID) String() string {
+	return string(id)
+}
+
 // Parser allows tuning paramters of a vulnerable log4j scan.  The
 // zero value provides reasonable defaults.
 type Parser struct {
@@ -101,8 +113,15 @@ func (p *Parser) Parse(r *zip.Reader) (*Report, error) {
 	if err := c.checkJAR(r, 0, 0, p.Name); err != nil {
 		return nil, fmt.Errorf("failed to check JAR: %v", err)
 	}
+
+	var vs []*Vuln
+	for _, id := range c.cves() {
+		vs = append(vs, &Vuln{CVE: id.String()})
+	}
+
 	return &Report{
 		Vulnerable: c.bad(),
+		Vulns:      vs,
 		MainClass:  c.mainClass,
 		Version:    c.version,
 	}, nil
@@ -116,12 +135,21 @@ type Report struct {
 	// Note that this package considers the 2.15.0 versions vulnerable.
 	Vulnerable bool
 
+	// Vulns gives details on the individual vulnerabilities detected.
+	Vulns []*Vuln
+
 	// MainClass and Version are information taken from the MANIFEST.MF file.
 	// Version indicates the version of JAR, NOT the log4j package.
 	MainClass string
 	Version   string
 }
 
+// Vuln reports details of a vulnerability detected.
+type Vuln struct {
+	// CVE is the CVE ID of the vulnerability.
+	CVE string
+}
+
 // Parse traverses a JAR file, attempting to detect any usages of
 // vulnerable log4j versions.
 func Parse(r *zip.Reader) (*Report, error) {
@@ -223,29 +251,55 @@ func (c *checker) done() bool {
 	return c.bad() && c.mainClass != ""
 }
 
-func (c *checker) bad() bool {
-	// Care must be taken in the formulae below with respect to the
-	// !c.hasIsJndiEnabled clause.  It is satisfied by default until
-	// JndiManager.class is encountered.  To prevent early termination of a
-	// scan with an incorrect result, we have to ensure that we have already
-	// encountered JndiManager.class (e.g. hasJndiManager*) or we have
-	// encountered positive evidence that it will be absent
-	// (i.e. log4j <2.1).
-
+// Vulnerability signatures.
+// Note: Care must be taken in the formulae below with respect to the
+// !c.hasIsJndiEnabled clause.  It is satisfied by default until
+// JndiManager.class is encountered.  To prevent early termination of
+// a scan with an incorrect result, we have to ensure that we have
+// already encountered JndiManager.class (e.g. hasJndiManager*) or we
+// have encountered positive evidence that it will be absent
+// (i.e. log4j <2.1).
+var sigs = map[cveID]func(*checker) bool{
 	// CVE-2021-44228 - Initial log4shell vulnerability affecting
 	// Log4j2 2.0-beta9 through 2.12.1 (inclusive, 2.12.2 is not
 	// vulnerable) and 2.13.0 through 2.15.0 (exclusive).
-	vulnerablePre215 := c.hasLookupClass && // unpatched >=2.0-beta9 and
-		(c.hasInitialContext || // <2.1
-			c.hasJndiManagerPre215) && // >=2.1 && <2.15 and
-		!c.hasIsJndiEnabled // <2.16 && !2.12.2
+	cve_2021_44228: func(c *checker) bool {
+		return c.hasLookupClass && // unpatched >=2.0-beta9 and
+			(c.hasInitialContext || // <2.1
+				c.hasJndiManagerPre215) && // >=2.1 && <2.15 and
+			!c.hasIsJndiEnabled // <2.16 && !2.12.2
+	},
+
+	// CVE-2021-45046 - Thread Context Lookup Pattern
+	// vulnerability affects all Log4j2 versions >=2.0-beta9 and
+	// <=2.15.0, except for 2.12.2.
+	// See: https://logging.apache.org/log4j/2.x/security.html
+	cve_2021_45046: func(c *checker) bool {
+		return c.hasLookupClass && // unpatched >=2.0-beta9 and
+			(c.hasInitialContext || // <2.1
+				c.hasJndiManagerClass) && // >=2.1 and
+			!c.hasIsJndiEnabled // <2.16 && !2.12.2
+	},
+}
 
-	// CVE-2021-45046 - Log4j2 2.15.0
-	vulnerable215 := c.hasLookupClass && // unpatched >=2.0-beta9 and
-		c.hasJndiManagerClass && // >=2.1 and
-		!c.hasIsJndiEnabled // <2.16 && !2.12.2
+func (c *checker) bad() bool {
+	for _, s := range sigs {
+		if s(c) {
+			return true
+		}
+	}
+
+	return false
+}
 
-	return vulnerablePre215 || vulnerable215
+func (c *checker) cves() []cveID {
+	var ids []cveID
+	for id, sig := range sigs {
+		if sig(c) {
+			ids = append(ids, id)
+		}
+	}
+	return ids
 }
 
 const bufSize = 4 << 10 // 4 KiB

jar/jar_test.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -33,54 +34,181 @@ func TestParse(t *testing.T) {
 	testCases := []struct {
 		filename string
 		wantBad  bool
+		wantCVEs []cveID
 	}{
-		{"400mb.jar", false},
-		{"400mb_jar_in_jar.jar", false},
-		{"arara.jar", true},
-		{"arara.jar.patched", false},
-		{"arara.signed.jar", true},
-		{"arara.signed.jar.patched", false},
-		{"log4j-core-2.0-beta9.jar", true},
-		{"log4j-core-2.12.1.jar", true},
-		{"log4j-core-2.12.1.jar.patched", false},
+		{
+			filename: "400mb.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "400mb_jar_in_jar.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "arara.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "arara.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "arara.signed.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "arara.signed.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "log4j-core-2.0-beta9.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "log4j-core-2.12.1.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "log4j-core-2.12.1.jar.patched",
+			wantBad:  false,
+		},
 		// log4j 2.12.2 is not affected by log4shell.
 		// See: https://logging.apache.org/log4j/2.x/security.html
-		{"log4j-core-2.12.2.jar", false},
-		{"log4j-core-2.14.0.jar", true},
-		{"log4j-core-2.14.0.jar.patched", false},
-		{"log4j-core-2.15.0.jar", true},
-		{"log4j-core-2.15.0.jar.patched", false},
-		{"log4j-core-2.16.0.jar", false},
-		{"log4j-core-2.1.jar", true},
-		{"log4j-core-2.1.jar.patched", false},
-		{"safe1.jar", false},
-		{"safe1.signed.jar", false},
+		{
+			filename: "log4j-core-2.12.2.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "log4j-core-2.14.0.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "log4j-core-2.14.0.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "log4j-core-2.15.0.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_45046},
+		},
+		{
+			filename: "log4j-core-2.15.0.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "log4j-core-2.16.0.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "log4j-core-2.1.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "log4j-core-2.1.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "safe1.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "safe1.signed.jar",
+			wantBad:  false,
+		},
 		// Archive contains a malformed directory that causes archive/zip to
 		// return an error.
 		// See https://go.dev/issues/50390
-		{"selenium-api-3.141.59.jar", false},
+		{
+			filename: "selenium-api-3.141.59.jar",
+			wantBad:  false,
+		},
 		// Test case where it contains a JndiLookupOther.class file that shouldn't be detected as vulnerable
-		{"similarbutnotvuln.jar", false},
-		{"vuln-class.jar", true},
-		{"vuln-class-executable", true},
-		{"vuln-class.jar.patched", false},
-		{"good_jar_in_jar.jar", false},
-		{"good_jar_in_jar_in_jar.jar", false},
-		{"bad_jar_in_jar.jar", true},
-		{"bad_jar_in_jar.jar.patched", false},
-		{"bad_jar_in_jar_in_jar.jar", true},
-		{"bad_jar_in_jar_in_jar.jar.patched", false},
-		{"bad_jar_with_invalid_jar.jar", true},
-		{"bad_jar_with_invalid_jar.jar.patched", false},
-		{"good_jar_with_invalid_jar.jar", false},
-		{"helloworld-executable", false},
-		{"helloworld.jar", false},
-		{"helloworld.signed.jar", false},
+		{
+			filename: "similarbutnotvuln.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "vuln-class.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "vuln-class-executable",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "vuln-class.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "good_jar_in_jar.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "good_jar_in_jar_in_jar.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "bad_jar_in_jar.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "bad_jar_in_jar.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "bad_jar_in_jar_in_jar.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "bad_jar_in_jar_in_jar.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "bad_jar_with_invalid_jar.jar",
+			wantBad:  true,
+			wantCVEs: []cveID{cve_2021_44228, cve_2021_45046},
+		},
+		{
+			filename: "bad_jar_with_invalid_jar.jar.patched",
+			wantBad:  false,
+		},
+		{
+			filename: "good_jar_with_invalid_jar.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "helloworld-executable",
+			wantBad:  false,
+		},
+		{
+			filename: "helloworld.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "helloworld.signed.jar",
+			wantBad:  false,
+		},
 
 		// Ensure robustness to zip bombs from
 		// https://www.bamsoftware.com/hacks/zipbomb/.
-		{"zipbombs/zbsm_in_jar.jar", false},
-		{"zipbombs/zbsm.jar", false},
+		{
+			filename: "zipbombs/zbsm_in_jar.jar",
+			wantBad:  false,
+		},
+		{
+			filename: "zipbombs/zbsm.jar",
+			wantBad:  false,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.filename, func(t *testing.T) {
@@ -92,11 +220,15 @@ func TestParse(t *testing.T) {
 			defer zr.Close()
 			report, err := Parse(&zr.Reader)
 			if err != nil {
-				t.Fatalf("Scan() returned an unexpected error, got %v, want nil", err)
+				t.Fatalf("Parse() returned an unexpected error, got %v, want nil", err)
 			}
 			got := report.Vulnerable
 			if tc.wantBad != got {
-				t.Errorf("checkJAR() returned unexpected value, got bad=%t, want bad=%t", got, tc.wantBad)
+				t.Errorf("Parse() returned unexpected value, got bad=%t, want bad=%t", got, tc.wantBad)
+			}
+
+			if diff := cmp.Diff(tc.wantCVEs, vulnIDs(report.Vulns), cmpopts.EquateEmpty(), cmpopts.SortSlices(cveIDLess)); diff != "" {
+				t.Errorf("Parse() returned unexpected Vulns, diff (-want +got):\n%s", diff)
 			}
 		})
 	}
@@ -417,3 +549,18 @@ func (f *faultReader) Read(b []byte) (int, error) {
 	}
 	return n, err
 }
+
+// vulnIDs extracts the cveIDs from an array of Vulns.
+func vulnIDs(vs []*Vuln) []cveID {
+	var ids []cveID
+	for _, v := range vs {
+		ids = append(ids, cveID(v.CVE))
+	}
+	return ids
+}
+
+// cveIDLess returns true if a comes lexically before b.  It can be
+// used with cmpopts.SortSlices.
+func cveIDLess(a, b cveID) bool {
+	return strings.Compare(a.String(), b.String()) < 0
+}