spring4shell-detect

command module

v1.0.0 Latest Latest Go to latest Published: Mar 31, 2022 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/whitesource/spring4shell-detect

Links

Open Source Insights

README ¶

Spring4Shell Detect

WhiteSource spring4shell Detect is a free CLI tool that quickly scans your projects to find vulnerable Spring4shell versions containing the following known CVEs:

CVE-2022-22963
CVE-2022-22965

It provides the exact path to direct and indirect dependencies, along with the fixed version for speedy remediation.

The supported packages managers are:

gradle
maven
bundler

In addition, the tool will search for vulnerable files with the .jar,.gem extensions.

Prerequisites:

Download the spring4shell-detect binary based on your OS platform (see installation steps below)

NOTE

For mac users, if the following message appears: "spring4shell-detect can't be opened because Apple cannot check it for malicious software", please follow the steps described here
The relevant binaries must be installed for the scan to work, i.e:
- gradle if the scanned project is a gradle project (contains a settings.gradle or a build.gradle file)
- mvn if the scanned project is a maven project (contains a pom.xml file)
- ruby/jruby and gem/jgem if the scanned project is a bundler project (contains a Gemfile.lock/gems.locked file)
Building the projects before scanning will improve scan time and reduce potential scan errors
- maven projects must be built prior to scanning, e.g. with the following command:
```
mvn install
```
- bundler projects must be built prior to scanning, e.g. with the following command:
```
jbundler install
```
- It is not necessary to run gradle build prior to scanning a gradle project, but that will greatly decrease the scan time

Usage

In order to scan your project, simply run the following command:

spring4shell-detect scan -d PROJECT_DIR

The folder can include source code that uses supported package managers in the project, as well binaries with the supported extensions mentioned above. It may error if it's run in a location which has protected folders it cannot access, such as Windows system folders.

Installation

Linux

ARCH=amd64 # or ARCH=arm64
wget "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-linux-$ARCH.tar.gz"
tar -xzvf spring4shell-detect-1.0.0-linux-$ARCH.tar.gz
chmod +x spring4shell-detect
./spring4shell-detect -h

Mac

ARCH=amd64 # or ARCH=arm64 
wget "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-darwin-$ARCH.tar.gz"
tar -xzvf spring4shell-detect-1.0.0-darwin-$ARCH.tar.gz
chmod +x spring4shell-detect
./spring4shell-detect -h

Windows

Invoke-WebRequest -Uri "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-windows-amd64.zip" -OutFile "spring4shell-detect.zip"
Expand-Archive -LiteralPath 'spring4shell-detect.zip'
cd spring4shell-detect
.\spring4shell-detect.exe -h

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
clioptions
clioptions/settings
scan
util
fs
match
hash
operations
fs
gradle
maven
ruby
records
screening
fs
gradle
maven
ruby
supplements
utils
exec

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL