bit-booster.com

Results: 23 comments by bit-booster.com

Hiya! We're an SCA startup (mergebase.com) and we produce SPDX SBOM for our customers. Would love to put release dates in the SBOM. We have the data! Helps customers...

Very good point! In that example we're using "youngest timestamp among all files inside the jar file downloaded from maven-central" which generally correlates to within 72 hours of the Apache...
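The heuristic described in the comment above (take the newest entry timestamp inside the jar as an approximation of its release date) as an added Python example; this is not the commenter's or MergeBase's code, and the jar it reads is constructed in memory with made-up entry names and dates rather than downloaded from Maven Central:

```python
import io
import zipfile
from datetime import datetime
from typing import Optional


def build_sample_jar() -> bytes:
    """Constructed sample input: a tiny jar-like zip whose entries carry
    different modification times. A real scanner would read jars from disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # (entry name, DOS date_time tuple, payload) -- all hypothetical
        entries = [
            ("META-INF/MANIFEST.MF", (2021, 12, 13, 9, 0, 0), b"Manifest-Version: 1.0\n"),
            ("org/example/Foo.class", (2021, 12, 12, 23, 30, 0), b"\xca\xfe\xba\xbe"),
            ("org/example/Bar.class", (2021, 12, 13, 11, 45, 0), b"\xca\xfe\xba\xbe"),
        ]
        for name, dt, payload in entries:
            info = zipfile.ZipInfo(name, date_time=dt)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


def youngest_entry_time(jar_bytes: bytes) -> Optional[datetime]:
    """Return the newest ("youngest") modification time among all file entries
    in the archive, or None if the archive contains no files.

    Zip entry times are DOS timestamps: 2-second resolution, no timezone, and
    freely settable by whoever built the jar, so treat the result as a hint."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        times = [datetime(*info.date_time) for info in zf.infolist() if not info.is_dir()]
    return max(times) if times else None


if __name__ == "__main__":
    print(youngest_entry_time(build_sample_jar()))
```

Reproducible builds often stamp every entry with a fixed date (Maven's `project.build.outputTimestamp`, or the 1980-01-01 DOS epoch), in which case the youngest timestamp says nothing about the release date; a scanner that uses this heuristic should fall back to Maven Central metadata for such jars.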

You can scan every file for the zip magic-number. If it contains this byte sequence anywhere, then there's a very good chance you've got a zip file. Here's my Java...

@no-identd - his code is a bit different, since he's detecting zlib compression, whereas I am trying to detect zip files (which include an index, whereas zlib compression only compresses...
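The two detection ideas in the comments above (scan a file for the zip local-file-header magic number anywhere in its bytes, and note that a zlib stream is a different thing with no index) as an added Python example; the commenter's own code is in Java and is not reproduced here, and the zip, prefixed zip and zlib inputs below are constructed inline:

```python
import io
import zipfile
import zlib

# Local file header signature 0x04034b50 (little-endian "PK\x03\x04").
# A completely empty archive has only the end-of-central-directory
# record "PK\x05\x06" and no local headers; it also contains no classes,
# so not matching it is fine for a classpath scanner.
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def find_zip_magic(data: bytes) -> int:
    """Offset of the first zip local-file-header signature anywhere in data,
    or -1. Scanning the whole buffer rather than only offset 0 catches
    archives with a prefix, e.g. an executable jar with a shell stub in front."""
    return data.find(ZIP_LOCAL_HEADER)


def looks_like_zlib_stream(data: bytes) -> bool:
    """RFC 1950 zlib header: CMF low nibble is method 8 (deflate), CMF high
    nibble (window size) is at most 7, and CMF*256+FLG is a multiple of 31.
    A zlib stream has no central directory and no file names, so it is not
    a zip even though both use deflate internally."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def classify(data: bytes) -> str:
    """Hypothetical helper: 'zip' if a local header is present anywhere,
    'zlib' if the bytes start with a valid zlib header, else 'other'."""
    if find_zip_magic(data) >= 0:
        return "zip"
    if looks_like_zlib_stream(data):
        return "zlib"
    return "other"


def build_sample_zip(prefix: bytes = b"") -> bytes:
    """Constructed sample: a one-entry zip, optionally with bytes prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe")
    return prefix + buf.getvalue()


def build_sample_zlib() -> bytes:
    """Constructed sample: a bare zlib stream (default level gives header 78 9C)."""
    return zlib.compress(b"not a zip, just deflated text\n" * 4)


if __name__ == "__main__":
    print(classify(build_sample_zip()))                      # zip
    print(classify(build_sample_zip(b"#!/bin/sh\n")))        # zip (at offset 10)
    print(classify(build_sample_zlib()))                     # zlib
    print(classify(b"plain text"))                           # other
```

The zlib header check is only two bytes, so roughly one random 2-byte prefix in a thousand passes it; it is useful for explaining why a file is not a zip, not as proof that it is a zlib stream. The zip scan is the one that matters for the classpath question: if `find_zip_magic` returns -1, Java cannot open the file as a jar regardless of its extension.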

Because it's best to upgrade to 2.17.0! I could change the exit codes for 2.15.0 to 15 and 2.16.0 to 16 - what do you think? Or add an...

I will look into this Github releases thing (never used it before). In the meantime I am creating tags that correspond to each release, so you can use those to...

The "no magic number" warnings are definitely safe to ignore (means the file is not a zip despite its name, and thus cannot end up in Java's classpath). Are you...

Yes, the tool now prints zero bytes to STDOUT if *no bad log4j versions are found*. And exits with exit-code zero (success). You can use "--json" mode if you'd like...

There is a new --exclude option available. Could do --exclude=["/dev", "/proc"]. Also, later versions might be fine regardless since the scanner looks at the filename now before attempting to read...