log4j-remediation-tools icon indicating copy to clipboard operation
log4j-remediation-tools copied to clipboard

Published 20 hours ago verified publisher icon stripe

Error trying to execute confirm-vulnerabilities

Open eRaMvn opened this issue 2 years ago • 0 comments

Hi, thank you for creating this tool. I had errors when I tried to run

java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar

The error is

18:38:14 ❯ java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar 
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Please consider reporting this to the maintainers of com.stripe.log4j.isitvuln.ProcessInfo
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited

When I tried --illegal-access=permit, same problem. When I tried --illegal-access=warn, I got

18:38:33 ❯ java --illegal-access=warn -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to method sun.management.VMManagementImpl.getProcessId()
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited

I was able to build with maven without any issue

[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar with /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT-shaded.jar
[INFO] Dependency-reduced POM written at: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/dependency-reduced-pom.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.659 s
[INFO] Finished at: 2021-12-17T18:15:41-08:00
[INFO] ------------------------------------------------------------------------

I am not sure if I am missing anything.

Thank you

eRaMvn avatar Dec 18 '21 02:12 eRaMvn