Yang, BongYeol (xeraph)

67 comments of Yang, BongYeol (xeraph)

@markus8899 Scanner does not fix logback. I cannot ensure that it is safe to remove `ch/qos/logback/classic/util/JNDIUtil.class`. If you do it manually, you would see a mitigated report.

No. For simplicity, the scanner shows only the most significant vulnerability.

@JStevens1855 Scanner does mark log4j 2.16.0 as vulnerable.

```
cmd> java -jar logpresso-log4j2-scan-2.8.1.jar d:\tmp2\log4j-core-2.16.0.jar
Logpresso CVE-2021-44228 Vulnerability Scanner 2.8.1 (2022-01-27)
Scanning directory: d:\tmp2\log4j-core-2.16.0.jar
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in...
```

@JStevens1855 > Yeah not sure why but rescanned with 2.8.1 and the file came back with "Log4j 2","N/A","[CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q)","POTENTIALLY_VULNERABLE","","2022-02-01 10:39:40" Is this the behavior if it can't identify what the log4j...

@JStevens1855 Would you test the v2.9.1 release? I added 55 MD5 hashes to resolve this issue. It accurately detects the Log4j 2.x version without a pom.properties file.

@JStevens1855 Would you send me that newrelic.jar file? You can change the file extension to zip and upload it here, or share a box.com link.

@thl-cmk Oh, I missed the hash for the log4j 1.2.17 version. Thank you!

@JStevens1855 Found newrelic.jar at https://download.newrelic.com/newrelic/java-agent/newrelic-agent/current/newrelic.jar and added its MD5 hash. Would you test the v2.9.2 release?

@WWIJP Use the `[?]` sign for identification. For example: `[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in d:\tmp2\log4j-1.2.11.jar, log4j N/A (mitigated)`