Skip to content

Instantly share code, notes, and snippets.

@akhil-reni
Last active December 12, 2021 11:19
Show Gist options
  • Save akhil-reni/571f64aa63b376bf88a04d8cb5e293e4 to your computer and use it in GitHub Desktop.
Save akhil-reni/571f64aa63b376bf88a04d8cb5e293e4 to your computer and use it in GitHub Desktop.
Parse MVN dependency for Log4j2
from xml.etree import ElementTree
import re
from packaging import version
pattern = "\{(.*?)\}"
def stripNs(el):
if el.tag.startswith("{"):
el.tag = el.tag.split('}', 1)[1] # strip namespace
for k in el.attrib.keys():
if k.startswith("{"):
k2 = k.split('}', 1)[1]
el.attrib[k2] = el.attrib[k]
del el.attrib[k]
for child in el:
stripNs(child)
return el
def parse_pom(pom_file_path="./sample-pom.xml"):
POM_FILE = pom_file_path
namespaces = {'xmlns': 'http://maven.apache.org/POM/4.0.0'}
tree = ElementTree.parse(POM_FILE)
root = tree.getroot()
properties = root.find(".//xmlns:properties", namespaces=namespaces)
_properties_dict = {}
if properties:
for property in properties.getchildren():
_properties_dict[stripNs(property).tag] = property.text
print(_properties_dict)
deps = root.findall(".//xmlns:dependency", namespaces=namespaces)
_deps_dict = {}
for d in deps:
_dep_version = d.find("xmlns:version", namespaces=namespaces).text
if _dep_version.startswith("${"):
substring = re.search(pattern, _dep_version).group(1)
if substring in _properties_dict:
_deps_dict[d.find(
"xmlns:artifactId", namespaces=namespaces).text] = _properties_dict[substring]
else:
_deps_dict[d.find("xmlns:artifactId",
namespaces=namespaces).text] = None
else:
_deps_dict[d.find("xmlns:artifactId", namespaces=namespaces).text] = d.find(
"xmlns:version", namespaces=namespaces).text
return _deps_dict
def scan():
deps = parse_pom()
if "log4j" in deps:
if version.parse(deps["log4j"]) >= version.parse('2.0.0-beta9') or version.parse(deps["log4j"]) <= version.parse('2.14.1'):
print("Vulnerable")
return True
if "log4j-api" in deps:
if version.parse(deps["log4j-api"]) >= version.parse('2.0.0-beta9') or version.parse(deps["log4j-api"]) <= version.parse('2.14.1'):
print("Vulnerable")
return True
if "log4j-core" in deps:
if version.parse(deps["log4j-core"]) >= version.parse('2.0.0-beta9') or version.parse(deps["log4j-core"]) <= version.parse('2.14.1'):
print("Vulnerable")
return True
if "log4j-slf4j-impl" in deps:
if version.parse(deps["log4j-slf4j-impl"]) >= version.parse('2.0.0-beta9') or version.parse(deps["log4j-slf4j-impl"]) <= version.parse('2.14.1'):
print("Vulnerable")
return True
print(scan())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment