
The essence is: https://github.com/google/log4jscanner/blob/main/jar/jar.go

this is the decision logic:

    func (c *checker) bad() bool {
        return (c.hasLookupClass && c.hasOldJndiManagerConstructor) || (c.hasLookupClass && c.seenJndiManagerClass && !c.isAtLeastTwoDotSixteen)
    }




It is a lot of code for just that.


I’d argue that the convenience of this tool isn’t just the fact that it can tell a class/jar is “bad”, but the convenience of being able to automatically scan the filesystem to do that.

And most of the code I see is about walking the filesystem, unzipping jars, walking the files inside the jars.

Most codebases have this kind of plumbing all the time.
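An added example, not code from log4jscanner or from either commenter, that puts the bad() decision logic quoted above next to the jar-walking plumbing the reply describes: it reads an in-memory jar, recurses into nested jars (fat/uber jars) with a depth and inflate-size cap, and sets the two flags that can be derived from entry names alone. The two flags the real tool derives from JndiManager bytecode (hasOldJndiManagerConstructor, isAtLeastTwoDotSixteen) are left false here, which is an assumption of this example, and the filesystem walk of the real tool is replaced by a byte slice.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io"
	"strings"
)
// checker mirrors the four flags behind log4jscanner's bad(). Only the two name-based flags
// are set here; the two the real tool derives from JndiManager bytecode stay false (an
// assumption of this example), so any jar carrying both classes is flagged regardless of version.
type checker struct {
	hasLookupClass, hasOldJndiManagerConstructor bool
	seenJndiManagerClass, isAtLeastTwoDotSixteen bool
}
func (c *checker) bad() bool {
	return (c.hasLookupClass && c.hasOldJndiManagerConstructor) ||
		(c.hasLookupClass && c.seenJndiManagerClass && !c.isAtLeastTwoDotSixteen)
}
const maxDepth, maxInner = 8, 64 << 20 // nesting limit; inflate cap per nested jar
// walk visits every entry of an in-memory jar, recursing into nested (fat/uber) jars.
func walk(c *checker, data []byte, depth int) error {
	if depth > maxDepth { return errors.New("jar nested too deeply") }
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil { return err }
	for _, f := range zr.File {
		switch {
		case f.Name == "org/apache/logging/log4j/core/lookup/JndiLookup.class":
			c.hasLookupClass = true
		case f.Name == "org/apache/logging/log4j/core/net/JndiManager.class":
			c.seenJndiManagerClass = true
		case strings.HasSuffix(f.Name, ".jar"): // fat/uber jar: scan the inner jar too
			rc, err := f.Open()
			if err != nil { return err }
			inner, err := io.ReadAll(io.LimitReader(rc, maxInner)) // bounded read
			rc.Close()
			if err == nil { err = walk(c, inner, depth+1) }
			if err != nil { return err }
		}
	}
	return nil
}
// ScanJar reports whether the jar, or any jar nested inside it, trips bad().
func ScanJar(data []byte) (bool, error) {
	c := &checker{}
	err := walk(c, data, 0)
	return err == nil && c.bad(), err
}
```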


the story of browsing through code: "I'm wasting my time reading this", until you read the 3 lines that actually matter.



