lunasec

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

License: OTHER | Downloads: 1 | Stars: 1.4K | Committers: 29

lunasec - v1.0.0-lunatrace Latest Release

Published by breadchris over 2 years ago

Initial release

The LunaTrace CLI can collect SBOMs of files, directories, containers, and remote repositories. Once collected, the SBOM can be reported to LunaTrace for automated scanning for vulnerabilities.

lunasec - v1.6.1-log4shell

Published by breadchris over 2 years ago

  • Publish linux ppc64le

lunasec - v1.6.0-log4shell

Published by breadchris almost 3 years ago

This release adds the log4shell cloud-scan command. It uploads the list of dependencies used by your project so that you are automatically notified about future vulnerabilities affecting your code.

We're planning to build more functionality like an Open Source Web dashboard, and that will be released under the name "LunaTrace" soon. If you're interested in chatting with us about that, please send us a message. Feedback is incredibly helpful for us as we build this tooling!

lunasec - v1.5.2-log4shell

Published by breadchris almost 3 years ago

Changelog

29f889c3 Adding blog post talking about new CVEs and security team response (#390)
57d35256 Blog post - Working backwards from log4shell to see why we built lunasec (#388)
8be8d652 Fix analytics by inserted into every HTML file
f2ce9576 Fixes #368 - jars larger than a gig are extracted to disk when scanning (#400)
d222fe12 Merge pull request #397 from lunasec-io/update-hype-title
973a6c41 Merge pull request #398 from lunasec-io/fix-analytics
32a4cec4 Merge pull request #399 from lunasec-io/fix-typos-jan
94e75aca Update Hype train post title
3b1e39dd bump version (#401)
432e4b34 fix typos

lunasec - v1.5.1-log4shell

Published by breadchris almost 3 years ago

Changelog

0989db40 Dana incoming edits (#389)
0cbe2e6c Dana incoming edits two (#391)
fee19ab5 Dana incoming edits two (#392)
2f14ea9f Log4shell scan improvements (#393)
7ed6ad7b Update log4shell readme (#394)
683bbadf ignore all webpack generated stuff...weirdness
a154837e version bump (#395)

lunasec - v1.5.0-log4shell

Published by breadchris almost 3 years ago

Changelog

451e1c44 Add ear file extension to Scan function
ac30e3de Edit of first blog post (#381)
5bd43d14 Merge branch 'master' into add-jar-patcher
74e545a8 Merge pull request #308 from lunasec-io/add-jar-patcher
569b46c6 Merge pull request #378 from lunasec-io/fix-file-not-closed
9891b136 Merge pull request #380 from NorthwaveCERT/patch-1
eda04aab Merge pull request #386 from lunasec-io/log4shell-blog-cli-command-update
74bb3cdd Severity 9.8 for log4j v1 vulns
02a9e736 Some scaffolding for a JAR patcher
6a3eb6c2 Speed up ci (#383)
bec65fd8 Swap from Severity to CVE
99aee5c5 Update vulnerablehashes.go
dd697d30 Update vulnerablehashes.go
24b9eaf6 added 2.15 hashes and confirmed they work
7e8c1463 begin to support nested zips when patching
4fd334e6 duplicate flags onto scan command because it's more natural UX
50f3d2af first draft of adding severity rating to vulns
7d30321b generating hashes for the JndiLookup.class file to patch out
56c6375a include jndilookup.class file when analyzing so that it can be removed when patching
fbab2cfe jar patcher is able to remove JndiLookup.class file from jars
449f7004 nested patching works now
6e991905 patcher works on non-nested zips, but is truncating nested zips for some reason
258281ca testing the jar patcher by loading findings file and then looking at discovered files
bcf95cc3 update info about cli
e867b7ba update wording in blog to be more clear that the cli is not an archive

lunasec - v1.4.2-log4shell

Published by breadchris almost 3 years ago

Changelog

423c567e Merge pull request #366 from tlehman/patch-1
d6a8fa40 Merge pull request #367 from lunasec-io/update-guidance-to-include-2.17.0
62dc0e95 Merge pull request #375 from lunasec-io/osx-log4shell
7a160ba2 Merge pull request #376 from lunasec-io/fix-malicious-links
a414f0ad Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
472e23ee Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
b02cd4fc Update guidance across all posts
15c5823e Update the malicious links to be our domain everywhere
a33566d5 WIP OSS patching blog post (#348)
780dd9f3 better osx instructions
71adc6a5 close read which is left open
90f18589 typo 'and' should be 'an'
c3871569 update guidance to use 2.17.0

lunasec - v1.4.1-log4shell

Published by breadchris almost 3 years ago

Changelog

Fixes #351

0f47f256 Add bypass payload to post
4c832fb3 Fix bad date
9f908c86 Fix bug in the new CVSS post
600fc1bc Merge pull request #352 from lunasec-io/follow-post-to-CVE-2021-45046
57196831 Merge pull request #353 from lunasec-io/fix-bug-in-post
dce51d52 Merge pull request #354 from lunasec-io/fix-bug-in-post
5d3a3417 Merge pull request #355 from lunasec-io/fix-bug-in-post
0cbce8c9 Merge pull request #356 from lunasec-io/fix-bug-in-post
998c69de Merge pull request #360 from lunasec-io/do-not-open-non-existant-files-from-symlinks
8f796fde One more change
c2f9bd7b Update issue templates
a89ce9b9 add details about the latest updates about the log4shell cves
fc20cbdc broken symlinks no longer stop scanning
67f8a2fa bump version
da858efd create blog post discussing follow up issues for cve
b5e245b0 update date

lunasec - v1.4.0-log4shell

Published by breadchris almost 3 years ago

Changelog

ee2c1633 Add FUNDING.yml file for GitHub Sponsors
7a305f71 Add links back to other posts
bdeb637a Add links to other blog posts and update phrasing
b4751d10 Merge branch 'bump-log4shell-cli-version' of github.com:lunasec-io/lunasec into bump-log4shell-cli-version
4372467c Merge branch 'bump-log4shell-cli-version' of github.com:lunasec-io/lunasec into bump-log4shell-cli-version
cfe2c1bd Merge branch 'master' into improve-scanner-reliability
33bbf9cf Merge pull request #330 from lunasec-io/improve-scanner-reliability
fb5deb36 Merge pull request #334 from acollign/feature/add-exts
712a040b Merge pull request #342 from lunasec-io/bump-log4shell-cli-version
8150184b Merge pull request #345 from lunasec-io/add-link-to-new-posts
3f604c23 Merge pull request #347 from lunasec-io/add-funding-file
ecbcc801 Merge pull request #350 from lunasec-io/increase-severity-of-cve-2021-45046
8c466e35 Update README.md
b654be54 add --no-follow-symlinks
be2b698a add manual releasing instructions
2ce1498e add zip and ear extensions to allow deep scans
2dd83919 analyzer has better semver version checking
c273bcb0 bump cli version to 1.3.2
bca90187 fix false positive for 2.16.0 and 2.15.0
ccd10e67 global flags are recognized by the cli if they have a name collision in a subcommand
7ebe74f4 improve log colors
36673ca8 increase severity of cve-2021-45046 finding
427e4915 resolve symlinks while scanning
1c98ea08 slightly better log level printing
5b506a12 switch all logs to stdout and prettier formatting for scan results
43f6987f update CTA size
c6affa5d version change is more than a patch, version should reflect this
70d405f3 warning about virus scanners in blog post

lunasec - v1.3.1-log4shell

Published by breadchris almost 3 years ago

Changelog

a499653f bump version
21805547 include 1.2.17 in scanning log4j1

lunasec - v1.3.0-log4shell

Published by breadchris almost 3 years ago

Changelog

This release fixes issues that were raised about false positives with Log4j 2.15.0. The CLI tool is now tested against both the Apache and Maven builds of the libraries, since their hashes were observed to differ in some cases.

ab5abab2 Basic technical analysis of the Log4Shell exploit
99d89964 Better phrasing
5aadc823 Blog post updates
9a159fde CLI UX improvements and more legalish warnings
861c385c Fix bad image links by using MDX syntax instead
13cd33f2 Fix formatting
4395867e Fix image link for bad image also
d74964cc Fix image links to be persistent
a60fddcb Fix some typos
a582d5cf Merge branch 'hotpatch-improvements' of github.com:lunasec-io/lunasec into hotpatch-improvements
6e4314a3 Merge branch 'master' into improve-scanner-reliability
53d0b1cf Merge pull request #311 from lunasec-io/hotpatch-improvements
64254cd3 Merge pull request #312 from lunasec-io/update-patch-section
c7043c69 Merge pull request #313 from lunasec-io/fix-bad-image-links
e74319fe Merge pull request #319 from natrem/detect-elastic-apm
6b8618e2 Merge pull request #322 from lunasec-io/fix-post-warning
4126b0ba Merge pull request #329 from dhoizner/feat/scan-zip-archives
9e917022 Merge pull request #331 from lunasec-io/fix-typo-in-property-name
cf602124 Merge pull request #333 from lunasec-io/log4j-exploit-analysis-blog-post
bb8d2533 Tweaks
9f248924 Update Patch section with new notes
254ade8d Update timestamps
fbf14b10 Wordsmithing
195cbc4b add payload url to the print out in the cli
65dbfe89 bump version
400c6e37 feat: scan into zip archives in addition to jar+war
34c76115 fix typo
0e27f16e log4shell and 2.15.0 cves are distinct in findings now
1f0f3bfc pull all maven and apache versions of log4j
fc357889 scan library before browsing it
ea2f1afb script for downloading all log4j versions
4a3d9220 update blog post to fix changes suggested in issues
79aab2e7 update blog to include java decomp
f42427a7 use webarchive to reference zero day tweet

lunasec - v1.1.2-log4shell

Published by breadchris almost 3 years ago

Changelog

898e19dd Change links to the generic Releases page
ee9655eb Merge branch 'master' into hotpatch-improvements
58e1478e Merge pull request #309 from lunasec-io/blog-includes-hot-patch-cli
f92099d5 Merge pull request #310 from lunasec-io/cli-ux
2132b5a1 Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
579472e0 add docker-compose and update readme with some commands
f1945c30 add live patch blog post
02f39cfd added more options to the hotpatch server and added a landing page
cc2b9157 blog mentions hot patch cli
4856a510 bump version of log4shell cli
3cf46599 change dependency to not panic
c6a4f579 update blog posts
6187edd1 update hotpatch server to have more descriptive text

lunasec - v1.1.1-log4shell

Published by factoidforrest almost 3 years ago

Changelog

scan now pretty-prints results by default

lunasec - v1.1.0-log4shell

Published by breadchris almost 3 years ago

Changelog

Added a hotpatch command, which attempts to use the bug against itself to patch the vulnerability in a running server.

Added severity levels to different log4j versions detected by scan, and included 2.15.0 in vulnerable versions.

dfa5cb59 Add CVE number back to first line of text for SEO
f0478fad Add log4j to first sentence
f4ef8a1f Add log4shell CLI tool
3df90893 Add option to write outputs to a file.
007212a7 Add social links and update main Readme
6849b468 Adding command for running log4shell hotpatch server. The command brings up the servers, but they currently do not work.
2ebe83b3 Bump version
86d0fb52 Change version to beta
dd21d161 Content reworking
d0202768 Enabled options for printing out json for parsing results.
6e88ba6d Fix Master CI
7fa24c42 Fix bad link in blog post
209e3ad5 Fix bad path
1d79ccef Fix entrypoint for package
28f4278b Fix grammar in mitigation guide
18ff24a2 Fix renamed directory
457d281c Fix script to work with both a specific path or in the current folder
94ce327f Fix typo
aca37df6 Hotpatching works when being tested locally against vulnerable spring server.
a7384c0d Merge branch 'add-log4shell-cli' of github.com:lunasec-io/lunasec into add-log4shell-cli
86dc3970 Merge branch 'master' into add-log4shell-cli
b89fed58 Merge branch 'master' into log4shell-vuln-finder
b7f58e4c Merge pull request #283 from lunasec-io/add-log4shell-cli
ad7840c5 Merge pull request #285 from lunasec-io/log4shell-vuln-finder
f5e6a3e9 Merge pull request #286 from lunasec-io/fix-ci-on-master
66cacc51 Merge pull request #288 from lunasec-io/update-mitigation-guide
9a1c3c81 Merge pull request #289 from lunasec-io/fix-bad-link-in-post
78e9ac56 Merge pull request #290 from slovdahl/patch-1
a3e5bfc6 Merge pull request #293 from lunasec-io/dec13-blog-edits
de48c4d4 Merge pull request #294 from lunasec-io/add-social-links-to-mitigation-guide
8eb17dba Merge pull request #296 from lunasec-io/log4shell-vuln-finder
5252c628 Merge pull request #297 from lunasec-io/mitigation-edits-forrest
708a471c Merge pull request #302 from natrem/patch-1
5fb29d04 Merge pull request #303 from lunasec-io/no-lookups-no-worky
2307b8d4 Merge remote-tracking branch 'origin/master' into mitigation-edits-forrest
9a9a79a1 Mitigation edits forrest (#295)
8b896f13 More post cleanup
7831485c More post cleanup
4eac2041 Remove thank you line
2279eb66 Scanner finds 2.15 (#305)
91d70d86 Update 2021-12-09-log4j-zero-day.md
90a4e6ec Update 2021-12-09-log4j-zero-day.md
d81ffb42 WIP blog post
c59a38a4 Wrap up the Log4Shell Mitigation Guide doc
312a99d5 Write up the rest of the blog post
85060ce2 add contact form, what a doozy
471f56b6 add warnings about 2.15 and flag
cea63e88 also find war files
a1a365cd better warning
ab10a9f5 big mitigation edits
c76f49b3 blog edits to header example
b6b2dcd6 few tiny edits
04317974 fix english (#304)
817388a5 fix package mistake
d59ad407 fix typo and add CVE name
1c0c95b6 log4shell scanning cli initial commit
54acae91 make hash downloading automatic even if not using NPM
a9145cfb mention log4j 2.16
a2d76373 merge master
7c828870 more CVE mentions
b6a70040 move log4shell to tools
e0f97969 remove bad dep and eslint ignore something
a717e205 small edits linking two blog posts together and other nits
56fe9946 update Log4ShellHotpatch
cddae2ce update binary name to log4shell
a9199b77 when scanning archives, scan nested ones

lunasec - v1.0.0-log4shell

Published by breadchris almost 3 years ago

Changelog

Initial release of the log4shell CLI. It searches directories for files whose hashes match known vulnerable log4j dependencies.