## log4shell true positive

This is a simple web project with a log4shell vulnerability. 
The project defines a simple `scabench.HelloWorldService` get service returning a plain text string `hello world`.
The service does not expect parameters, and if parameters are encountered, an error 
is logged. 

The vulnerable dependency is [org.apache.logging.log4j:log4j-core:2.14.1](, the vulnerability is [CVE-2021-44228]( 

### Demonstrating the Vulnerability using a Test 

This requires unix or macos. It is easy to port this project to windows. 

A unit test is provided to demonstrate the vulnerability. The test requires a ldap server providing vulnerable code, the respective executable is provided by the project, it is defined in a separate project []( based on [](
The test fixture will handle startup and shutdown of the ldap server.

The test will create a file `foo` based on a command encoded embedded in the code of the ldap server the log4j connects to
(`touch foo`). This server can be controlled by an attacker. 

To run the test build the project with `mvn test`.

### Demonstrating the Vulnerability running the Application

1. start the embedded web server: `mvn jetty:run`
2. start the included the ldap server: `java -jar dodgy-ldap-server.jar` (the vulnerable copde will download Java code from this server)
3. point the browser to `http://localhost:8080/`, this site contains a pre-populated form with a malicious payload `${jndi:ldap://}`
4. submit this form
5. this will create a file `foo` on the server

### Running Software Composition Analyses

There are several sh scripts to run different analyses, result resports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate a [SBOM]( in [CycloneDX]( format. 
To do this, run `mvn cyclonedx:makePackageBom`, the SBOM can be found in 
`target/` in `json` and `xml` format.