WhiteSource spring4shell Detect is a free CLI tool that quickly scans your projects to find vulnerable Spring4shell versions containing the following known CVEs:
- CVE-2022-22965
It provides the exact path to direct and indirect dependencies, along with the fixed version for speedy remediation.
The supported packages managers are:
- gradle
- maven
- bundler
In addition, the tool will search for vulnerable files with the .jar,.gem extensions.
- Download the spring4shell-detect binary based on your OS platform (see installation steps below)
NOTE
-
For mac users, if the following message appears: "spring4shell-detect can't be opened because Apple cannot check it for malicious software", please follow the steps described here
-
The relevant binaries must be installed for the scan to work, i.e:
gradleif the scanned project is a gradle project (contains asettings.gradleor abuild.gradlefile)mvnif the scanned project is a maven project (contains apom.xmlfile)ruby/jrubyandgem/jgemif the scanned project is a bundler project (contains aGemfile.lock/gems.lockedfile)
-
Building the projects before scanning will improve scan time and reduce potential scan errors
-
maven projects must be built prior to scanning, e.g. with the following command:
mvn install
-
bundler projects must be built prior to scanning, e.g. with the following command:
jbundler install
-
It is not necessary to run
gradle buildprior to scanning agradleproject, but that will greatly decrease the scan time
-
In order to scan your project, simply run the following command:
spring4shell-detect scan -d PROJECT_DIRThe folder can include source code that uses supported package managers in the project, as well binaries with the supported extensions mentioned above. It may error if it's run in a location which has protected folders it cannot access, such as Windows system folders.
ARCH=amd64 # or ARCH=arm64
wget "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-linux-$ARCH.tar.gz"
tar -xzvf spring4shell-detect-1.0.0-linux-$ARCH.tar.gz
chmod +x spring4shell-detect
./spring4shell-detect -hARCH=amd64 # or ARCH=arm64
wget "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-darwin-$ARCH.tar.gz"
tar -xzvf spring4shell-detect-1.0.0-darwin-$ARCH.tar.gz
chmod +x spring4shell-detect
./spring4shell-detect -hInvoke-WebRequest -Uri "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-windows-amd64.zip" -OutFile "spring4shell-detect.zip"
Expand-Archive -LiteralPath 'spring4shell-detect.zip'
cd spring4shell-detect
.\spring4shell-detect.exe -h