Added --throttle option for cpu usage control. v2.8.1

README.md

@@ -3,16 +3,16 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104, CVE-2019-17571, CVE-2017-5645, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.8.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-win64.7z)
-* [log4j2-scan 2.8.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-win64.zip)
+* [log4j2-scan 2.8.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-win64.7z)
+* [log4j2-scan 2.8.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.8.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-linux.tar.gz)
-* [log4j2-scan 2.8.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-linux-aarch64.tar.gz)
+* [log4j2-scan 2.8.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-linux.tar.gz)
+* [log4j2-scan 2.8.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-linux-aarch64.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.8.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-darwin.zip)
-* [log4j2-scan 2.8.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0.jar)
+* [log4j2-scan 2.8.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-darwin.zip)
+* [log4j2-scan 2.8.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -39,7 +39,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.8.0 (2022-01-27)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.8.1 (2022-01-27)
 Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -117,7 +117,9 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 --trace
         Print all directories and files while scanning.
 --silent
-        Do not print anything until scan is completed.
+        Do not print progress message.
+--throttle
+        Limit scan files per second.
 --help
         Print this help.
 ```
@@ -132,7 +134,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.8.0.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.8.1.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.8.0</version>
+	<version>2.8.1</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/Configuration.java

@@ -49,6 +49,7 @@ public class Configuration {
 	// default syslog facility is LOCAL0
 	private int syslogFacility = 16;
 
+	private int throttle = 0;
 	private String includeFilePath = null;
 	private Set<File> driveLetters = new TreeSet<File>();
 	private List<String> excludePathPrefixes = new ArrayList<String>();
@@ -145,7 +146,9 @@ public static void pringUsage() {
 		System.out.println("--trace");
 		System.out.println("\tPrint all directories and files while scanning.");
 		System.out.println("--silent");
-		System.out.println("\tDo not print anything until scan is completed.");
+		System.out.println("\tDo not print progress message.");
+		System.out.println("--throttle");
+		System.out.println("\tLimit scan files per second.");
 		System.out.println("--help");
 		System.out.println("\tPrint this help.");
 	}
@@ -358,6 +361,10 @@ else if (!reportFile.isDirectory())
 				i++;
 			} else if (args[i].equals("--old-exit-code")) {
 				c.oldExitCode = true;
+			} else if (args[i].equals("--throttle")) {
+				verifyArgument(args, i, "throttle", "Specify throttle number.");
+				c.throttle = Integer.parseInt(args[i + 1]);
+				i++;
 			} else {
 				if (args[i].startsWith("-"))
 					throw new IllegalArgumentException("Unknown option: " + args[i]);
@@ -690,4 +697,8 @@ public Set<String> getExcludeFilePaths() {
 	public Set<String> getExcludeFileSystems() {
 		return excludeFileSystems;
 	}
+
+	public int getThrottle() {
+		return throttle;
+	}
 }

src/main/java/com/logpresso/scanner/Log4j2Scanner.java

@@ -56,7 +56,7 @@ public int run(String[] args) throws Exception {
 		}
 
 		config = Configuration.parseArguments(args);
-		metrics = new Metrics();
+		metrics = new Metrics(config.getThrottle());
 
 		if (config.isFix() && !config.isForce()) {
 			try {
@@ -362,7 +362,6 @@ private void fix() {
 				FileUtils.truncate(f);
 				truncateError = false;
 
-				Set<String> removeTargets = detector.getVulnerableEntries();
 				Set<String> shadePatterns = detector.getShadePatterns();
 
 				try {

src/main/java/com/logpresso/scanner/Metrics.java

@@ -15,6 +15,16 @@ public class Metrics {
 	private int fixedFileCount = 0;
 	private int errorCount = 0;
 
+	// speed control
+	private int throttle;
+	private int fileCounter;
+	private long lastResetTime;
+
+	public Metrics(int throttle) {
+		this.throttle = throttle;
+		this.lastResetTime = System.currentTimeMillis();
+	}
+
 	public boolean canStatusReporting() {
 		// check scan file count to reduce system call overhead
 		return scanFileCount - lastStatusLoggingCount >= 1000 && System.currentTimeMillis() - lastStatusLoggingTime >= 10000;
@@ -63,6 +73,28 @@ public int getErrorCount() {
 
 	public void addScanFileCount() {
 		scanFileCount++;
+		fileCounter++;
+
+		if (throttle == 0)
+			return;
+
+		if (throttle <= fileCounter) {
+			while (true) {
+				long elapsed = System.currentTimeMillis() - lastResetTime;
+				if (elapsed >= 1000) {
+					break;
+				}
+
+				try {
+					Thread.sleep(100);
+				} catch (InterruptedException e) {
+				}
+			}
+
+			lastResetTime = System.currentTimeMillis();
+			fileCounter = 0;
+		}
+
 	}
 
 	public void addScanDirCount() {