We are using logpresso scanner and it seems to be flagging a lot more files with potential vulnerability after log4j 1.x was added to the CVEs.
log4j-finder is however skipping those files entirely and not flagging anything.
I am curious as to which one is reliable and why is it that log4j-finder thinks that this one is not potentially vulnerable.
Attaching a file for reference
log4j.jar.zip
.
We are using logpresso scanner and it seems to be flagging a lot more files with potential vulnerability after log4j 1.x was added to the CVEs.
log4j-finder is however skipping those files entirely and not flagging anything.
I am curious as to which one is reliable and why is it that log4j-finder thinks that this one is not potentially vulnerable.
Attaching a file for reference
log4j.jar.zip
.