# Spring4Shell module

This module provides a more in-depth investigation of Spring4Shell detection.

## Set up

```
$ tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go
$ mkdir -p ~/.trivy/modules
$ cp spring4shell.wasm ~/.trivy/modules
```

It is also available in [GHCR][trivy-module-spring4shell].
You can install it via `trivy module install`.

```bash
$ trivy module install ghcr.io/devseccon/trivy-module-spring4shell
2022-06-13T15:32:21.972+0300    INFO    Installing the module from ghcr.io/devseccon/trivy-module-spring4shell...
```

## Run Trivy

```
$ trivy image spring-core-rce-jdk8:latest
2022-05-29T22:35:04.873+0300    INFO    Loading spring4shell.wasm...
2022-05-29T22:35:05.348+0300    INFO    Registering WASM module: spring4shell@v1
2022-05-29T22:35:07.124+0300    INFO    Module spring4shell: analyzing /app/tomcat/RELEASE-NOTES...
2022-05-29T22:35:07.139+0300    INFO    Module spring4shell: analyzing /app/jdk9/release...
2022-05-29T22:37:04.636+0300    INFO    Module spring4shell: analyzing /app/jdk9/release...
...
2022-05-29T22:37:08.917+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
2022-05-29T22:37:08.917+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
```

In the above example, the Java version is 8 which is not affected by CVE-2022-22965, so this module changes the severity from CRITICAL to LOW.

## Note
This module is also used for testing in Trivy.

[trivy-module-spring4shell]: https://github.com/orgs/aquasecurity/packages/container/package/trivy-module-spring4shell
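The severity decision described under "Run Trivy", sketched as an added example (not the module's own `spring4shell.go`). It covers only the Java check, not the Tomcat version. The `Finding` type, the function names and the `JAVA_VERSION="..."` layout of the JDK `release` file are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample of a JDK "release" file (assumed layout).
const sampleRelease = "JAVA_VERSION=\"1.8.0_322\"\nOS_NAME=\"Linux\"\n"

var javaRe = regexp.MustCompile(`JAVA_VERSION="?(\d+)(?:\.(\d+))?`)

// Finding is a hypothetical stand-in for one scan result.
type Finding struct{ ID, Severity string }

// JavaMajor extracts the Java major version from release-file text.
// The legacy scheme "1.8.0_322" means Java 8; "9.0.4" and "17" mean 9 and 17.
func JavaMajor(release string) (int, bool) {
	m := javaRe.FindStringSubmatch(release)
	if m == nil {
		return 0, false
	}
	major, _ := strconv.Atoi(m[1])
	if major == 1 && m[2] != "" {
		major, _ = strconv.Atoi(m[2])
	}
	return major, true
}

// PostScan returns a copy of findings with CVE-2022-22965 lowered to LOW,
// but only when a Java version below 9 was positively identified.
// An unreadable or missing release file leaves the severity untouched.
func PostScan(findings []Finding, release string) []Finding {
	major, ok := JavaMajor(release)
	out := make([]Finding, len(findings))
	for i, f := range findings {
		if f.ID == "CVE-2022-22965" && ok && major < 9 {
			f.Severity = "LOW"
		}
		out[i] = f
	}
	return out
}

func main() {
	in := []Finding{{ID: "CVE-2022-22965", Severity: "CRITICAL"}}
	fmt.Println(PostScan(in, sampleRelease))
}
```

Treating an unparsed version as "unknown" rather than "old" keeps a parsing failure from silently downgrading a CRITICAL finding.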