Forum Discussion
Apache Log4j Detection Optimizations Summary: While the...
That is our standard requirement, but after customer feedback and consideration for the prevalence of Apache Log4j files, it was decided to make an exception and to no longer require thorough tests. Additionally, customers were omitting thorough tests in subsequent scans, which was causing the vulnerability to appear remediated in T.io and T.sc. Also, customers did not want other plugins that use thorough tests to be run.
We are considering re-introducing the thorough tests requirement in the future but not at this time.
Thanks for the response. Given the operational impact of scanning the entire file system that others are mentioning, it seems like there is no way around impacting the system except for disabling the plugin completely, which is not ideal. If I enable thorough checks, I expect increased scan time and resource usage. I don't expect that from a standard authenticated scan.
An earlier article mentioned that a scan without thorough checks would check running Java processes for Log4j and a scan with thorough checks would also scan the file system. I still think this is a good functional separation to have.
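The two-tier separation described in that post, sketched as an added example (not the forum poster's or Tenable's plugin code): a quick tier that only inspects the command lines of running Java processes, and a thorough tier that walks the file system and also looks inside each jar for `JndiLookup.class`, so a jar whose lookup class was removed is not reported as still vulnerable. The `FIXED` version threshold and the hypothetical `build_sample_tree` data are assumptions; reading `/proc/<pid>/cmdline` is left to the caller.

```python
"""Quick (process-based) versus thorough (file-system) Log4j detection. Added illustration."""
import re
import tempfile
import zipfile
from pathlib import Path
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed threshold: take the real value from the current vendor advisory for your JVM.
FIXED = (2, 17, 1)

def quick_check(cmdlines):
    """Quick tier: inspect only the command lines of running Java processes
    (on Linux, /proc/<pid>/cmdline) for a log4j-core jar on the classpath."""
    hits = []
    for cmd in cmdlines:
        for token in re.split(r"[\s:;]+", cmd):  # ':' and ';' separate classpath entries
            m = JAR_RE.search(token)
            if m:
                hits.append((token, m.group(1)))
    return hits

def jar_is_vulnerable(jar):
    """Thorough tier detail: flag jars below FIXED that still contain JndiLookup.
    Deleting that class is a common mitigation; matching on the file name alone
    would keep reporting such hosts as vulnerable."""
    m = JAR_RE.search(jar.name)
    if not m or tuple(int(x) for x in m.group(1).split(".")) >= FIXED:
        return False
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()

def thorough_check(root):
    """Thorough tier: walk the whole tree under root; this is the costly part."""
    return sorted(p for p in Path(root).rglob("log4j-core-*.jar") if jar_is_vulnerable(p))

def build_sample_tree():
    """Constructed sample data in a temp dir: an unpatched jar, one with
    JndiLookup removed, and one at the fixed version. Returns the root."""
    root = Path(tempfile.mkdtemp())
    for rel, with_jndi in [("app/lib/log4j-core-2.14.1.jar", True),
                           ("svc/log4j-core-2.11.2.jar", False),
                           ("new/log4j-core-2.17.1.jar", True)]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root
```

Running `thorough_check(build_sample_tree())` reports only the 2.14.1 jar, while a name-only match would also have flagged the mitigated 2.11.2 jar.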