Automated detection of software vulnerabilities remains a critical challenge in software security. Log4j is an industrial-grade Java logging framework listed as one of the top 100 critical open source projects. On Dec. 10, 2021 a severe vulnerability Log4Shell was disclosed before being fully patched with Log4j2 version 2.17.0 on Dec. 18, 2021. However, to this day about 4.1 million, or 33 percent of all Log4j downloads in the last 7 days contain vulnerable packages. Many Log4Shell scanners have since been created to detect if a user's installed Log4j version is vulnerable. Current detection tools primarily focus on identifying the version of Log4j installed, leading to numerous false positives, as they do not check if the software scanned is really vulnerable to malicious actors. This research aims to develop an advanced Log4j scanning tool that can evaluate the real-world exploitability of the software, thereby reducing false positives. Our approach first identifies vulnerabilities and then provides targeted recommendations for mitigating these detected vulnerabilities, along with instant feedback to users. By leveraging GitHub Actions, our tool offers automated and continuous scanning capabilities, ensuring timely identification of vulnerabilities as code changes occur. This integration into existing development workflows enables real-time monitoring and quicker responses to potential threats. We demonstrate the effectiveness of our approach by evaluating 28 open-source software projects across different releases, achieving an accuracy rate of 91.4% from a sample of 140 scans. Our GitHub action implementation is available at the GitHub marketplace and can be accessed by anyone interested in improving their software security and for future studies. This tool provides a dependable way to detect and mitigate vulnerabilities in open-source projects.

翻译：软件漏洞的自动化检测仍然是软件安全领域的关键挑战。Log4j作为工业级Java日志框架，被列为百大关键开源项目之一。2021年12月10日，在Log4j2版本2.17.0于2021年12月18日完成全面修补之前，一个严重漏洞Log4Shell被公开披露。然而，截至今日，在过去7天的所有Log4j下载中，仍有约410万次（占比33%）下载包含易受攻击的软件包。此后，许多Log4Shell扫描器被开发出来，用于检测用户安装的Log4j版本是否易受攻击。当前的检测工具主要侧重于识别已安装的Log4j版本，这导致了大量误报，因为它们并未检查被扫描软件是否真正对恶意攻击者具有可利用性。本研究旨在开发一种先进的Log4j扫描工具，能够评估软件在真实环境中的可被利用性，从而减少误报。我们的方法首先识别漏洞，然后提供针对已检测漏洞的缓解建议，并向用户提供即时反馈。通过利用GitHub Actions，我们的工具提供了自动化且持续的扫描能力，确保在代码变更时能够及时识别漏洞。这种与现有开发工作流的集成实现了实时监控，并能对潜在威胁做出更快速的响应。我们通过对28个开源软件项目的不同发布版本进行评估，在140次扫描样本中实现了91.4%的准确率，从而证明了我们方法的有效性。我们的GitHub Action实现已在GitHub市场上架，任何有兴趣提升其软件安全性或进行未来研究的人员均可访问使用。该工具为检测和缓解开源项目中的漏洞提供了一种可靠的方法。