Log4j core 2.17.1 shows as vulnerable

[bdw429s]

If I download the latest Log4j core jar file from maven
https://repo1.maven.org/maven2/org/lucee/log4j-core/2.17.1/log4j-core-2.17.1.jar

and scan it, I get this message:

Analysing log4j-core-2.17.1.jar
CVE-2021-44228 found in class file D:\Downloads\log4j-core-2.17.1\org\apache\logging\log4j\core\util\NetUtils.class

Is the latest jar still vulnerable or is the scanner wrong? I'm using the latest Log4JDetector-0.7.2-jar-with-dependencies.jar to scan.

[anddann]

Thanks for the report looks like an issue similar to #8
We'll check it.

[anddann]

A first investigation shows that the fingerprint of the file NetUtils is the same as one in the vulnerable versions but version 2.17.1 is not vulnerable. So it is exactly the same issue as described in detail by @johspaeth in #8

[johspaeth]

Thanks for the investigation, @anddann. I've just created an PR to remove the class NetUtils from being marked vulnerable.

[anddann]

Fixed in pr #18