Description
Current output for log4j 2.x findings without JndiLookup.class is: _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)_ I think _POTENTIALLY_SAFE_ is not correct any longer because log4j 2.x without JndiLookup.class is only _POTENTIALLY_OKAY_, because by removing JndiLookup.class you can't mitigate any CVE found after version 2.15.
Current (log4j-detector-2021.12.29.jar) output for findings regarding log4j-core-2.15.0.jar without JndiLookup.class:
_log4j-core-2.15.0.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)_
So it's not correct any longer (since log4j 2.16 has been released).
There is another issue: it's not really good to use the status _OKAY_ and another status named _POTENTIALLY_OKAY_, because these are two different statuses but you can't simply differentiate/extract (via regex) these two statuses.
For automatic evaluations it would be better to have two completely different statuses like:
_OKAY_ and _POTENTIALLYOKAY_ or _POTENTIALLY-OKAY_
We use log4j-detector engine with an ansible playbook (execution) => elasticsearch (result storage) => grafana (result visualization/reporting).
Thank you for providing such a professional scanner!
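An added example (not part of the issue or of log4j-detector itself) showing the regex problem the report describes: a plain `_OKAY_` substring match also fires on `_POTENTIALLY_OKAY_`, while a whole-token match with word-boundary lookarounds keeps the two apart. The status vocabulary, the assumed line layout `<path> contains <description> <STATUS>[ <note>]`, and the sample lines are constructed for illustration.

```python
"""Distinguish _OKAY_ from _POTENTIALLY_OKAY_ in log4j-detector style output.
Status list, line layout and samples are assumed/constructed, not taken
from the detector's source."""
import re
from typing import Optional

# Assumed status tokens, longest first so the alternation is unambiguous.
STATUSES = ("_POTENTIALLY_OKAY_", "_POTENTIALLY_SAFE_", "_OKAY_")

# Naive substring regex: also matches inside _POTENTIALLY_OKAY_ (the bug).
NAIVE_OKAY = re.compile(r"_OKAY_")

# Whole-token match: \w covers letters, digits and '_', so the lookarounds
# forbid an adjacent word character; "_OKAY_" inside "_POTENTIALLY_OKAY_"
# is preceded by 'Y' and therefore cannot match.
STATUS_RE = re.compile(r"(?<!\w)(" + "|".join(map(re.escape, STATUSES)) + r")(?!\w)")

# Assumed line layout: "<path> contains <description> <STATUS>[ <note>]".
LINE_RE = re.compile(
    r"^(?P<path>\S+) contains (?P<desc>.+?) (?P<status>_[A-Z_]+_)(?: (?P<note>.*))?$"
)


def naive_is_okay(line: str) -> bool:
    """Substring check: wrongly True for _POTENTIALLY_OKAY_ lines too."""
    return NAIVE_OKAY.search(line) is not None


def extract_status(line: str) -> Optional[str]:
    """Return the full status token, or None if no known status is present."""
    m = STATUS_RE.search(line)
    return m.group(1) if m else None


def is_okay(line: str) -> bool:
    """True only for the exact _OKAY_ token."""
    return extract_status(line) == "_OKAY_"


def parse_line(line: str) -> Optional[dict]:
    """Split a result line into path, desc, status and note; unknown status
    tokens are kept and flagged so they surface in reporting."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    d["known"] = d["status"] in STATUSES
    return d


# Constructed sample output (first line mirrors the one quoted in the issue).
SAMPLE = [
    "log4j-core-2.15.0.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)",
    "/opt/app/lib/log4j-core-2.17.0.jar contains Log4J-2.x >= 2.17.0 _OKAY_",
    "/opt/app/lib/log4j-core-2.16.0.jar contains Log4J-2.x >= 2.16.0 _POTENTIALLY_OKAY_",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(parse_line(ln)["path"], "naive:", naive_is_okay(ln), "exact:", is_okay(ln))
```

The same whole-token pattern works unchanged if the tool later renames the weaker status to `_POTENTIALLYOKAY_` or `_POTENTIALLY-OKAY_`, so a pipeline written this way needs no change when the suggested renaming lands.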