twigs supports plugins that extend its capabilities. Plugins are the mechanism for adding further checks to twigs, for example checks that detect specific vulnerabilities and report any observations as vulnerability impacts. twigs will allow custom plugins to be developed in the future, which will let users write their own specific checks.
Vulnerability-check plugins currently supported by twigs:
- CVE-2022-22965 (Spring4Shell) – Spring Framework RCE via Data Binding on JDK 9+
- CVE-2021-45105 (log4j) – Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
- CVE-2021-45046 (log4j) – Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
- CVE-2021-44832 (log4j) – Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
- CVE-2021-44228 (log4j) – Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
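The following is an added example of the kind of version-based check such a plugin performs; it is not twigs code and does not use the twigs plugin API. It walks a directory tree, identifies `log4j-core` and `spring-beans` jars by filename, prefers the `Implementation-Version` in the jar manifest over the filename (so a renamed jar is scored by what it contains), and reports the CVEs from the list above whose fix release the version predates. The fix thresholds (2.15.0, 2.16.0, 2.17.0, 2.17.1 for Log4j 2.x; 5.3.18 and 5.2.20 for Spring Framework) come from the vendor advisories; the Log4j 2.3.x and 2.12.x backport branches have their own fix releases and are routed to manual review rather than scored. The sample jars, directory layout and helper names are constructed for this example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fix releases on the Log4j 2.x mainline: a version below the threshold is affected.
# Thresholds from the Apache advisories; the 2.3.x (Java 6) and 2.12.x (Java 7)
# backport lines have their own fix releases and are sent to manual review instead.
LOG4J_FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# CVE-2022-22965 (Spring4Shell): Spring Framework fixed in 5.3.18 and 5.2.20.
SPRING_FIXED_IN = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

NAME_RE = re.compile(r"^(?P<artifact>log4j-core|spring-beans)-(?P<version>\d+(?:\.\d+)*)")
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None for versions this check does not score (e.g. 2.0-beta9)."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def jar_version(path):
    """(artifact, version) for a jar; the manifest's Implementation-Version beats the filename."""
    m = NAME_RE.match(Path(path).name)
    if not m:
        return None
    artifact, version = m.group("artifact"), parse_version(m.group("version"))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                version = parse_version(line.split(":", 1)[1]) or version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: keep the filename's version
    return artifact, version

def check_jar(path):
    """Map one jar to the CVE ids whose fix release its version predates."""
    info = jar_version(path)
    if info is None:
        return []
    artifact, version = info
    name = Path(path).name
    if version is None:
        return [{"jar": name, "cve": None, "note": "version not parsed; review manually"}]
    if artifact == "log4j-core":
        if version[:2] in ((2, 3), (2, 12)):
            return [{"jar": name, "cve": None, "note": "backport branch; compare with its own fix release"}]
        if version[0] < 2:
            return []  # Log4j 1.x is out of scope for these four CVEs
        return [{"jar": name, "cve": cve, "version": version}
                for cve, fixed in LOG4J_FIXED_IN.items() if version < fixed]
    fixed = SPRING_FIXED_IN.get(version[:2])  # artifact == "spring-beans"
    if fixed and version < fixed:
        return [{"jar": name, "cve": "CVE-2022-22965", "version": version,
                 "note": "exploitable only when running on JDK 9+ (see advisory)"}]
    return []

def scan(root):
    """Walk a directory tree and collect findings for every matching jar."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        findings.extend(check_jar(path))
    return findings

def summarize(findings):
    """{jar name: sorted CVE ids}; manual-review items are reported as 'REVIEW'."""
    summary = {}
    for f in findings:
        summary.setdefault(f["jar"], []).append(f["cve"] or "REVIEW")
    return {jar: sorted(cves) for jar, cves in summary.items()}

def make_sample_jar(path, impl_version=None):
    """Constructed fixture: an empty jar, optionally carrying a manifest Implementation-Version."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if impl_version:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")

def demo():
    """Scan a constructed sample tree and return the summarized findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")              # all four Log4j CVEs
        make_sample_jar(root / "lib" / "log4j-core-2.17.0.jar")                # only CVE-2021-44832
        make_sample_jar(root / "renamed" / "log4j-core-2.17.1.jar", "2.14.1")  # manifest wins over name
        make_sample_jar(root / "log4j-core-2.12.1.jar")                        # backport branch: REVIEW
        make_sample_jar(root / "spring-beans-5.3.17.jar")                      # Spring4Shell
        make_sample_jar(root / "spring-beans-5.3.18.jar")                      # fixed: no finding
        return summarize(scan(root))

if __name__ == "__main__":
    for jar, cves in demo().items():
        print(f"{jar}: {', '.join(cves)}")
```

Run the file directly to scan the constructed sample tree, or call `scan("/path/to/app")` against a real deployment. A version check of this kind tells you a vulnerable artifact is present, not that it is reachable; the Spring4Shell finding in particular carries the JDK 9+ condition from the advisory, and shaded or repackaged copies of Log4j will not match the filename pattern, so treat a clean result as one input to remediation rather than a proof of absence.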