From 0893bef9711f76cc8e6a34d7c4a66d6a78775de9 Mon Sep 17 00:00:00 2001 From: Hilko Bengen Date: Sun, 12 Dec 2021 22:22:47 +0100 Subject: [PATCH] Clarify recursive scanning --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index b1dcd7c..de2bd21 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ This is a simple tool that can be used to find vulnerable instances of log4j 1.x and 2.x (CVE-2019-17571, CVE-2021-44228) in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. +The scan happens recursively: WAR files containing WAR files +containing JAR files containing vulnerable class files ought to be +flagged properly. This tool currently checks for known build artifacts that have been obtained through Maven. From-source rebuilds as they are done for
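Review bot: the added paragraph's "ought to be flagged properly" reads as a hope rather than a statement of behaviour, which is a problem in user-facing documentation for a vulnerability scanner; suggest phrasing it definitively, e.g. "Nested archives are scanned recursively: a WAR inside a WAR that contains a JAR with a vulnerable class file is flagged", and, if the recursion has a depth limit or only descends into the archive types already named (JAR and WAR), stating that here as well, since someone using the tool to assess a deployment needs to know what it will not look inside.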