如何确定导致 Google Play OpenSSL 警告的依赖项? [英] How to determine which dependency causes Google Play OpenSSL warning?
问题描述
我目前正在处理一个大型遗留项目并尝试修复 OpenSSL 漏洞问题,如 如何解决应用中的 OpenSSL 漏洞.
I'm currently working on a big legacy project and trying to fix the OpenSSL vulnerability issue as explained at How to address OpenSSL vulnerabilities in your apps.
问题是,有很多依赖项,有些是作为 Gradle 导入添加的开源(我更新了所有没有破坏兼容性的内容),有些是我工作的公司的合作伙伴和承包商提供的自定义/封闭源用于并作为 JAR 附加到项目.
The problem is, there are lot of dependencies, some are open source (I updated all that didn't break the compatibility) added as Gradle import, some are custom/closed source provided by partners and contractors of the company I work for and attached to the project as JARs.
有什么方法可以查明具有此漏洞的特定库吗?我使用了 Google Play 和 OpenSSL 警告消息 中提供的 bash 脚本,它指向一个本机依赖项(实际上是 .so 文件).是否有任何选项可以从那里查明实际依赖关系?
Is there any way to pinpoint specific library that has this vulnerability? I used the bash script provided at Google Play and OpenSSL warning message and it points to one native dependency (actually the .so file). Is there any option to pinpoint actual dependency from there?
推荐答案
是否有任何选项可以从那里查明实际依赖关系?
Is there any option to pinpoint actual dependency from there?
是的,但是您需要知道有问题的 OpenSSL 版本并且需要 grep.Windows find 不行.
Yes, but you need to know the offending OpenSSL version and you need grep. Windows find won't do.
首先,注意有问题的 OpenSSL 版本.为了便于论证,请说是由于 OpenSSL 1.0.1h.
First, take note of the offending OpenSSL version. For sake of argument, say its due to OpenSSL 1.0.1h.
接下来,收集您的依赖项及其顶级文件夹的列表.为了便于论证,说它的 $HOME/Desktop/aosp-app, $HOME/sdk-a、/usr/local/sdk-b 和 /opt/local/sdk-c.
Next, gather a list of your dependencies and their top level folders. For sake of argument, say its $HOME/Desktop/aosp-app, $HOME/sdk-a, /usr/local/sdk-b and /opt/local/sdk-c.
最后,对于顶级目录:
grep -R '1.0.1h' "$HOME/Desktop/aosp-app"
grep -R '1.0.1h' "$HOME/sdk-a"
grep -R '1.0.1h' /usr/local/sdk-b
grep -R '1.0.1h' /opt/local/sdk-c
你不需要grep -iR,这是一个不区分大小写的(-i)递归(-R) 搜索.您也不需要 grep -IR,它是一种递归 (-R) 搜索,可跳过二进制文件 (-I).
You don't need grep -iR, which is a case insensitive (-i) recursive (-R) search. You also don't need grep -IR, which is a recursive (-R) search that skips binary files (-I).
所有这些都有效,因为 OpenSSL 库将其版本作为字符串嵌入到数据部分中.最终,您将找到罪魁祸首,这可能是一个预先构建为共享对象但包含 OpenSSL 作为静态库的 SDK.一个 SDK 似乎经常被识别,它使用针对静态 OpenSSL 库构建的 cURL.
All of this works because OpenSSL library embeds its version in the data section as a string. Eventually, you will hit on the culprit, which is probably an SDK that comes pre-built as a shared object but includes OpenSSL as a static library. One SDK seems to be identified frequently, and it uses cURL which is built against a static OpenSSL library.
如果您有 JAR 文件并怀疑它们,那么您可以执行以下操作作为快速测试:
If you have JAR files and suspect them, then you can perform the following as a quick test:
find <dir> -name '*.jar' -exec grep -R '1.0.1h' {} ;
该命令将在目录 *.jar 扩展名的文件.当它找到一个时,它会运行 grep 来寻找字符串.find 会为它找到的每个 *.jar 做它.
The command will look in the directory <dir> and its subdirectories. It will search for files with the *.jar extension. When it finds one, it will run grep on it looking for the string. find will do it for every *.jar it finds.
这篇关于如何确定导致 Google Play OpenSSL 警告的依赖项?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
