如何 grep 或搜索 OpenSSL 的 .jar 文件? [英] How to grep or search .jar files for OpenSSL?

问题描述

我有一个使用一些 .jar 文件(库)的 Android 应用.我的应用因 OpenSSL 漏洞而被拒绝，但找不到包含 OpenSSL 的 .jar 文件.

I have an Android app that is using some .jar file (libraries). My app is being rejected for OpenSSL vulnerabilities, but can't find the .jar file that contains OpenSSL.

如何在我的 MAC 上搜索 Openssl 的 .jar 文件?

How do I search the .jar files for Openssl on my MAC?

grep Openssl.class /Users/joon/work/androidApp/*.jar

更新===

这是我的依赖项和罐子.当我运行下面提到的 grep 命令时，它并没有告诉我哪个 jar 是问题，只是我有一个旧版本的 OpenSSL.此外，下面的一些 jars，比如 Bouncy Castle，无论它们是否有 OpenSSL，自 2013 年以来就没有更新，这是在 OpenSSL 安全修复之前.我们尝试一个一个地删除每个 jar，然后重新编译 + 清理(注释掉代码以便编译)，但它仍然说旧的 OpenSSL 正在使用中.谁能指出下面的罪魁祸首?

Here are my dependencies and Jars. When I run the grep command mentioned below it doesn't tell me which jar is the issue just that I have an old version of the OpenSSL. Further, some of the jars below, like Bouncy Castle, whether they have OpenSSL or not, have not been updated since 2013, which is before the OpenSSL security fix. We tried removing each of the jars, one by one, and recompiling + cleaning (commenting out the code so it would compile), but it still says the old OpenSSL is in use. Can anyone point to the culprit below?

JARS:
httpmime-4.1.3.jar
libGoogleAnalyticsServices.jar
opentok-android-sdk-2.3.1.jar
sc-light-jdk15on-1.47.0.2.jar
scpkix-jdk15on-1.47.0.2.jar
scprov-jdk15on-1.47.0.2.jar
socketio.jar


dependencies {
    compile fileTree(dir: 'libs', include: ['*.jar'])
    compile 'com.android.support:appcompat-v7:21.+'
    compile 'com.google.android.gms:play-services-maps:6.5.+'
    compile 'com.crashlytics.android:crashlytics:1.+'
}

推荐答案

如何在我的 MAC 上搜索 Openssl 的 .jar 文件?

How do I search the .jar files for Openssl on my MAC?

您可以使用以下脚本检查 JAR 文件:

You can check the JAR files with the following script:

#!/usr/bin/env bash

JAR_FILES=("httpmime-4.1.3.jar"
           "libGoogleAnalyticsServices.jar"
           "opentok-android-sdk-2.3.1.jar"
           "sc-light-jdk15on-1.47.0.2.jar"
           "scpkix-jdk15on-1.47.0.2.jar"
           "scprov-jdk15on-1.47.0.2.jar"
           "socketio.jar")

for jar_file in "${JAR_FILES[@]}"
do
    echo "************ $jar_file ************"
    grep '1.0.1h' "$jar_file"
done

您应该将字符串 '1.0.1h' 替换为向您报告的易受攻击的 OpenSSL 版本.请务必保留单引号，因为句点是 1.0.1h 中的文字.

You should replace the string '1.0.1h' with the vulnerable OpenSSL version being reported to you. Be sure to retain the single quote because the period is a literal in 1.0.1h.

另一种方法是:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep 'Openssl.class' {} ;

或者:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep '1.0.1h' {} ;

<小时>

在 OS X 上，这也很有帮助:

---

On OS X, this is helpful too:

find "$HOME" -name '.DS_Store' -exec rm -f {} ;

它会删除那些在每个目录中创建并随后添加到 ZIP 文件等存档中的 .DS_Store 文件.

It removes those .DS_Store files that get created in every directory and subsequently added to archives like ZIP files.

这篇关于如何 grep 或搜索 OpenSSL 的 .jar 文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！