Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.6k views
in Technique[技术] by (71.8m points)

macos - How to grep or search .jar files for OpenSSL?

I have an Android app that is using some .jar file (libraries). My app is being rejected for OpenSSL vulnerabilities, but can't find the .jar file that contains OpenSSL.

How do I search the .jar files for Openssl on my MAC?

grep Openssl.class /Users/joon/work/androidApp/*.jar

UPDATE===

Here are my dependencies and Jars. When I run the grep command mentioned below it doesn't tell me which jar is the issue just that I have an old version of the OpenSSL. Further, some of the jars below, like Bouncy Castle, whether they have OpenSSL or not, have not been updated since 2013, which is before the OpenSSL security fix. We tried removing each of the jars, one by one, and recompiling + cleaning (commenting out the code so it would compile), but it still says the old OpenSSL is in use. Can anyone point to the culprit below?

JARS:
httpmime-4.1.3.jar
libGoogleAnalyticsServices.jar
opentok-android-sdk-2.3.1.jar
sc-light-jdk15on-1.47.0.2.jar
scpkix-jdk15on-1.47.0.2.jar
scprov-jdk15on-1.47.0.2.jar
socketio.jar


dependencies {
    compile fileTree(dir: 'libs', include: ['*.jar'])
    compile 'com.android.support:appcompat-v7:21.+'
    compile 'com.google.android.gms:play-services-maps:6.5.+'
    compile 'com.crashlytics.android:crashlytics:1.+'
}
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

How do I search the .jar files for Openssl on my MAC?

You can check the JAR files with the following script:

#!/usr/bin/env bash

JAR_FILES=("httpmime-4.1.3.jar"
           "libGoogleAnalyticsServices.jar"
           "opentok-android-sdk-2.3.1.jar"
           "sc-light-jdk15on-1.47.0.2.jar"
           "scpkix-jdk15on-1.47.0.2.jar"
           "scprov-jdk15on-1.47.0.2.jar"
           "socketio.jar")

for jar_file in "${JAR_FILES[@]}"
do
    echo "************ $jar_file ************"
    grep '1.0.1h' "$jar_file"
done

You should replace the string '1.0.1h' with the vulnerable OpenSSL version being reported to you. Be sure to retain the single quote because the period is a literal in 1.0.1h.


Another way to do it is:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep 'Openssl.class' {} ;

Or:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep '1.0.1h' {} ;

On OS X, this is helpful too:

find "$HOME" -name '.DS_Store' -exec rm -f {} ;

It removes those .DS_Store files that get created in every directory and subsequently added to archives like ZIP files.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...