java archives (JAR) are not supported to detect current version in · Issue #20 · sjvermeu/cvechecker · GitHub

java archives (JAR) are not supported to detect current version in #20


Open
keyolk opened this issue Aug 31, 2016 · 3 comments

@keyolk
keyolk commented Aug 31, 2016

Hi,
I'm trying to use this project to check my Docker image.
When I try to check elasticsearch-1.4.2, which is known to have "CVE-2015-1427",
it doesn't put out any result for it.

Below is what I did:

```
# cvechecker -V
cvechecker 3.6
# cvechecker -D -f ./elasticsearch-1.4.2.jar
# cvechecker -d -f ./elasticsearch-1.4.2.jar
# cvechecker -r
```

Could anyone inform me why it can't check the CVE?

@sjvermeu
Owner

Hi keyolk

Indeed, cvechecker does not have an expression for elasticsearch yet. I'll generate one and update the database after I've validated that it matches.

@keyolk
Author
keyolk commented Sep 1, 2016

Thank you :)
Could you inform me how an expression is generated for each CVE?
And is there a way to check which CVEs are not covered by this project yet?

@sjvermeu
Owner

I haven't forgotten this one. Sadly, the method for obtaining versions isn't working on a .jar file. I'll need to implement a method for extracting files from .jar files first (similar to jar xvf ...) and then focus on the resulting files (assuming version information is available inside of it). I thought of using org/elasticsearch/Version.class but there's no clear identification from it (without different parsing methods).

So still searching. You gave me a nice challenge ;-)

sjvermeu changed the title from "Failed to check CVE of elasticsearch" to "java archives (JAR) are not supported to detect current version in" on Jun 27, 2020
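The approach sketched in the last comment (look inside the .jar for version information), as an added example that is not part of this thread and not cvechecker code. It assumes the archive carries Maven-style metadata (`Implementation-Version` in `META-INF/MANIFEST.MF`, or a `pom.properties` file), which not every JAR has; the function names and the in-memory sample JAR are constructed for illustration.

```python
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
MAX_ENTRY = 1 << 20  # ignore entries declaring more than 1 MiB

def parse_manifest(text):
    """Parse the manifest main section; a line starting with a space continues the previous value."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs

def parse_properties(text):
    """Parse simple key=value lines, skipping '#' comments."""
    lines = (l for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def jar_versions(jar):
    """Return (source, name, version) candidates read from inside the JAR, without unpacking to disk."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_ENTRY:
                continue
            if info.filename == MANIFEST:
                m = parse_manifest(zf.read(info).decode("utf-8", "replace"))
                for k in ("Implementation-Version", "Bundle-Version"):
                    if k in m:
                        found.append((k, m.get("Implementation-Title", ""), m[k]))
            elif POM_PROPS.match(info.filename):
                p = parse_properties(zf.read(info).decode("utf-8", "replace"))
                if "version" in p:
                    found.append(("pom.properties", p.get("artifactId", ""), p["version"]))
    return found

def build_sample_jar():
    """Constructed sample input: a minimal in-memory JAR with Maven-style metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Title: elasticsearch\r\n"
                              "Implementation-Version: 1.4.2\r\n\r\n")
        zf.writestr("META-INF/maven/org.elasticsearch/elasticsearch/pom.properties",
                    "#Generated\nversion=1.4.2\ngroupId=org.elasticsearch\nartifactId=elasticsearch\n")
    buf.seek(0)
    return buf
```

`jar_versions` also accepts a path to a JAR on disk; an empty result means the archive carries none of the metadata this sketch looks for.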