bherbst / OpenSSL-Checker

A Gradle plugin for checking whether an .apk or an .aar contains OpenSSL versions with known vulnerabilities
Apache License 2.0

Where do we need to add this command, and what will be the expected output for this command? #7

Open dilipbirajadar opened 5 years ago

dilipbirajadar commented 5 years ago

Then run ./gradlew check[variantName]OpenSSL. For example, ./gradlew checkDebugOpenSsl. This task will fail if a vulnerable version is found.

I have also tried the command below.

MacBook-Pro:Desktop dilipbirajadar$ unzip -p FNMA_Debug.apk | strings | grep "OpenSSL"

I am getting the output below. Is this correct? Do I need to update OpenSSL? But I haven't added any OpenSSL in my Android code.

GMSCore_OpenSSL GmsCore_OpenSSL

bherbst commented 5 years ago

If the build fails, you have a bad OpenSSL version in your app. You should see a message like this if that is the case:

:app:checkDebugOpenSsl FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:checkDebugOpenSSL'.
> OpenSSL 1.0.0m detected and contains known vulnerabilities

If the build succeeds, then you likely do not have a vulnerable OpenSSL version in your project.
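
An added example, not part of the plugin or of this thread, showing what the task's pass/fail decision boils down to: open the .apk as a zip, pull the OpenSSL version banner (the "OpenSSL 1.0.0m 2 Jun 2014" style string that libcrypto/libssl embed) out of each native library under lib/, and compare it against a minimum acceptable version. The regex requires a version number after the word OpenSSL, so a bare identifier such as GmsCore_OpenSSL (which the grep above matched) carries no version and is ignored. The sample .apk, the library names, and the floor version 1.0.2u are all constructed assumptions for this example; the plugin's own vulnerability list is not reproduced here.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in libcrypto/libssl, e.g. "OpenSSL 1.0.0m 2 Jun 2014".
# A bare "OpenSSL" inside a symbol name such as "GmsCore_OpenSSL" does not match,
# because no version number follows it.
_VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def _native_libs(apk_bytes):
    """Yield (path, contents) for every shared object under lib/ in the .apk (a zip)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                yield name, zf.read(name)


def find_openssl_versions(apk_bytes):
    """Return {library path: sorted OpenSSL versions found} for libraries that carry a banner."""
    found = {}
    for name, data in _native_libs(apk_bytes):
        versions = sorted({m.group(1).decode() for m in _VERSION_RE.finditer(data)})
        if versions:
            found[name] = versions
    return found


def parse_version(v):
    """'1.0.0m' -> (1, 0, 0, 13); '1.1.1' -> (1, 1, 1, 0). Patch letters order a=1 .. z=26,
    so 1.0.2u > 1.0.2a > 1.0.2, and OpenSSL 3.x (no letters) compares on digits alone."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError(f"not an OpenSSL version: {v!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), (ord(letter) - ord("a") + 1) if letter else 0)


def check_apk(apk_bytes, minimum):
    """Report every (library, version) whose embedded OpenSSL is older than `minimum`.
    The floor is the caller's policy (an assumption here), not a vulnerability database."""
    floor = parse_version(minimum)
    failures = []
    for name, versions in find_openssl_versions(apk_bytes).items():
        for v in versions:
            if parse_version(v) < floor:
                failures.append((name, v))
    return failures


def build_sample_apk():
    """Constructed stand-in for an .apk: a zip with fake .so files and a classes.dex.
    Only the embedded strings matter; nothing here is a real build artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"GmsCore_OpenSSL\0")
        zf.writestr("lib/armeabi-v7a/libold.so",
                    b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.0m 2 Jun 2014\0")
        zf.writestr("lib/arm64-v8a/libnew.so",
                    b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.1.1k 25 Mar 2021\0")
        # Mentions OpenSSL by name only, with no version banner: must not be reported.
        zf.writestr("lib/arm64-v8a/libnoversion.so", b"\x7fELF" + b"GmsCore_OpenSSL\0")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print(find_openssl_versions(apk))
    for lib, v in check_apk(apk, "1.0.2u"):
        print(f"FAIL {lib}: OpenSSL {v} is older than 1.0.2u")
```

Run it against a real build with `check_apk(open("app-debug.apk", "rb").read(), "<your floor>")`; an empty result means no native library carried a banner older than the floor, which is the same conclusion the Gradle task draws when it succeeds, not proof that no OpenSSL code is present at all.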

dilipbirajadar commented 5 years ago

You mean, after adding all dependencies in the app-level Gradle file and the root-level Gradle file, I then need to run the app, and if the build succeeds then we don't have OpenSSL in the project, or do not have a vulnerable OpenSSL version in the project?

bherbst commented 5 years ago

After you add the dependency in your build.gradle (I recommend doing it at the app level, but you can also apply it at the root level), then you need to specifically run the checkDebugOpenSsl task. It does not run on all builds by default.

bherbst commented 5 years ago

Unfortunately I cannot provide live 1:1 support.