jensdietrich / shadedetector

check CVE-2016-6802 results #51

Open jensdietrich opened 1 year ago

jensdietrich commented 1 year ago

At the moment the initial query returns zero results. Assuming that the original vulnerable component is in the maven repo, this would indicate that the class index is incomplete. Please double check.

wtwhite commented 1 year ago

There are no .java files in the candidate artifact's source jar:

wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ cat log110-CVE-2016-6802.log
--snip--
2023-09-26 14:46:55,977 INFO [main] n.a.w.s.Main [Main.java:145] vulnerability verification project is valid
2023-09-26 14:46:55,977 INFO [main] n.a.w.s.Main [Main.java:157] PoV label is 'CVE-2016-6802'
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:212] PoV template GAV: org.apache.shiro:shiro-all:1.3.1
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using clone detector: ast
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using class selector: complexnames
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using result consolidation strategy: moreThanOne
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using result reporter: log
2023-09-26 14:46:55,993 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:37] Instantiated result reporter csv.details
2023-09-26 14:46:55,994 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:40] Configuring result reporter: csv.details
2023-09-26 14:46:55,994 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:49]    set property dir -> details110-CVE-2016-6802
2023-09-26 14:46:56,095 INFO [main] n.a.w.s.Main [Main.java:640] using result reporter: csv.details
2023-09-26 14:46:56,097 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:37] Instantiated result reporter csv.summary
2023-09-26 14:46:56,098 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:40] Configuring result reporter: csv.summary
2023-09-26 14:46:56,098 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:49]    set property file -> summary110-CVE-2016-6802.csv
2023-09-26 14:46:56,099 INFO [main] n.a.w.s.Main [Main.java:640] using result reporter: csv.summary
2023-09-26 14:46:56,100 INFO [main] n.a.w.s.Main [Main.java:246] Final dir processing mode: COPY
2023-09-26 14:46:56,100 ERROR [main] n.a.w.s.Main [Main.java:256] progress stats will be written to /home/wtwhite/code/shadedetector/results/stats110-CVE-2016-6802.log
2023-09-26 14:46:56,114 INFO [main] n.a.w.s.ArtifactSearch [ArtifactSearch.java:218] using cached data from /home/wtwhite/code/shadedetector/.cache/artifacts-versions/org.apache.shiro:shiro-all-1.json
2023-09-26 14:46:56,184 INFO [main] n.a.w.s.ArtifactSearch [ArtifactSearch.java:103]    29 versions found of "org.apache.shiro:shiro-all
2023-09-26 14:46:56,206 DEBUG [main] n.a.w.s.ArtifactSearch [Utils.java:125] Unzipping /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar to /home/wtwhite/code/shadedetector/.cache/ziptmp5287682943225263354, will delete on exit
2023-09-26 14:46:56,234 INFO [main] n.a.w.s.Main [Main.java:295] Restrict search to class names matching: (any)
2023-09-26 14:46:56,235 INFO [main] n.a.w.s.Main [Main.java:301] Restrict cloned artifacts to GAVs matching: (any)
2023-09-26 14:46:56,236 INFO [main] n.a.w.s.Main [Main.java:307] Maximum number of class names to search for: 10
2023-09-26 14:46:56,236 INFO [main] n.a.w.s.Main [Main.java:309] By-class REST API search batch count: 5
2023-09-26 14:46:56,237 INFO [main] n.a.w.s.Main [Main.java:311] By-class REST API search batch size: 200
2023-09-26 14:46:56,237 INFO [main] n.a.w.s.Main [Main.java:313] Minimum number of classes detected as clones needed to trigger compilation and testing: 11
2023-09-26 14:46:56,245 INFO [main] n.a.w.s.Main [Main.java:328] 0 potential matches found
--snip--
wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ unzip -l /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
Archive:  /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2016-08-19 13:42   META-INF/
      136  2016-08-19 13:42   META-INF/MANIFEST.MF
     3278  2016-08-19 13:42   META-INF/DEPENDENCIES
    11358  2016-08-19 13:42   META-INF/LICENSE
      183  2016-08-19 13:42   META-INF/NOTICE
---------                     -------
    14955                     5 files

wtwhite commented 1 year ago

That cached source jar is correct:

wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ md5sum /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
8c21a23bf399363168b34a40e9397914  /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ curl https://repo1.maven.org/maven2/org/apache/shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar.md5
8c21a23bf399363168b34a40e9397914

In fact the pom.xml says

<name>Apache Shiro :: Jar Bundle</name>
<description>Creates a bundled Shiro .jar from the module jars</description>

and includes a maven-shade-plugin plugin with

<includes>
<include>${project.groupId}:shiro-core</include>
<include>${project.groupId}:shiro-web</include>
<include>${project.groupId}:shiro-ehcache</include>
<include>${project.groupId}:shiro-quartz</include>
<include>${project.groupId}:shiro-spring</include>
</includes>

and not much else, suggesting that we can either:

  1. refine the original PoV in xshady to depend on one of these 5 modules instead, and possibly find more hits, or
  2. extend shadedetector to handle these "bundled" jars.

@jensdietrich thoughts? (1) looks easier to me.
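
The fallback that option (2) would need, as an added example that is not shadedetector's own code: check a cached `-sources.jar` against the `.md5` sidecar Maven Central publishes next to it, detect that the jar carries no `.java` entries, and in that case resolve the `maven-shade-plugin` `<artifactSet><includes>` from the bundle's `pom.xml` into the module coordinates to search instead. The jars and the pom below are constructed stand-ins modelled on the `unzip -l` listing and the `<includes>` quoted above (the `<artifactSet>` wrapper is the plugin's standard configuration element, not something shown on this page), and the example assumes the shaded modules share the bundle's version, which holds for a multi-module build like Shiro's but is not guaranteed in general.

```python
"""Fallback for 'bundled' sources jars: verify the cached jar, detect that it has no
.java entries, then resolve the maven-shade-plugin artifactSet includes from pom.xml
so the constituent modules can be searched instead. Added example, not project code."""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET


def md5_hex(jar_bytes: bytes) -> str:
    return hashlib.md5(jar_bytes).hexdigest()


def md5_matches(jar_bytes: bytes, expected_hex: str) -> bool:
    """Compare a cached jar against the .md5 sidecar served next to it on Maven Central."""
    return md5_hex(jar_bytes) == expected_hex.strip().lower()


def java_sources(jar_bytes: bytes) -> list:
    """Names of all .java entries in a sources jar (empty for a META-INF-only bundle)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.endswith(".java")]


def _local(tag: str) -> str:
    """Strip the POM namespace: '{http://maven.apache.org/POM/4.0.0}plugin' -> 'plugin'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name and c.text:
            return c.text.strip()
    return None


def pom_coordinates(root) -> dict:
    """project.groupId/artifactId/version, falling back to <parent> for group and version."""
    parent = next((c for c in root if _local(c.tag) == "parent"), None)
    coords = {}
    for key in ("groupId", "artifactId", "version"):
        value = _child_text(root, key)
        if value is None and key != "artifactId" and parent is not None:
            value = _child_text(parent, key)
        if value is not None:
            coords["project." + key] = value
    return coords


def expand(value: str, props: dict) -> str:
    """Expand ${project.groupId}-style placeholders; unknown keys are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def shade_includes(pom_xml: str) -> list:
    """group:artifact patterns under maven-shade-plugin <artifactSet><includes>."""
    root = ET.fromstring(pom_xml)
    props = pom_coordinates(root)
    found = []
    for plugin in root.iter():
        if _local(plugin.tag) != "plugin" or _child_text(plugin, "artifactId") != "maven-shade-plugin":
            continue
        for artifact_set in plugin.iter():
            if _local(artifact_set.tag) != "artifactSet":
                continue
            for inc in artifact_set.iter():
                if _local(inc.tag) == "include" and inc.text:
                    found.append(expand(inc.text.strip(), props))
    return found


def source_candidates(pom_xml: str, sources_jar: bytes) -> list:
    """GAVs whose sources should feed the class-name search: the artifact itself when its
    sources jar has .java files, otherwise the shaded modules. Assumption: modules share
    the bundle's version (true for a multi-module build, not guaranteed in general)."""
    coords = pom_coordinates(ET.fromstring(pom_xml))
    version = coords["project.version"]
    if java_sources(sources_jar):
        return [coords["project.groupId"] + ":" + coords["project.artifactId"] + ":" + version]
    return [ga + ":" + version for ga in shade_includes(pom_xml)]


# --- constructed sample inputs (not real artifacts; modelled on the thread above) ---
def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


BUNDLE_SOURCES_JAR = _jar({  # mirrors the unzip -l listing: META-INF only, no .java
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/DEPENDENCIES": "placeholder", "META-INF/LICENSE": "placeholder",
    "META-INF/NOTICE": "placeholder",
})
MODULE_SOURCES_JAR = _jar({  # what a module's sources jar looks like (constructed)
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "org/apache/shiro/Example.java": "package org.apache.shiro;\npublic class Example {}\n",
})
BUNDLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.apache.shiro</groupId><artifactId>shiro-root</artifactId><version>1.3.1</version></parent>
  <artifactId>shiro-all</artifactId>
  <name>Apache Shiro :: Jar Bundle</name>
  <build><plugins><plugin>
    <artifactId>maven-shade-plugin</artifactId>
    <executions><execution><goals><goal>shade</goal></goals>
      <configuration><artifactSet><includes>
        <include>${project.groupId}:shiro-core</include>
        <include>${project.groupId}:shiro-web</include>
        <include>${project.groupId}:shiro-ehcache</include>
        <include>${project.groupId}:shiro-quartz</include>
        <include>${project.groupId}:shiro-spring</include>
      </includes></artifactSet></configuration>
    </execution></executions>
  </plugin></plugins></build>
</project>"""

if __name__ == "__main__":
    print("cached jar checksum ok:", md5_matches(BUNDLE_SOURCES_JAR, md5_hex(BUNDLE_SOURCES_JAR)))
    print(".java entries in bundle sources jar:", java_sources(BUNDLE_SOURCES_JAR))
    print("search these instead:", source_candidates(BUNDLE_POM, BUNDLE_SOURCES_JAR))
```

Run stand-alone it prints an empty `.java` list for the bundle and the five `org.apache.shiro:shiro-*:1.3.1` coordinates; feeding those to the existing by-class search would replace the "0 potential matches found" outcome with a real query. A `${project.groupId}` resolved through `<parent>` is the one case the expansion has to get right for this pom, since `shiro-all` declares no `groupId` of its own.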

jensdietrich commented 1 year ago

What is the actual REST request here (incl. the class name used)? Even if this is an artifact that is not directly associated with sources (but only indirectly via the modules it aggregates), I would expect that classes within this jar still get indexed.

wtwhite commented 1 year ago

Do you mean the REST call(s) to query for artifacts using classes from the original org.apache.shiro:shiro-all:1.3.1 artifact? There are no such REST calls, because there are no classes to look for, because there are zero *.java source files in the original artifact to source them from.

wtwhite commented 1 year ago

Related: #29