jensdietrich opened 1 year ago
There are no .java files in the candidate artifact's source jar:
wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ cat log110-CVE-2016-6802.log
--snip--
2023-09-26 14:46:55,977 INFO [main] n.a.w.s.Main [Main.java:145] vulnerability verification project is valid
2023-09-26 14:46:55,977 INFO [main] n.a.w.s.Main [Main.java:157] PoV label is 'CVE-2016-6802'
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:212] PoV template GAV: org.apache.shiro:shiro-all:1.3.1
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using clone detector: ast
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using class selector: complexnames
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using result consolidation strategy: moreThanOne
2023-09-26 14:46:55,987 INFO [main] n.a.w.s.Main [Main.java:640] using result reporter: log
2023-09-26 14:46:55,993 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:37] Instantiated result reporter csv.details
2023-09-26 14:46:55,994 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:40] Configuring result reporter: csv.details
2023-09-26 14:46:55,994 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:49] set property dir -> details110-CVE-2016-6802
2023-09-26 14:46:56,095 INFO [main] n.a.w.s.Main [Main.java:640] using result reporter: csv.details
2023-09-26 14:46:56,097 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:37] Instantiated result reporter csv.summary
2023-09-26 14:46:56,098 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:40] Configuring result reporter: csv.summary
2023-09-26 14:46:56,098 INFO [main] n.a.w.s.ResultReporterFactory [AbstractServiceLoaderFactory.java:49] set property file -> summary110-CVE-2016-6802.csv
2023-09-26 14:46:56,099 INFO [main] n.a.w.s.Main [Main.java:640] using result reporter: csv.summary
2023-09-26 14:46:56,100 INFO [main] n.a.w.s.Main [Main.java:246] Final dir processing mode: COPY
2023-09-26 14:46:56,100 ERROR [main] n.a.w.s.Main [Main.java:256] progress stats will be written to /home/wtwhite/code/shadedetector/results/stats110-CVE-2016-6802.log
2023-09-26 14:46:56,114 INFO [main] n.a.w.s.ArtifactSearch [ArtifactSearch.java:218] using cached data from /home/wtwhite/code/shadedetector/.cache/artifacts-versions/org.apache.shiro:shiro-all-1.json
2023-09-26 14:46:56,184 INFO [main] n.a.w.s.ArtifactSearch [ArtifactSearch.java:103] 29 versions found of "org.apache.shiro:shiro-all
2023-09-26 14:46:56,206 DEBUG [main] n.a.w.s.ArtifactSearch [Utils.java:125] Unzipping /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar to /home/wtwhite/code/shadedetector/.cache/ziptmp5287682943225263354, will delete on exit
2023-09-26 14:46:56,234 INFO [main] n.a.w.s.Main [Main.java:295] Restrict search to class names matching: (any)
2023-09-26 14:46:56,235 INFO [main] n.a.w.s.Main [Main.java:301] Restrict cloned artifacts to GAVs matching: (any)
2023-09-26 14:46:56,236 INFO [main] n.a.w.s.Main [Main.java:307] Maximum number of class names to search for: 10
2023-09-26 14:46:56,236 INFO [main] n.a.w.s.Main [Main.java:309] By-class REST API search batch count: 5
2023-09-26 14:46:56,237 INFO [main] n.a.w.s.Main [Main.java:311] By-class REST API search batch size: 200
2023-09-26 14:46:56,237 INFO [main] n.a.w.s.Main [Main.java:313] Minimum number of classes detected as clones needed to trigger compilation and testing: 11
2023-09-26 14:46:56,245 INFO [main] n.a.w.s.Main [Main.java:328] 0 potential matches found
--snip--
wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ unzip -l /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
Archive: /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
Length Date Time Name
--------- ---------- ----- ----
0 2016-08-19 13:42 META-INF/
136 2016-08-19 13:42 META-INF/MANIFEST.MF
3278 2016-08-19 13:42 META-INF/DEPENDENCIES
11358 2016-08-19 13:42 META-INF/LICENSE
183 2016-08-19 13:42 META-INF/NOTICE
--------- -------
14955 5 files
That cached source jar is correct:
wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ md5sum /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
8c21a23bf399363168b34a40e9397914 /home/wtwhite/code/shadedetector/.cache/src/org.apache.shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar
wtwhite@wtwhite-vuw-vm:~/code/shadedetector/runs/21_copy_cached_builds_to_final_dir$ curl https://repo1.maven.org/maven2/org/apache/shiro/shiro-all/1.3.1/shiro-all-1.3.1-sources.jar.md5
8c21a23bf399363168b34a40e9397914
In fact the pom.xml says
<name>Apache Shiro :: Jar Bundle</name>
<description>Creates a bundled Shiro .jar from the module jars</description>
and includes a maven-shade-plugin plugin with
<includes>
<include>${project.groupId}:shiro-core</include>
<include>${project.groupId}:shiro-web</include>
<include>${project.groupId}:shiro-ehcache</include>
<include>${project.groupId}:shiro-quartz</include>
<include>${project.groupId}:shiro-spring</include>
</includes>
and not much else, suggesting that we can either:
1. change xshady to depend on one of these 5 modules instead, and possibly find more hits, or
2. change shadedetector to handle these "bundled" jars.
@jensdietrich thoughts? (1) looks easier to me.
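As an added illustration of option (2), here is a small stand-alone check (my own example code, not part of shadedetector or xshady) that inspects a sources jar and its pom together: it counts the .java entries and, when there are none but the pom configures maven-shade-plugin includes, reports the shaded modules as the GAVs a class search could be re-pointed at instead. The jars and poms are constructed in-memory stand-ins modelled on the `unzip -l` listing and the pom fragment quoted above; the function names are mine, and the assumption that the bundled modules share the bundle's own version (a single reactor build) is labelled in the code.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def build_constructed_bundle_sources_jar() -> bytes:
    """Constructed stand-in for shiro-all-1.3.1-sources.jar: META-INF only, no .java."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("MANIFEST.MF", "DEPENDENCIES", "LICENSE", "NOTICE"):
            zf.writestr("META-INF/" + name, "constructed placeholder\n")
    return buf.getvalue()


def build_constructed_module_sources_jar() -> bytes:
    """Constructed sources jar of an ordinary module, for contrast: it has a .java file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Placeholder.java", "package org.example;\nclass Placeholder {}\n")
    return buf.getvalue()


# Constructed pom fragment modelled on the shiro-all pom quoted in this thread
# (only the parts needed here; the real pom contains more).
BUNDLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-all</artifactId>
  <version>1.3.1</version>
  <name>Apache Shiro :: Jar Bundle</name>
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <configuration><artifactSet><includes>
      <include>${project.groupId}:shiro-core</include>
      <include>${project.groupId}:shiro-web</include>
      <include>${project.groupId}:shiro-ehcache</include>
      <include>${project.groupId}:shiro-quartz</include>
      <include>${project.groupId}:shiro-spring</include>
    </includes></artifactSet></configuration>
  </plugin></plugins></build>
</project>"""

# Constructed pom of a plain module that shades nothing.
MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId>
  <artifactId>placeholder</artifactId>
  <version>0.0.1</version>
</project>"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree attaches to POM element tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str):
    """Text of the first direct child element called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def java_sources_in_jar(jar_bytes: bytes) -> list:
    """Names of all .java entries in a sources jar (empty for a shade bundle)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(".java"))


def shade_includes(pom_xml: str) -> list:
    """groupId:artifactId patterns under maven-shade-plugin <includes>, with
    ${project.groupId} / ${project.version} expanded from the pom's own coordinates."""
    root = ET.fromstring(pom_xml)
    props = {
        "${project.groupId}": _child_text(root, "groupId") or "",
        "${project.version}": _child_text(root, "version") or "",
    }
    patterns = []
    for plugin in root.iter():
        if _local(plugin.tag) != "plugin" or _child_text(plugin, "artifactId") != "maven-shade-plugin":
            continue
        for inc in plugin.iter():
            if _local(inc.tag) == "include" and inc.text:
                text = inc.text.strip()
                for key, value in props.items():
                    text = text.replace(key, value)
                patterns.append(text)
    return patterns


def classify_sources_artifact(jar_bytes: bytes, pom_xml: str) -> dict:
    """Flag an artifact whose sources jar has no .java files but whose pom shades other
    modules, and list the module GAVs a class search could target instead.
    Assumption (constructed example): shaded modules share the bundle's version, as in
    a single reactor build; wildcard include patterns are not expanded."""
    sources = java_sources_in_jar(jar_bytes)
    includes = shade_includes(pom_xml)
    version = _child_text(ET.fromstring(pom_xml), "version") or ""
    is_bundle = not sources and bool(includes)
    return {
        "java_files": len(sources),
        "is_bundle": is_bundle,
        "module_candidates": [f"{ga}:{version}" for ga in includes] if is_bundle else [],
    }
```

Running `classify_sources_artifact(build_constructed_bundle_sources_jar(), BUNDLE_POM)` yields `java_files` 0, `is_bundle` True and the five `org.apache.shiro:shiro-*:1.3.1` candidates, which is exactly the situation the log above ends in with "0 potential matches found"; the plain-module case yields one .java file and no candidates. A real implementation would also have to resolve module versions from the bundle's dependencies and handle wildcard include patterns, which this example deliberately does not.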
What is the actual REST request here (incl. the class name used)? Even if this is an artifact that is not directly associated with sources (but only indirectly via the modules it aggregates), I would expect that classes within this jar still get indexed.
Do you mean the REST call(s) to query for artifacts using classes from the original org.apache.shiro:shiro-all:1.3.1 artifact? There are no such REST calls, because there are no classes to look for, because there are zero *.java source files in the original artifact to source them from.
Related: #29
atm the initial query returns zero results. Assuming that the original vulnerable component is in the maven repo, this would indicate that the class index is incomplete. Please double check.