Closed aurelienpernoud closed 2 years ago
And thanks A LOT for your tool btw :)
@aurelienpernoud Good question. At first, I compressed the JAR file as usual. Then I encountered issue #61.
Unable to open nested entry 'BOOT-INF/lib/spring-boot-2.6.1.jar'. It has been compressed and nested jar files must be stored without compression. Please check the mechanism used to create your executable jar file
Contrary to what the error message says, the outermost JAR file should not be compressed if JAR files are embedded. Nested files are allowed to be compressed.
If I had more time, I would compress a single JAR file without embedded JAR files.
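The storage rule discussed above, as an added example that is not part of the thread or of the scanner's code: it rewrites a fat JAR so that nested `.jar` entries are STORED while every other entry, including those inside the nested JARs, is DEFLATED, and lists the entries that would trigger the quoted error. The sample archive, the entry names and the `Faulty.class` placeholder are constructed for illustration.

```python
import io
import zipfile

NESTED = "BOOT-INF/lib/example-lib.jar"      # constructed name
FAULTY = "com/example/Faulty.class"          # placeholder for the removed class

def repack(jar: bytes, drop: str) -> bytes:
    """Rewrite a JAR without entry `drop`, recursing into nested JARs.
    Nested *.jar entries are written STORED; all other entries, including
    those inside the nested JARs, are DEFLATED."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename == drop:
                continue
            data = zin.read(info)
            nested = info.filename.endswith(".jar")
            if nested:
                data = repack(data, drop)    # patch inside, then store as-is
            entry = zipfile.ZipInfo(info.filename, info.date_time)
            entry.external_attr = info.external_attr
            entry.compress_type = zipfile.ZIP_STORED if nested else zipfile.ZIP_DEFLATED
            zout.writestr(entry, data)
    return out.getvalue()

def compressed_nested(jar: bytes) -> list[str]:
    """Nested JAR entries that are not STORED (the ones the loader rejects)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return [i.filename for i in z.infolist()
                if i.filename.endswith(".jar") and i.compress_type != zipfile.ZIP_STORED]

def build_sample(method: int) -> bytes:
    """Constructed fat JAR whose outer entries all use `method`."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(FAULTY, b"\xca\xfe\xba\xbe" + b"A" * 4000)
        z.writestr("com/example/Keep.class", b"\xca\xfe\xba\xbe" + b"B" * 4000)
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w", method) as z:
        z.writestr(NESTED, lib.getvalue())
        z.writestr("BOOT-INF/classes/application.properties", b"key=value\n" * 500)
    return app.getvalue()

if __name__ == "__main__":
    broken = build_sample(zipfile.ZIP_DEFLATED)
    fixed = repack(broken, FAULTY)
    print("compressed nested JARs before:", compressed_nested(broken))
    print("compressed nested JARs after: ", compressed_nested(fixed))
    print("all-stored size:", len(build_sample(zipfile.ZIP_STORED)), "selective:", len(fixed))
```

The all-STORED build is there only for the size comparison: writing every outer entry uncompressed satisfies the loader but inflates the archive, while storing only the nested JARs keeps the rest compressed.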
This would be a good enhancement for future consideration, potentially even compressing mitigated files that can be compressed. That said, this probably isn't a huge deal in the very short term.
@aurelienpernoud @jgstew Resolved in v2.2.2 release. However, it may still be slightly larger than the original version.
I don't know if it's expected, but this commit:
https://github.com/logpresso/CVE-2021-44228-Scanner/commit/41102e57e070700f3fd740ab067b2929f588a07c
also added those lines
So now the patched versions are way bigger than the original file.
No big deal in the end, but it may be surprising that the patched file, in the end removing a faulty class, is way bigger than the original?