can maven verify patch level of third party jar files

Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

Hi,

I'm looking for a way to verify that the jar files in a web application have had the latest security patches applied.
For example, Struts 2 versions before Struts 2.3.1.1 have a security hole (https://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/)

I'm looking for an automated way to scan an existing, deployed war file for this and other outdated jar versions.

Eventually the goal is to integrate this scan into our build sequence.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16054

"Patch levels" for Maven-controlled projects are somewhat of a contradiction. Maven is based on the idea of discrete versions of artefacts, not on versions+patches. Patches in the old-fashioned sense, where you could just do a brute-force binary zap, are virtually unheard of anymore (in part because in modern-day systems, the compilers optimize intensely on every source change).

If you wanted to scan a produced artefact for component versions, I suppose you could create a mojo for that, but it seems like it would probably be simpler to merely change the dependency versions in the POM to their required levels and do a maven clean/rebuild.


Customer surveys are for companies who didn't pay proper attention to begin with.
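A minimal version of the scan the question asks for, written here as an added example rather than code from either poster: it opens a deployed WAR, reads the Maven coordinates that most jars carry in META-INF/maven/groupId/artifactId/pom.properties, and flags any artifact below a required minimum. The minimum table holds only the thread's own data point (struts2-core below 2.3.1.1), and the in-memory sample WAR is constructed for the demonstration.

```python
import io
import zipfile

# Constructed minimum table; the thread cites Struts 2 below 2.3.1.1 as vulnerable.
MINIMUM_VERSIONS = {("org.apache.struts", "struts2-core"): "2.3.1.1"}

def is_older(version, minimum):
    """True when version < minimum; qualifiers sort below numbers and missing parts count as 0 (2.3.1-RC1 < 2.3.1 < 2.3.1.1)."""
    def key(v):
        return [(1, int(p)) if p.isdigit() else (0, p.lower()) for p in v.replace("-", ".").split(".")]
    a, b = key(version), key(minimum)
    width = max(len(a), len(b))
    return a + [(1, 0)] * (width - len(a)) < b + [(1, 0)] * (width - len(b))

def read_coordinates(jar_bytes):
    """Yield (groupId, artifactId, version) from each META-INF/maven/**/pom.properties in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                lines = jar.read(name).decode("utf-8", "replace").splitlines()
                props = dict(l.strip().split("=", 1) for l in lines if "=" in l and not l.lstrip().startswith("#"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    yield props["groupId"], props["artifactId"], props["version"]

def scan_war(war_bytes):
    """Return (jar path, group:artifact, found version, required minimum) for each outdated jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                for group, artifact, version in read_coordinates(war.read(entry)):
                    minimum = MINIMUM_VERSIONS.get((group, artifact))
                    if minimum and is_older(version, minimum):
                        findings.append((entry, f"{group}:{artifact}", version, minimum))
    return findings

def build_sample_war():
    """Constructed in-memory WAR with one outdated struts2-core jar and one at the required level."""
    def jar(group, artifact, version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                       f"# constructed\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        for v in ("2.2.3", "2.3.1.1"):
            z.writestr(f"WEB-INF/lib/struts2-core-{v}.jar", jar("org.apache.struts", "struts2-core", v))
    return war.getvalue()
```

Run against a real WAR with `scan_war(open("app.war", "rb").read())`; jars shaded or repackaged without pom.properties will not report coordinates and need a manifest or filename fallback.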