JavaRanch » Java Forums » Engineering » Ant, Maven and Other Build Tools
can maven verify patch level of third party jar files

Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

Hi,

I'm looking for a way to verify that the jar files in a web application have had the latest security patches applied.
For example, Struts 2 versions before Struts 2.3.1.1 have a security hole (https://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/)

I'm looking for an automated way to scan an existing, deployed war file for this and other outdated jar versions.

Eventually the goal is to integrate this scan into our build sequence.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15950

"Patch levels" for Maven-controlled projects are somewhat of a contradiction. Maven is based on the idea of discrete versions of artefacts, not on versions+patches. Patches in the old-fashioned sense, where you could just do a brute-force binary zap, are virtually unheard of any more (in part because in modern-day systems, the compilers optimize intensely on every source change).

If you wanted to scan a produced artefact for component versions, I suppose you could create a mojo for that, but it seems like it would probably be simpler to merely change the dependency versions in the POM to their required levels and do a maven clean/rebuild.


Customer surveys are for companies who didn't pay proper attention to begin with.
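The scan Tim McGuire asked for (read the jars inside a deployed WAR, recover their Maven coordinates, and fail the build when one is below a known-fixed release) can be done without a mojo. The script below is an added example written for this thread; it is not code from either poster or from Maven. It assumes that Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties (which they do), falls back to parsing the file name when that is absent, and uses a policy table holding only the threshold given in the question (struts2-core fixed in 2.3.1.1). The WAR and jars it scans by default are constructed in memory so it runs offline; point it at a real WAR by passing the path.

```python
"""Flag bundled jars in a WAR that are below a known-fixed version.

Added example for this thread, not code from the posts or from Maven.
Assumptions: the policy table holds only the threshold from the question
(struts2-core fixed in 2.3.1.1); coordinates come from the pom.properties
that Maven-built jars embed, with the file name as a weaker fallback; the
demo WAR is constructed in memory so the script runs offline.
"""
import io
import re
import sys
import zipfile

# groupId:artifactId -> lowest acceptable version (the Struts entry is from the post).
MINIMUM_VERSIONS = {
    "org.apache.struts:struts2-core": "2.3.1.1",
}


def parse_version(text):
    """Turn '2.3.1.1' or '2.3.1.1-SNAPSHOT' into a comparable tuple.

    Numeric components compare numerically and are padded so 2.3.1 == 2.3.1.0;
    a qualifier after '-' sorts below the bare release (2.3.1.1-SNAPSHOT < 2.3.1.1).
    """
    numbers, _, qualifier = text.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in numbers.split(".")]
    parts += [0] * (4 - len(parts))
    return (tuple(parts), 0 if qualifier else 1)


def jar_coordinates(jar_bytes, file_name):
    """Return ('groupId:artifactId', version) for one jar.

    Prefers Maven's embedded pom.properties; otherwise parses 'name-1.2.3.jar'
    and reports the group as '?' because a file name cannot establish it.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                props = dict(
                    line.strip().split("=", 1)
                    for line in jar.read(entry).decode("utf-8", "replace").splitlines()
                    if "=" in line and not line.lstrip().startswith("#")
                )
                if {"groupId", "artifactId", "version"} <= props.keys():
                    return (props["groupId"] + ":" + props["artifactId"], props["version"])
    match = re.match(r"^(.+?)-(\d[^/]*)\.jar$", file_name)
    if match:
        return ("?:" + match.group(1), match.group(2))
    return ("?:" + file_name, "unknown")


def minimum_for(coordinates):
    """Look up the policy entry; an unknown ('?') group matches on artifactId alone."""
    if coordinates in MINIMUM_VERSIONS:
        return MINIMUM_VERSIONS[coordinates]
    group, _, artifact = coordinates.partition(":")
    if group == "?":
        for key, minimum in MINIMUM_VERSIONS.items():
            if key.endswith(":" + artifact):
                return minimum
    return None


def scan_war(war_bytes):
    """Classify every WEB-INF/lib/*.jar in the WAR as ok, outdated or unlisted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in sorted(war.namelist()):
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            coordinates, version = jar_coordinates(war.read(name), name.rsplit("/", 1)[-1])
            minimum = minimum_for(coordinates)
            if minimum is None:
                status = "unlisted"
            elif parse_version(version) < parse_version(minimum):
                status = "outdated"
            else:
                status = "ok"
            findings.append({"jar": name, "coordinates": coordinates, "version": version,
                             "minimum": minimum, "status": status})
    return findings


def build_jar(group, artifact, version, with_pom_properties=True):
    """Constructed sample jar: a manifest plus, optionally, Maven's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_pom_properties:
            jar.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact),
                         "#Generated by Maven\nversion=%s\ngroupId=%s\nartifactId=%s\n"
                         % (version, group, artifact))
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR: an outdated struts2-core, an unlisted jar, and one with no Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/struts2-core-2.2.3.jar",
                     build_jar("org.apache.struts", "struts2-core", "2.2.3"))
        war.writestr("WEB-INF/lib/xwork-core-2.2.3.jar",
                     build_jar("org.apache.struts.xwork", "xwork-core", "2.2.3"))
        war.writestr("WEB-INF/lib/mystery-lib-1.0.jar",
                     build_jar("example", "mystery-lib", "1.0", with_pom_properties=False))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_war.py [path/to/app.war]; without an argument the constructed WAR is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    results = scan_war(data)
    for f in results:
        print("%-9s %-40s %s (minimum %s)" % (f["status"], f["coordinates"], f["version"], f["minimum"]))
    # A non-zero exit makes a build step fail when an outdated jar is present.
    sys.exit(1 if any(f["status"] == "outdated" for f in results) else 0)
```

Run it after the package phase (for example from an exec step, or wrapped in the mojo Tim Holloway mentions) and the non-zero exit stops the build. Two caveats a practitioner should keep in mind: pom.properties and the file name are self-reported by whoever built the jar, so a shaded, repackaged or renamed jar can hide its real version, and "unlisted" only means the table has no entry, not that the jar is safe. For stronger assurance compare each jar's hash against the checksum published beside the artifact in the Maven repository rather than trusting the metadata inside it.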