android - How to determine which dependency causes Google Play OpenSSL warning? -

-

i'm working on big legacy project , trying fix openssl vulnerability issue explained @ how address openssl vulnerabilities in apps.

the problem is, there lot of dependencies, open source (i updated didn't break compatibility) added gradle import, custom/closed source provided partners , contractors of company work , attached project jars.

is there way pinpoint specific library has vulnerability? used bash script provided @ google play , openssl warning message , points 1 native dependency (actually .so file). there option pinpoint actual dependency there?

is there option pinpoint actual dependency there?

yes, need know offending openssl version , need grep. windows find won't do.

first, take note of offending openssl version. sake of argument, due openssl 1.0.1h.

next, gather list of dependencies , top level folders. sake of argument, $home/desktop/aosp-app, $home/sdk-a, /usr/local/sdk-b , /opt/local/sdk-c.

finally, top level directories:

grep -r '1.0.1h' "$home/desktop/aosp-app" grep -r '1.0.1h' "$home/sdk-a" grep -r '1.0.1h' /usr/local/sdk-b grep -r '1.0.1h' /opt/local/sdk-c

you don't need grep -ir, case insensitive (-i) recursive (-r) search. don't need grep -ir, recursive (-r) search skips binary files (-i).

all of works because openssl library embeds version in data section string. eventually, hit on culprit, sdk comes pre-built shared object includes openssl static library. 1 sdk seems identified frequently, , uses curl built against static openssl library.

if have jar files , suspect them, can perform following quick test:

find <dir> -name '*.jar' -exec grep -r '1.0.1h' {} \;

the command in directory <dir> , subdirectories. search files *.jar extension. when finds one, run grep on looking string. find every *.jar finds.


Comments

Post a Comment

Popular posts from this blog

java - Static nested class instance -

-
this question has answer here: java inner class , static nested class 23 answers i came across in java, know static nested class why create instance of 'static'. isn't whole idea of 'static' use without instance? understand concept of inner classes, why (and frankly how possible to) create 'instance' of 'static' member @ ? why this: 1- outerclass.staticnestedclass nestedobject = new outerclass.staticnestedclass(); 2- nestedobject.anestedclassmethod(); and not this: 1- outerclass outerinstance=new outerclass(); 2- outerinstance.staticnestedclass.anestedclassmethod(); use on inner classes, keyword static indicates can access inner class without instance of outer class. for example: public class outer { public static class inner { /* code here. */ } } with construction, can create instance of inn
Read more

c# - Bluetooth LE CanUpdate Characteristic property -

-
i building xamarin.forms cross platform mobile app, uses monkey.robotics bluetoth low energy functionality. connecting mbed based implimentation of custom gatt service . in xamarin c#, triggers characteristic. canupdate property in monkey.robotics? this standard example c# based on: if (characteristic.canupdate) { characteristic.valueupdated += (s, e) => { debug.writeline("characteristic.valueupdated"); device.begininvokeonmainthread( () => { updatedisplay(characteristic); }); isbusy = false; // spin until first result received }; isbusy = true; characteristic.startupdates(); } this has been working, since changed own custom gatt service connecting to, canupdate property false. property , how triggered? me debugging gatt service code. thanks monkey.robotics open sour
Read more

JavaScript - Replace variable from string in all occurrences -

-
ok, know if have character '-' , want remove in places in string javascript, ... someword = someword.replace(/-/g, ''); but, when applying array of characters, s not working ... const badchars = ('\/:*?"<>|').split(''); let filename = title.replace(/ /g, '-').tolocalelowercase(); (let item = 0; item < badchars.length; item++) { // below not work global '/ /g' filename = filename.replace(/badchars[item]/g, ''); } any ideas? /badchars[item]/g looks badchars , literally, followed i , t , e , or m . if you're trying use character badchars[item] , you'll need use regexp constructor, , you'll need escape regex-specific characters. escaping regular expression has been well-covered . using that: filename = filename.replace(new regexp(regexp.quote(badchars[item]), 'g'), ''); but , don't want that. want character class: let filename = title.replac
Read more