Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
Welcome To Ask or Share your Answers For Others

Categories

I have an Android app that is using some .jar file (libraries). My app is being rejected for OpenSSL vulnerabilities, but can't find the .jar file that contains OpenSSL.

How do I search the .jar files for Openssl on my MAC?

grep Openssl.class /Users/joon/work/androidApp/*.jar

UPDATE===

Here are my dependencies and Jars. When I run the grep command mentioned below it doesn't tell me which jar is the issue just that I have an old version of the OpenSSL. Further, some of the jars below, like Bouncy Castle, whether they have OpenSSL or not, have not been updated since 2013, which is before the OpenSSL security fix. We tried removing each of the jars, one by one, and recompiling + cleaning (commenting out the code so it would compile), but it still says the old OpenSSL is in use. Can anyone point to the culprit below?

JARS:
httpmime-4.1.3.jar
libGoogleAnalyticsServices.jar
opentok-android-sdk-2.3.1.jar
sc-light-jdk15on-1.47.0.2.jar
scpkix-jdk15on-1.47.0.2.jar
scprov-jdk15on-1.47.0.2.jar
socketio.jar


dependencies {
    compile fileTree(dir: 'libs', include: ['*.jar'])
    compile 'com.android.support:appcompat-v7:21.+'
    compile 'com.google.android.gms:play-services-maps:6.5.+'
    compile 'com.crashlytics.android:crashlytics:1.+'
}
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
1.6k views
Welcome To Ask or Share your Answers For Others

1 Answer

How do I search the .jar files for Openssl on my MAC?

You can check the JAR files with the following script:

#!/usr/bin/env bash

JAR_FILES=("httpmime-4.1.3.jar"
           "libGoogleAnalyticsServices.jar"
           "opentok-android-sdk-2.3.1.jar"
           "sc-light-jdk15on-1.47.0.2.jar"
           "scpkix-jdk15on-1.47.0.2.jar"
           "scprov-jdk15on-1.47.0.2.jar"
           "socketio.jar")

for jar_file in "${JAR_FILES[@]}"
do
    echo "************ $jar_file ************"
    grep '1.0.1h' "$jar_file"
done

You should replace the string '1.0.1h' with the vulnerable OpenSSL version being reported to you. Be sure to retain the single quote because the period is a literal in 1.0.1h.


Another way to do it is:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep 'Openssl.class' {} ;

Or:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep '1.0.1h' {} ;

On OS X, this is helpful too:

find "$HOME" -name '.DS_Store' -exec rm -f {} ;

It removes those .DS_Store files that get created in every directory and subsequently added to archives like ZIP files.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
...