README.md: 8 additions & 1 deletion
@@ -45,7 +45,6 @@ Java programs are frequently:
45
45
46
46
Consquently, _*any*_ library a Java project is using can include the vulnerability into your project. An in-depth bytecode analysis helps, which is what we publish as part of this repository.
47
47
48
-
49
48
## How the script works
50
49
1. Extract pom.xml files from .jar
51
50
2. check declared dependencies against a [pre-computed list](src/main/resources/VulnerableGavs.csv) of affected groupId:artifactId:version list for artifacts hosten on Maven Central
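Review bot: the only change in this hunk is dropping one of the two blank lines before `## How the script works`, which is fine, but the context lines around it carry two typos that should go into the same commit: `Consquently` should read `Consequently`, and `hosten on Maven Central` should read `hosted on Maven Central`. The nested emphasis `_*any*_` mixes two markers for one word; a single `**any**` reads the same and renders consistently. In step 2, `of affected groupId:artifactId:version list` repeats "list"; `of affected groupId:artifactId:version entries` is enough.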
@@ -59,6 +58,10 @@ To build this tool run
59
58
60
59
`mvn compile`
61
60
61
+
For assembling a runnable `jar` use
62
+
63
+
`mvn clean compile assembly:single`
64
+
62
65
## Precomputed Hashes of Vulnerable Classes
63
66
64
67
The set of vulnerable hashes for classes has been pre-compute on entire [Maven Central](https://mvnrepository.com/repos/central) repository. The hashes of the classes contain all hashes that we identified as bytecode-similiar using the Fingerprinting technology.
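Review bot: the new `mvn clean compile assembly:single` line tells the reader how to build the runnable jar but stops there; add the path of the produced artifact and the `java -jar ...` invocation (with the arguments the scanner expects) directly after it, otherwise the build section ends before the tool is usable. Since `assembly:single` only yields a runnable jar when the assembly plugin and its main class are configured in the pom, a short sentence saying that this repository's pom already does so would save readers a failed build. Two typos in the context lines of this hunk: `pre-compute on entire` should be `pre-computed on the entire`, and `bytecode-similiar` should be `bytecode-similar`.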
@@ -82,6 +85,10 @@ Details on the technology are found in the paper [SootDiff](https://dl.acm.org/d
82
85
83
86
*Note: For a simpler roll out, this repository does ship SHA hashes of the vulnerable classes, the information has been computed using Fingerprinting*
84
87
88
+
## Disclaimers
89
+
90
+
The list of hashes and maven artifacts is not complete. We'll regularly update the lists.
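Review bot: the new `## Disclaimers` section says the lists are incomplete but does not state what that means for someone reading a scan result: make explicit that a run with no findings is not evidence that a project is unaffected (a missing entry produces a false negative, not a false positive), and that, per the section above, the hashes were pre-computed from Maven Central, so classes that never appeared there may not be matched. Suggested wording: `The list of hashes and Maven artifacts is not complete. A scan that reports no findings therefore does not prove that a project is unaffected. We'll regularly update the lists.` Also `maven artifacts` should be capitalized as `Maven artifacts`, as elsewhere in the README.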