Red Hat 계정으로 회원 프로필, 기본 설정 및 고객 상태에 따라 다음의 서비스에 액세스할 수 있습니다.
아직 등록하지 않으셨습니까? 등록해야 하는 이유:
- 한 곳에서 기술 자료 문서를 탐색하고, 지원 사례와 서브스크립션을 관리하고, 업데이트를 다운로드 할 수 있습니다.
- 조직 내의 사용자를 보고, 계정 정보, 기본 설정 및 권한을 편집할 수 있습니다.
- Red Hat 자격증을 관리하고 시험 내역을 조회하며 자격증 관련 로고 및 문서를 다운로드할 수 있습니다.
Red Hat 계정으로 회원 프로필, 기본 설정 및 자신의 고객 상태에 따른 기타 서비스에 액세스할 수 있습니다.
보안을 위해, 공용 컴퓨터 사용 중에 Red Hat 서비스 이용이 끝난 경우 로그아웃하는 것을 잊지 마십시오.로그아웃
This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha release of the victims client for Java hopes to fill this gap. The victims client for Java is a simple command line tool that presently has the ability to scan jar files, directories, and pom.xml files for known vulnerabilities. It also allows you to synchronize with the victims project infrastructure and control local settings.
Getting started with the victims client for Java is relatively simple.
- Download the alpha release of the victims tool.
- Build it using the 'mvn clean package' command. You need to have a Java SDK >= 1.5 and Maven installed on your machine.
- Run it: by default, the victims client for Java will compile into a standalone .jar file. This means that you can launch it from the build directory by running '$ java -jar target/victims-client-1.0-SNAPSHOT-standalone.jar'
To simplify the examples we can create an alias:
cp target/victims-client*-standlone.jar ~/.victims
alias victims='java -jar $HOME/.victims/victims-client-1.0-SNAPSHOT-standalone.jar'
The goal of this release has been to present a small subset of capabilities to users with the aim of figuring out what additional features people require. The rest of this article will focus on the various use cases for the client tool.
The first and most important step when using the client is to synchronize with the victims Embedded Vulnerability Detection (EVD) service. This will download all the vulnerability definitions from the remote service, which can take a while. To do this you need to specify the '--update' flag when running the client. Specifying '--update' on subsequent runs of the tool will check to make sure that no additional updates are available.
# Getting updates
$ victims --update
Updating EVD definitions:
# Checking last update time
$ victims --db-status
Database last updated on: Mon Dec 16 14:37:48 EST 2013
With the database up to date, it is now possible to scan jar files. If the victims client for Java test ran during the build, then you should have some example files that you can run the scans against in the '.testdata' directory.
To run a scan against a single jar file, simply provide the file name:
$ victims .testdata/org/springframework/spring/2.5.6/spring-2.5.6.jar
.testdata/org/springframework/spring/2.5.6/spring-2.5.6.jar VULNERABLE! CVE-2009-1190 CVE-2011-2730 CVE-2010-1622
You can also recursively scan a directory for known vulnerable artifacts:
# Warning - this will take a while..
$ victims --recursive ~/.m2
/home/gm/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar VULNERABLE! CVE-2012-5783
/home/gm/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar VULNERABLE! CVE-2009-2625
If you use Maven to build your projects, you can also run the victims client for Java across your entire source directory. Any pom.xml files that are detected will have all dependency Group, Artifact, and Version (GAV) information cross checked against the victims database entries.
That covers the main use cases of the tool. We are looking for alpha testers to help improve the capabilities and iron out any bugs. If you do take the time to test this project out, please give us feedback via raising issues on Github, contacting us on #victi.ms on freenode, or via the development mailing list.
About the author
Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.