add dependency

JavaProbe/JavaProbe.iml

@@ -11,6 +11,10 @@
     <orderEntry type="sourceFolder" forTests="false" />
     <orderEntry type="library" name="gson-2.7" level="project" />
     <orderEntry type="library" name="bcprov-jdk15on-162" level="project" />
+    <orderEntry type="library" name="spring-boot-loader-2.1.3.RELEASE" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: junit:junit:4.12" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-loader:2.1.3.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: commons-io:commons-io:2.6" level="project" />
   </component>
 </module>

JavaProbe/pom.xml

@@ -3,7 +3,6 @@
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
-
     <groupId>groupId</groupId>
     <artifactId>JavaProb</artifactId>
     <version>1.0-SNAPSHOT</version>
@@ -15,17 +14,17 @@
             <version>4.12</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.6</version>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-loader</artifactId>
             <version>2.1.3.RELEASE</version>
-            <scope>provided</scope>
+    </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.6</version>
         </dependency>
+
     </dependencies>
 
-</project>
+</project>

JavaProbe/src/entity/DependencyInfo.java

@@ -0,0 +1,39 @@
+package entity;
+
+/**
+ * @author fate
+ * @date 2019-11-12 下午6:30
+ * 依赖信息实体
+ */
+public class DependencyInfo {
+
+    private String version;
+
+    private String groupId;
+
+    private String artifactId;
+
+    public String getVersion() {
+        return version;
+    }
+
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    public String getGroupId() {
+        return groupId;
+    }
+
+    public void setGroupId(String groupId) {
+        this.groupId = groupId;
+    }
+
+    public String getArtifactId() {
+        return artifactId;
+    }
+
+    public void setArtifactId(String artifactId) {
+        this.artifactId = artifactId;
+    }
+}

JavaProbe/src/entity/JvmInfo.java

@@ -1,5 +1,6 @@
 package entity;
 
+import java.security.PrivateKey;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -35,6 +36,16 @@ public class JvmInfo {
 
     private Map<String,String> jarPathMap = new HashMap<String, String>(); // 存放可能存在jar的路径呀
 
+    private List<DependencyInfo> dependencyInfoList = new ArrayList<DependencyInfo>(); // 存放jar包依赖，用于生成依赖文件，方便对整个应用进行漏洞跟踪
+
+    public List<DependencyInfo> getDependencyInfoList() {
+        return dependencyInfoList;
+    }
+
+    public void setDependencyInfoList(List<DependencyInfo> dependencyInfoList) {
+        this.dependencyInfoList = dependencyInfoList;
+    }
+
     public String getExceTime() {
         return exceTime;
     }

JavaProbe/src/maven/EasyJarHandle.java

@@ -0,0 +1,67 @@
+package maven;
+
+import common.CommonUtil;
+import entity.DependencyInfo;
+
+import java.io.File;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Properties;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+
+/**
+ * @author fate
+ * @date 2019-11-22 下午12:05
+ */
+public class EasyJarHandle {
+
+    /**
+     * 获取依赖信息
+     * @param jarpath jar文件路径
+     * @param dependencyInfoList 存放依赖包数据的list
+     * @return
+     */
+    public static List<DependencyInfo> getDependencyInfo(String jarpath, List<DependencyInfo> dependencyInfoList) {
+
+        try {
+
+            File jarDict = new File(jarpath.replace("file:","").replace("WEB-INF/classes/", "WEB-INF/lib/"));
+
+            for (File file : jarDict.listFiles()) {
+
+                if (file.isFile() && file.getName().endsWith(".jar")) {
+
+                    JarFile jarFile = new JarFile(file);
+
+                    Enumeration<JarEntry> jarEntryEnumeration = jarFile.entries();
+
+                    while (jarEntryEnumeration.hasMoreElements()) {
+
+                        JarEntry jarEntry= jarEntryEnumeration.nextElement();
+
+                        if (jarEntry.getName().endsWith("/pom.properties")) {
+
+                            Properties prop = new Properties();
+                            prop.load(jarFile.getInputStream(jarEntry));
+
+                            DependencyInfo dependencyInfo = new DependencyInfo(); // 存放依赖信息
+                            dependencyInfo.setArtifactId(prop.getProperty("artifactId"));
+                            dependencyInfo.setGroupId(prop.getProperty("groupId"));
+                            dependencyInfo.setVersion(prop.getProperty("version"));
+
+                            dependencyInfoList.add(dependencyInfo);
+                        }
+                    }
+                }
+            }
+        }
+        catch (Exception e) {
+
+            CommonUtil.writeStr("/tmp/jvm_error.txt","getDependencyInfo_byeasy:\t" + e.getMessage());
+        }
+
+        return dependencyInfoList;
+    }
+
+}

JavaProbe/src/maven/FatJarHandle.java

@@ -0,0 +1,106 @@
+package maven;
+import common.CommonUtil;
+import entity.DependencyInfo;
+import org.springframework.boot.loader.jar.JarFile; // 偷懒 直接使用springboot的
+import java.io.File;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Properties;
+import java.util.jar.JarEntry;
+
+/**
+ * @author fate
+ * @date 2019-11-22 上午11:38
+ * 用于处理fat jar资源的获取
+ */
+public class FatJarHandle {
+
+    /**
+     * fat jar 依赖文件的获取，多用于处理springboot打包的jar 传入的path是这样的 jar:file:/home/q/system/java/live/build/libs/live-33541.a12ed7cc.jar!/BOOT-INF/classes!/
+     * @param jarpath
+     * @param dependencyInfoList
+     * @return
+     */
+    public static List<DependencyInfo> getDependencyInfo(String jarpath, List<DependencyInfo> dependencyInfoList) {
+
+        try {
+
+            JarFile jarFile = new JarFile(new File(getROOTJar(jarpath)));
+
+            Enumeration<JarEntry> jarEntryEnumeration = jarFile.entries();
+
+            while (jarEntryEnumeration.hasMoreElements()) {
+
+                JarEntry jarEntry = jarEntryEnumeration.nextElement();
+
+                if (jarEntry.getName().endsWith(".jar")) { // 这里就暂时不匹配BOOT-INF/lib，考虑通用性
+
+                    JarFile inJarFile = jarFile.getNestedJarFile(jarEntry);
+                    DependencyInfo dependencyInfo = getJarInJardependcyInfo(inJarFile); // 获取资源
+
+                    if (dependencyInfo != null) dependencyInfoList.add(dependencyInfo);
+
+                }
+            }
+
+        }
+        catch (Exception e) {
+
+            CommonUtil.writeStr("/tmp/jvm_error.txt","getDependencyInfo:\t" + e.getMessage());
+        }
+
+        return dependencyInfoList;
+    }
+
+    /**
+     * 获取Jarinjar中的资源
+     * @param jarFile
+     * @return
+     */
+    public static DependencyInfo getJarInJardependcyInfo(JarFile jarFile) {
+
+        try {
+
+            Enumeration<JarEntry> jarEntryEnumeration = jarFile.entries();
+
+            while (jarEntryEnumeration.hasMoreElements()) {
+
+                JarEntry jarEntry= jarEntryEnumeration.nextElement();
+
+                if (jarEntry.getName().endsWith("/pom.properties")) {
+
+                    Properties prop = new Properties();
+                    prop.load(jarFile.getInputStream(jarEntry));
+
+                    DependencyInfo dependencyInfo = new DependencyInfo(); // 存放依赖信息
+                    dependencyInfo.setArtifactId(prop.getProperty("artifactId"));
+                    dependencyInfo.setGroupId(prop.getProperty("groupId"));
+                    dependencyInfo.setVersion(prop.getProperty("version"));
+
+                    return dependencyInfo;
+                }
+            }
+
+        }
+        catch (Exception e) {
+
+            CommonUtil.writeStr("/tmp/jvm_error.txt","getJarInJardependcyInfo:\t" + e.getMessage());
+        }
+
+        return null;
+
+    }
+
+    /**
+     * 获取rootjar资源路径
+     * @param jarPath
+     * @return
+     */
+    public static String getROOTJar(String jarPath) {
+
+        jarPath = jarPath.split(".jar!/")[0].replace("jar:file:","");
+
+        return jarPath + ".jar";
+    }
+
+}

JavaProbe/src/maven/MavenHandle.java

@@ -0,0 +1,54 @@
+package maven;
+
+import common.CommonUtil;
+import entity.DependencyInfo;
+import entity.JvmInfo;
+import org.springframework.boot.loader.jar.Handler;
+
+import java.util.*;
+
+/**
+ * @author fate
+ * @date 2019-11-08 上午12:31
+ * 从jvm实例中构建pom.xml
+ */
+public class MavenHandle extends Handler {
+
+    /**
+     * 获取jar读取到的依赖 用于针对于应用的漏洞(风险)管理
+     * @param jvmInfo
+     * @return
+     */
+    public JvmInfo getMavenResult(JvmInfo jvmInfo) {
+
+        try {
+
+            List<DependencyInfo> dependencyInfos = new ArrayList<DependencyInfo>();
+
+            for(Map.Entry<String, String> entry : jvmInfo.getJarPathMap().entrySet()){
+
+                String targetJar = entry.getKey().trim();
+
+                if (targetJar.endsWith("!/")) {
+
+                    FatJarHandle.getDependencyInfo(targetJar,dependencyInfos);
+                    //System.out.println("胖头鱼走起");
+                }
+                else {
+
+                    EasyJarHandle.getDependencyInfo(targetJar,dependencyInfos);
+                    //System.out.println("easyjar 走起");
+                }
+            }
+
+            jvmInfo.setDependencyInfoList(dependencyInfos);
+        }
+        catch (Exception e) {
+
+            CommonUtil.writeStr("/tmp/jvm_error.txt","getMavenResult:\t" + e.getMessage());
+        }
+
+        return jvmInfo;
+    }
+}
+