[SCA open-source component vulnerability remediation] Notes on the problems encountered


    SCA open-source vulnerability remediation

    Tools used

    1. MavenRunHelper plugin
    2. Maven library lookup: used to check whether an imported library has known vulnerabilities

    MavenRunHelper plugin

    Open the project's pom.xml; in the lower-left corner of the opened pom.xml there is a Dependency Analyzer tab (screenshot omitted).
    Select "All Dependencies as Tree", type the name of the dependency you want to search for, and the dependencies that pull it in are listed below; click Jump to Source to see the details.

    Maven library lookup: checking whether an imported library has known vulnerabilities

    (screenshots omitted)
    If the dependency turns out to have a vulnerability, switch to another version or use a different dependency.

    Operations and problems encountered

    Removing the spring-cloud-netflix component: how to exclude, or upgrade, a dependency that comes from a parent POM referenced via <parent>

    spring-cloud-netflix 1.3.0.RELEASE has a vulnerability; the jars are pulled in via:

    Source/xxx.war/WEB-INF/lib/spring-cloud-netflix-eureka-client-1.3.0.RELEASE.jar
    Source/xxx.war/WEB-INF/lib/spring-cloud-netflix-eureka-client-1.3.0.RELEASE.jar/META-INF/maven/org.springframework.cloud/spring-cloud-netflix-eureka-client/pom.xml
    Source/xxx.war/WEB-INF/lib/spring-cloud-netflix-core-1.3.0.RELEASE.jar
    Source/xxx.war/WEB-INF/lib/spring-cloud-netflix-core-1.3.0.RELEASE.jar/META-INF/maven/org.springframework.cloud/spring-cloud-netflix-core/pom.xml

    From this it follows: if the project really uses the contents of these two jars, upgrade to the recommended or latest version; if it does not, the jars can be removed with an exclusion.

    1. The spring-cloud-netflix component is not actually used; it is merely pulled in, so it can be removed.
    2. The component is introduced by the parent POM microframework-parent, and microframework-parent is referenced via <parent> (shown below). To add an exclusion for it, the <parent> tag must be rewritten as a <dependency>, because exclusions can only be declared on a dependency.
    <parent>
    	<groupId>com.xxxx.xxx</groupId>
    	<artifactId>microframework-parent</artifactId>
    	<version>0.1.0.29</version>
    </parent>

    After some trial and error it turned out that it has to be written as follows: declare microframework-parent in <dependencyManagement> (otherwise the project's Dependencies shown in IDEA's Maven Projects panel on the right become inconsistent), and do the actual exclusion in <dependencies> (otherwise the dependencies are missing from the packaged jar, which can be seen under External Libraries on the left, and the application fails at runtime).

    <dependencyManagement>
    	<dependencies>
    		<dependency>
    			<groupId>com.xxxx.xxx</groupId>
    			<artifactId>microframework-parent</artifactId>
    			<version>0.1.0.29</version>
    			<type>pom</type>
    			<scope>import</scope>
    		</dependency>
    	</dependencies>
    </dependencyManagement>
    
    <dependencies>
    	<dependency>
    		<groupId>com.xxxx.xxx</groupId>
    		<artifactId>microframework-parent</artifactId>
    		<version>0.1.0.29</version>
    		<exclusions>
    			<exclusion>
    				<!-- the starter that pulls in spring-cloud-netflix-eureka-client and spring-cloud-netflix-core -->
    				<groupId>org.springframework.cloud</groupId>
    				<artifactId>spring-cloud-starter-eureka</artifactId>
    			</exclusion>
    		</exclusions>
    	</dependency>
    </dependencies>

    Upgrading the poi component (4.1.2) to 5.2.2: java.lang.NoSuchFieldError: Factory

    easyexcel 3.1.1 ships with poi and poi-ooxml 4.1.2; exclude those two and import version 5.2.2 instead.

    <dependency>
    	<groupId>com.alibaba</groupId>
    	<artifactId>easyexcel</artifactId>
    	<version>3.1.1</version>
    	<exclusions>
    		<exclusion>
    			<artifactId>poi</artifactId>
    			<groupId>org.apache.poi</groupId>
    		</exclusion>
    		<exclusion>
    			<artifactId>poi-ooxml</artifactId>
    			<groupId>org.apache.poi</groupId>
    		</exclusion>
    	</exclusions>
    </dependency>
    
    <dependency>
    	<groupId>org.apache.poi</groupId>
    	<artifactId>poi</artifactId>
    	<version>5.2.2</version>
    	<scope>compile</scope>
    </dependency>
    
    <dependency>
    	<groupId>org.apache.poi</groupId>
    	<artifactId>poi-ooxml</artifactId>
    	<version>5.2.2</version>
    	<scope>compile</scope>
    </dependency>

    The following error then appears:

    com.alibaba.excel.exception.ExcelAnalysisException: java.lang.NoSuchFieldError: Factory
    	at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:61) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.ExcelReader.<init>(ExcelReader.java:27) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.read.builder.ExcelReaderBuilder.build(ExcelReaderBuilder.java:202) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.read.builder.ExcelReaderBuilder.sheet(ExcelReaderBuilder.java:239) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.read.builder.ExcelReaderBuilder.sheet(ExcelReaderBuilder.java:227) ~[easyexcel-core-3.1.1.jar:?]
    	at com.xxxxxxxxxxxxxxxxxx.asfservice.xxxxxxxxxImpl.singTreat(xxxxxAsfServicexxxxxxImpl.java:108) ~[classes/:0.1.0.29]
    	at com.xxxx.xxx.service.impl.DefaultAbTreatservice.single(DefaultAbTreatservice.java:229) ~[xx-xx-x-1.2.1.0.jar:?]
    	at com.xxxx.xxx.service.impl.DefaultAbTreatservice.singleTreat(DefaultAbTreatservice.java:76) ~[xx-xx-x-1.2.1.0.jar:?]
    	at com.xxxx.xxx.service.impl.ThreadPoolAbMessageservice.sendExe(ThreadPoolAbMessageservice.java:86) ~[xx-xx-x-1.2.1.0.jar:?]
    	at com.xxxx.xxx.schedule.DefaultInstanceRunnable.run(DefaultInstanceRunnable.java:99) ~[xx-xx-x-1.2.1.0.jar:?]
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_191]
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_191]
    	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_191]
    Caused by: java.lang.NoSuchFieldError: Factory
    	at org.apache.poi.xssf.model.StylesTable.readFrom(StylesTable.java:219) ~[poi-ooxml-5.2.2.jar:5.2.2]
    	at org.apache.poi.xssf.model.StylesTable.<init>(StylesTable.java:159) ~[poi-ooxml-5.2.2.jar:5.2.2]
    	at org.apache.poi.xssf.eventusermodel.XSSFReader.getStylesTable(XSSFReader.java:166) ~[poi-ooxml-5.2.2.jar:5.2.2]
    	at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.setStylesTable(XlsxSaxAnalyser.java:149) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.analysis.v07.XlsxSaxAnalyser.<init>(XlsxSaxAnalyser.java:106) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.analysis.ExcelAnalyserImpl.choiceExcelExecutor(ExcelAnalyserImpl.java:103) ~[easyexcel-core-3.1.1.jar:?]
    	at com.alibaba.excel.analysis.ExcelAnalyserImpl.<init>(ExcelAnalyserImpl.java:55) ~[easyexcel-core-3.1.1.jar:?]
    	... 12 more

    Cause: conflict between poi-ooxml-schemas and poi-ooxml-lite

    1. poi-ooxml 5.2.2 depends on poi-ooxml-lite 5.2.2
    2. Starting with version 5.0.0, poi-ooxml-schemas was renamed poi-ooxml-lite
    3. easyexcel 3.1.1 still depends on poi-ooxml-schemas

    Both artifacts contain the same generated OOXML schema classes, so the copy from the old poi-ooxml-schemas can shadow the 5.2.2 one; that older copy lacks the Factory field that poi-ooxml 5.2.2 expects, hence the NoSuchFieldError. Excluding poi-ooxml-schemas from easyexcel, or removing whichever of the two the project does not need, resolves the conflict.
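    Both problems above (finding where a flagged artifact such as spring-cloud-netflix-core enters the build and on which direct dependency the exclusion has to be declared, and noticing that poi-ooxml-schemas and poi-ooxml-lite coexist) can be answered from the text that `mvn dependency:tree` prints. The script below is an added example and not part of the post; the tree text is constructed to mirror the post's coordinates (the com.xxxx.xxx placeholders are kept as placeholders), and the parser, function names and the renamed-artifact table are this example's own assumptions rather than anything Maven provides.

```python
"""Locate how a flagged artifact enters a Maven build from `mvn dependency:tree`
text output, and spot artifacts that coexist under their old and new names.

Added example; the tree text below is constructed for illustration. The parser,
the helper names and the RENAMED table are assumptions of this example."""
import re
from dataclasses import dataclass

# Constructed sample, in the layout `mvn dependency:tree` prints (non-verbose mode).
SAMPLE_TREE = """\
[INFO] com.example:app:war:1.0
[INFO] +- com.xxxx.xxx:microframework-parent:pom:0.1.0.29:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-starter-eureka:jar:1.3.0.RELEASE:compile
[INFO] |     +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.3.0.RELEASE:compile
[INFO] |     \\- org.springframework.cloud:spring-cloud-netflix-core:jar:1.3.0.RELEASE:compile
[INFO] +- com.alibaba:easyexcel:jar:3.1.1:compile
[INFO] |  +- org.apache.poi:poi:jar:5.2.2:compile
[INFO] |  +- org.apache.poi:poi-ooxml:jar:5.2.2:compile
[INFO] |  |  \\- org.apache.poi:poi-ooxml-lite:jar:5.2.2:compile
[INFO] |  \\- org.apache.poi:poi-ooxml-schemas:jar:4.1.2:compile
[INFO] \\- log4j:log4j:jar:1.2.17:compile
"""

# Artifacts renamed upstream: both names on one classpath means duplicate classes.
# Assumed table; the poi pair is the one the post describes.
RENAMED = {("org.apache.poi", "poi-ooxml-schemas"): ("org.apache.poi", "poi-ooxml-lite")}

# prefix = repeated 3-char columns ("|  " or "   "), then "+- " / "\- ", then coordinates
_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ] {2})*)(?P<marker>[+\\]- )?(?P<coord>\S+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    path: tuple  # groupId:artifactId of every ancestor, root first, then this node


def parse_tree(text):
    """Turn dependency:tree output into Node objects, each carrying its ancestor path."""
    stack = []   # stack[d] is the most recent node seen at depth d
    nodes = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # other [INFO] lines, blank lines, etc.
        parts = m.group("coord").split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root line carries no scope
        group, artifact = parts[0], parts[1]
        version = parts[3] if len(parts) == 4 else parts[-2]
        depth = 0 if m.group("marker") is None else len(m.group("prefix")) // 3 + 1
        del stack[depth:]                       # pop back to this line's parent
        parent_path = stack[-1].path if stack else ()
        node = Node(group, artifact, version, parent_path + (f"{group}:{artifact}",))
        stack.append(node)
        nodes.append(node)
    return nodes


def paths_to(nodes, artifact):
    """Every chain of groupId:artifactId that leads to the named artifact."""
    return [" -> ".join(n.path) for n in nodes if n.artifact == artifact]


def exclusion_for(nodes, artifact):
    """Return (direct dependency to declare the <exclusion> on, artifact to exclude).

    Exclusions live on the direct dependency (path[1]); the thing to exclude is the
    first transitive hop beneath it (path[2]). If the offender is itself a direct
    dependency the second element is None: remove that dependency instead."""
    hits = [n for n in nodes if n.artifact == artifact]
    if not hits:
        return None
    path = hits[0].path
    return path[1], (path[2] if len(path) > 2 else None)


def renamed_collisions(nodes, table=RENAMED):
    """Old-name/new-name pairs that are both on the classpath."""
    present = {(n.group, n.artifact) for n in nodes}
    return [(f"{old[0]}:{old[1]}", f"{new[0]}:{new[1]}")
            for old, new in table.items() if old in present and new in present]


def exclusion_xml(ga):
    """Render the <exclusion> element for a groupId:artifactId string."""
    group, artifact = ga.split(":")
    return (f"<exclusion>\n  <groupId>{group}</groupId>\n"
            f"  <artifactId>{artifact}</artifactId>\n</exclusion>")


if __name__ == "__main__":
    nodes = parse_tree(SAMPLE_TREE)
    for p in paths_to(nodes, "spring-cloud-netflix-core"):
        print(p)
    direct, excluded = exclusion_for(nodes, "spring-cloud-netflix-core")
    print(f"declare on {direct}:\n{exclusion_xml(excluded)}")
    print("renamed pairs present together:", renamed_collisions(nodes))
```

    On the sample tree this reports that spring-cloud-netflix-core arrives through microframework-parent via spring-cloud-starter-eureka, which is exactly the exclusion used above; a real run would feed it the saved output of `mvn dependency:tree`. In non-verbose mode Maven prints only the winning version of each artifact, so the script detects the renamed-pair case (two different artifact names) but not two versions of the same artifact.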

    maven clean problem: A required class was missing while executing org.apache.maven.plugins:3.1.0:clean: org/apache/maven/shared/utils/Os

    The following error occurs when running maven clean:

    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-clean-plugin:3.1.0:clean (default-compile) on project [project name]: Execution default-clean of goal org.apache.maven.plugins:maven-clean-plugin:3.1.0:clean failed: A required class was missing while executing org.apache.maven.plugins:3.1.0:clean:org/apache/maven/shared/utils/Os
    [ERROR] --------------------------------------------------------------------------------
    [ERROR] realm =    plugin>org.apache.maven.plugins:maven-clean-plugin:3.1.0
    [ERROR] strategy = org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy
    [ERROR] urls[0] = file:/H:/Chandra/settings/maven/repository/org/apache/maven/plugins/maven-clean-plugin/3.1.0/maven-compiler-plugin-3.1.0.jar
    [ERROR] urls[1] = file:/H:/Chandra/settings/maven/repository/org/codehaus/plexus/plexus-utils/1.1/plexus-utils-1.1.jar
    [ERROR] Number of foreign imports: 1
    [ERROR] import: Entry[import  from realm ClassRealm[maven.api, parent: null]]
    [ERROR] ------------------------------------: org.apache.maven.plugins:3.1.0:clean:org/apache/maven/shared/utils/Os

    Resolution steps:

    1. Insert the following into <plugins> in pom.xml:
      <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-clean-plugin</artifactId>
          <version>3.0.0</version>
      </plugin>
    2. Run clean again; it now completes normally.

    Note that urls[0] in the error above points at maven-compiler-plugin-3.1.0.jar inside the maven-clean-plugin/3.1.0 directory, i.e. the cached 3.1.0 plugin in the local repository is the wrong jar; pinning 3.0.0 sidesteps that cache entry (deleting the corrupted directory and letting Maven re-download it is the other option).

    Upgrading log4j to log4j2

    <!-- add log4j2 version start -->
    <dependency>
    	<groupId>org.apache.logging.log4j</groupId>
    	<artifactId>log4j-1.2-api</artifactId>
    	<version>2.17.2</version>
    	<exclusions>
    		<exclusion>
    			<artifactId>log4j-api</artifactId>
    			<groupId>org.apache.logging.log4j</groupId>
    		</exclusion>
    	</exclusions>
    </dependency>
    
    <dependency>
    	<groupId>org.apache.logging.log4j</groupId>
    	<artifactId>log4j-slf4j-impl</artifactId>
    	<version>2.17.2</version>
    	<exclusions>
    		<exclusion>
    			<artifactId>log4j</artifactId>
    			<groupId>log4j</groupId>
    		</exclusion>
    	</exclusions>
    </dependency>
    
    <dependency>
    	<groupId>org.apache.logging.log4j</groupId>
    	<artifactId>log4j-core</artifactId>
    	<version>2.17.2</version>
    	<exclusions>
    		<exclusion>
    			<artifactId>log4j-api</artifactId>
    			<groupId>org.apache.logging.log4j</groupId>
    		</exclusion>
    	</exclusions>
    </dependency>
    
    <dependency>
    	<artifactId>log4j-api</artifactId>
    	<groupId>org.apache.logging.log4j</groupId>
    	<!-- version is expected from dependencyManagement; otherwise pin 2.17.2 to match the artifacts above -->
    </dependency>
    <!-- add log4j2 version end -->
    
    <!-- delete log4j: remove the old log4j 1.x dependency from the POM -->
    <dependency>
    	<groupId>log4j</groupId>
    	<artifactId>log4j</artifactId>
    </dependency>
Original article: https://blog.csdn.net/qq_41601960/article/details/125529975