Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

java-victims-lib version 2 #51

Open
wolferCZ opened this issue Nov 27, 2018 · 7 comments
Open

java-victims-lib version 2 #51

wolferCZ opened this issue Nov 27, 2018 · 7 comments

Comments

@wolferCZ
Copy link

Hello, I am attempting to create a redesigned and update version of this library.
I would like to ask for any help with the redesign.

I am bit confused with some parts of the library and would like to ask you for a help with designing its replacement.

I need help with setting initial goals/library requirements, and I will need someone willing to do essentially code reviews.

For now, I created new separate project in https://github.com/wolferCZ/victims-lib-java.
@ashcrow
Copy link
Member

ashcrow commented Nov 27, 2018

/cc @jasinner @gcmurphy

@jasinner
Copy link
Member

jasinner commented Nov 27, 2018 via email

@dfj
Copy link
Member

dfj commented Nov 28, 2018 via email

@gcmurphy
Copy link
Contributor

TBH it's been so long since I looked at that code I'd pretty much be coming at it with fresh eyes anyway. From what I remember it tries to provide a consistent way of representing key aspects of the java class bytecode so that the output from two difference compilers would produce the same output when hashed.

The main entry point of that functionality is here - https://github.com/victims/victims-lib-java/blob/master/src/main/java/com/redhat/victims/fingerprint/ClassFile.java#L342

@wolferCZ
Copy link
Author

wolferCZ commented Dec 3, 2018

From what I remember it tries to provide a consistent way of representing key aspects of the java class bytecode so that the output from two difference compilers would produce the same output when hashed.

... yes. It is one of the most/more essential features which has to be preserved.
Tempering with the code normalization can result in change of the result hash (fingerprint) witch can render older entries in Victims database obsolete.

However there are already some tickets regarding the code normalization (see #37).

Anyway normalization in ClassFile.java seemed to me a bit confusing
so I already moved it into separate util class https://github.com/wolferCZ/victims-lib-java/blob/master/src/main/java/com/redhat/victims/vlk/utils/ByteCodeNormalizer.java.
It should make creating an alternative implementations relatively easy.

@wolferCZ
Copy link
Author

wolferCZ commented Dec 3, 2018
edited
Loading

From what I gathered, the library:

After this library takes care of posting the results into Victims database.

The library also takes care of downloading, searching, and updating a private copy of Victims database ... i.e. cache.

Since than the Victims database moved to utilizing a Git repository instead of on-line service.

In conclusion the new version of library should offer:

  • Parsing compiled code into VictimsRecord
  • Comparing VictimsRecords
  • Database/cache functions
    • Pulling git repository (alternatively using just path to cloned repository)
    • Searching database for given hashes

Other functionality:

  • Parsing Yaml victims records into database/cache
  • Serializing VictimsRecords into Yaml files (eligible for storing in victims/victims-cve-db)

@wolferCZ
Copy link
Author

wolferCZ commented Dec 4, 2018

I have a question. Anybody remembers why is .jar parsed into Artifact before it can be parsed (flattened) into VictimsRecord?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ashcrow @gcmurphy @jasinner @dfj @wolferCZ