Scanning EAR or WAR files

How to use Meterian to scan EAR or WAR files

The Meterian scanner can scan EAR or WAR files that contain JAR files. To do so, however, the archive must first be unpacked into a folder, so that the Meterian Client can then run a binary scan against that folder.

To do this consistently, Meterian provides a simple supporting script, ant-unpack.sh, which, given an EAR or a WAR file, extracts all JARs contained in the archive to a folder specified by the user (or to the current folder if none is specified). At that point, the Meterian Client can be used to scan the components. The script also provides a dummy build.xml file to trigger the Ant plugin of the scanner, which will then identify the JARs using binary/signature detection.

Note that some of those JAR files may be legacy versions, so the system may take some time to resolve them. This is absolutely normal, and it happens only the first time, as their information is then stored on the Meterian SaaS servers. If, under these conditions, the client times out, you can simply relaunch it.

Usage example

First, expand the WAR file into a directory:

$ ~/ant-unpack.sh ./target/cargo-tracker.war /tmp/test

Archive:  ./target/cargo-tracker.war
  inflating: /tmp/test/WEB-INF/lib/h2-2.2.220.jar  
  inflating: /tmp/test/WEB-INF/lib/primefaces-12.0.0-jakarta.jar  
  inflating: /tmp/test/WEB-INF/lib/commons-lang3-3.8.1.jar  
Total JAR files extracted in folder "/tmp/test": 3

Then simply run a scan with the Meterian client:

$ java -jar ~/meterian-cli.jar --folder=/tmp/test

Meterian Client v0.0.00.0, build 0000
© 2017-2023 Meterian Ltd - All rights reserved

[...]

Java scan - running Ant locally...
- ant: Collecting jars signatures...
- ant: Resolving jars signatures...
Loaded 3/3
- ant: Resolving jars metadata...          
- ant: Ant dependencies generated...
Execution successful!

[...]

Final results: 
- security:	100	(minimum: 90)
- stability:	99	(minimum: 90)
- licensing:	100	(minimum: 90)

Full report available at: 
https://www.meterian.com/projects/?pid=00000000-0000-0000-0000-00000000&branch=head&mode=eli
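The unpack step above, as an added illustration that is not Meterian's ant-unpack.sh: a hypothetical Python re-implementation of the behaviour the page describes (extract every JAR into a target folder and drop a dummy build.xml), which additionally descends into WARs nested inside an EAR and refuses archive entries that would escape the target folder. The build.xml contents, the sample WAR and the function names are assumptions.

```python
# Hypothetical re-implementation of what ant-unpack.sh is described as doing (not Meterian's script).
import io
import os
import tempfile
import zipfile
# Constructed placeholder: the real dummy build.xml's contents are not documented.
DUMMY_BUILD_XML = '<project name="unpacked" default="noop"><target name="noop"/></project>\n'

def safe_dest(dest, member):
    """Map a member name to a path under dest, rejecting '..' and absolute names."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member))
    if not target.startswith(root + os.sep):
        raise ValueError("refusing to write outside %s: %s" % (dest, member))
    return target

def unpack_jars(archive, dest, prefix=""):
    """Extract *.jar members of archive (path or file object) into dest; return their paths."""
    extracted = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".jar"):
                target = safe_dest(dest, prefix + info.filename)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(zf.read(info))
                extracted.append(target)
            elif info.filename.endswith(".war"):  # EAR module: recurse into the nested WAR in memory
                extracted += unpack_jars(io.BytesIO(zf.read(info)), dest, prefix + info.filename + ".d/")
    return extracted

def write_dummy_build_xml(dest):  # lets the scanner's Ant plugin pick up the folder
    os.makedirs(dest, exist_ok=True)
    with open(os.path.join(dest, "build.xml"), "w") as fh:
        fh.write(DUMMY_BUILD_XML)

def build_sample_war(path):  # constructed: three empty JARs matching the run above
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        for jar in ("h2-2.2.220.jar", "primefaces-12.0.0-jakarta.jar", "commons-lang3-3.8.1.jar"):
            war.writestr("WEB-INF/lib/" + jar, b"")
    return path

def demo():  # unpack the sample WAR into a temp folder; return JAR names and whether build.xml exists
    work = tempfile.mkdtemp()
    dest = os.path.join(work, "unpacked")
    jars = unpack_jars(build_sample_war(os.path.join(work, "cargo-tracker.war")), dest)
    write_dummy_build_xml(dest)
    return sorted(os.path.basename(j) for j in jars), os.path.isfile(os.path.join(dest, "build.xml"))
```

Pointing the Meterian client at the resulting folder with --folder= then proceeds exactly as in the scan above.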
