Scanning EAR or WAR files
How to use Meterian to scan EAR or WAR files
The Meterian scanner can scan EAR or WAR files when they contain jar files. To do so, the archive must first be unpacked into a folder, so that the Meterian Client can then run a binary scan against that folder.
To do this consistently, Meterian provides a simple supporting script, ant-unpack.sh, which, given an EAR or a WAR file, extracts all jars contained in the archive to a folder specified by the user (or the current folder if not specified). At that point, the Meterian Client can be used to execute a scan of the components. The script also provides a dummy build.xml file to trigger the Ant plugin of the scanner, which will then identify the JARs using binary/signature detection.
Note that some of those jar files may be legacy versions, so the system may take some time to resolve them. This is absolutely normal and happens only the first time, as their information is then stored on the Meterian SaaS servers. If, under these conditions, the client times out, you can always relaunch it.
Usage example
First, expand the WAR file into a directory:
$ ~/ant-unpack.sh ./target/cargo-tracker.war /tmp/test
Archive: ./target/cargo-tracker.war
inflating: /tmp/test/WEB-INF/lib/h2-2.2.220.jar
inflating: /tmp/test/WEB-INF/lib/primefaces-12.0.0-jakarta.jar
inflating: /tmp/test/WEB-INF/lib/commons-lang3-3.8.1.jar
Total JAR files extracted in folder "/tmp/test": 3
Then simply execute a scan with the Meterian client:
$ java -jar ~/meterian-cli.jar --folder=/tmp/test
Meterian Client v0.0.00.0, build 0000
© 2017-2023 Meterian Ltd - All rights reserved
[...]
Java scan - running Ant locally...
- ant: Collecting jars signatures...
- ant: Resolving jars signatures...
Loaded 3/3
- ant: Resolving jars metadata...
- ant: Ant dependencies generated...
Execution successful!
[...]
Final results:
- security: 100 (minimum: 90)
- stability: 99 (minimum: 90)
- licensing: 100 (minimum: 90)
Full report available at:
https://www.meterian.com/projects/?pid=00000000-0000-0000-0000-00000000&branch=head&mode=eli
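To cross-check that the jar count reported by the unpack step (and the "Loaded 3/3" line in the scan) covers every jar in the archive, the following added example inventories the jars inside an EAR or WAR, including WARs nested in an EAR, and rejects entries whose paths would land outside the target folder when unpacked. It is not Meterian's code and does not replace ant-unpack.sh. The function names, the "!/" nesting separator and the sample archive contents are assumptions made for this example.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

NESTED = (".war", ".ear")  # archive types that can themselves contain jars

def inventory_jars(data, prefix=""):
    """Return (sorted (path, sha256) jars, rejected entries) for EAR/WAR bytes."""
    jars, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            where = prefix + name  # nested paths are joined with "!/"
            # Absolute paths and ".." segments would write outside the folder.
            if name.startswith("/") or ".." in PurePosixPath(name).parts:
                rejected.append(where)
            elif name.lower().endswith(".jar"):
                jars.append((where, hashlib.sha256(zf.read(info)).hexdigest()))
            elif name.lower().endswith(NESTED):
                try:
                    sub_jars, sub_rejected = inventory_jars(zf.read(info), where + "!/")
                except zipfile.BadZipFile:
                    sub_jars, sub_rejected = [], [where]
                jars += sub_jars
                rejected += sub_rejected
    return sorted(jars), sorted(rejected)

def build_sample_ear():
    """Constructed sample: an EAR holding one jar, one WAR and one unsafe entry."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/h2-2.2.220.jar", b"constructed: h2")
        zf.writestr("WEB-INF/lib/primefaces-12.0.0-jakarta.jar", b"constructed: pf")
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as zf:
        zf.writestr("lib/commons-lang3-3.8.1.jar", b"constructed: lang3")
        zf.writestr("web.war", war.getvalue())
        zf.writestr("../escape.jar", b"constructed: traversal entry")
    return ear.getvalue()

if __name__ == "__main__":
    found, bad = inventory_jars(build_sample_ear())
    print(len(found), "jars;", "rejected:", bad)
```

If the number of jars found here differs from the "Total JAR files extracted" count, some components were not unpacked and will not be part of the scan.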