How to inspect a pom.properties that is in JAR file

esmith55 2023-09-14 18:14:56 UTC #1

Is there a way to inspect a “pom.properties” file that is in a JAR file?
In my case the JAR file is fusionreactor.jar which has the following structure
com.intergral.fusionreactor.resources\tracingclasses\META-INF\maven\com.intergral.fusionreactor\fr-tracing-classes\ in there is were the pom.properties file is located. That file which is a text file it’s just has a line in it which has

version=10.0.2

Thanks for any hints

JasonWalker 2023-09-15 00:27:03 UTC #2

You won’t be able to inspect the file directly, unless you first extract it from the .jar archive. For that you’d need to run an Action.

This does seem similar to a use-case I’ve been refining in light of the Log4J, Spring Boot, and Grails vulnerabilities that have come up over the last few years.

I have a task at https://bigfix.me/fixlet/details/26943 that may be useful as an example of downloading the unzip exe utility and using it to extract files from a JAR archive. If your JAR is in a known path that’s a bit easier, this task was to scan all local drives to locate the jar archives.

Once you’ve extracted the properties file to a temp path, you could use a relevance substitution to read the version from the file, and apply it as a client setting, or have a separate analysis read the extracted properties file.