IDEA项目全依赖抽取
# 静态分析
要挖个dubbo的链,想将dubbo-samples项目全部的依赖抽取出来再用codeql跑一下链子
在File → Project Structure → Libraries 下Ctrl+A 复制全部的依赖名
会得到如下1300多个依赖名
我们写个python脚本在本地maven仓库中提取出来即可
注意要先使用maven将项目jar同步到本地!!!
import os
import shutil
from packaging import version
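# File holding the Maven coordinates copied out of IDEA, one
# groupId:artifactId:version per line.
# Raw strings: in a plain literal "\c", "\p" and "\m" are invalid escape
# sequences (SyntaxWarning on current CPython) even though they happen to stay
# literal; the value is unchanged.
coordinates_file_path = r'E:\codes\python\审计\mvn_list.txt'
# Directory the matching JARs are copied into.
destination_path = r'E:\codes\python\审计\mvn_lib'
# Root of the local Maven repository (~/.m2/repository); the project must
# have been built with Maven first so the JARs are actually present here.
maven_repo_base_path = 'C:/Users/21137/.m2/repository/'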
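def maven_coordinate_to_path(coordinate, repo_base=None):
    """Map a Maven coordinate to its version directory in the local repository.

    Args:
        coordinate: ``groupId:artifactId:version``; surrounding whitespace and a
            trailing newline are ignored. Any further ``:``-separated fields are
            ignored, exactly as the original's ``parts[2]`` did.
        repo_base: Repository root to join onto; defaults to the module-level
            ``maven_repo_base_path``.

    Returns:
        ``<repo_base>/<groupId with '.' -> '/'>/<artifactId>/<version>``.

    Raises:
        ValueError: when fewer than three fields are present (for example a
            blank line), instead of the bare IndexError the original raised.
    """
    base = maven_repo_base_path if repo_base is None else repo_base
    parts = coordinate.strip().split(":")
    if len(parts) < 3:
        raise ValueError(f"Malformed Maven coordinate: {coordinate.strip()!r}")
    group_id, artifact_id, ver = parts[0], parts[1], parts[2]
    return os.path.join(base, group_id.replace('.', '/'), artifact_id, ver)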
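def find_jar_files(path):
    """Return the regular ``*.jar`` files directly inside ``path``.

    Args:
        path: Directory to scan. Not recursive: Maven keeps one version's
            artifacts flat in a single directory.

    Returns:
        Sorted list of full paths. Empty (with a message printed, as before)
        when ``path`` is missing or is not a directory — the original checked
        ``exists`` only, so a file at that path made ``os.listdir`` raise
        NotADirectoryError.
    """
    if not os.path.isdir(path):
        print(f"Path does not exist: {path}")
        return []
    # Regular files only: a subdirectory that happens to be named "*.jar"
    # would otherwise reach shutil.copy2 and fail there.
    with os.scandir(path) as entries:
        jars = [
            entry.path
            for entry in entries
            if entry.is_file() and entry.name.endswith('.jar')
        ]
    return sorted(jars)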
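def copy_jar_files(jar_files, destination=None):
    """Copy each JAR into the destination directory, creating it if needed.

    Args:
        jar_files: Iterable of source file paths.
        destination: Target directory; defaults to the module-level
            ``destination_path``. The original assumed the directory already
            existed and failed with FileNotFoundError on a fresh checkout.

    Side effects:
        Writes ``<destination>/<basename>`` for every source (``copy2`` keeps
        mtime and permission bits) and prints one line per file. Two sources
        that share a basename overwrite each other; the last one wins silently.
    """
    dest_dir = destination_path if destination is None else destination
    os.makedirs(dest_dir, exist_ok=True)
    for jar_file in jar_files:
        dest_file = os.path.join(dest_dir, os.path.basename(jar_file))
        shutil.copy2(jar_file, dest_file)
        print(f"Copied '{jar_file}' to '{dest_file}'")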
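def read_coordinates_from_file(file_path):
    """Read Maven coordinates, one per line, skipping blank lines.

    Args:
        file_path: Text file with ``groupId:artifactId:version`` per line.

    Returns:
        The coordinates with surrounding whitespace removed, in file order.
        The original returned raw ``readlines()`` output, so a trailing empty
        line became ``""`` and crashed the path conversion downstream.
    """
    # Explicit encoding: the default depends on the Windows locale, and
    # utf-8-sig also swallows a BOM that would corrupt the first coordinate.
    with open(file_path, 'r', encoding='utf-8-sig') as file:
        return [line.strip() for line in file if line.strip()]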
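def main():
    """Copy the JARs for every coordinate listed in ``coordinates_file_path``.

    Prints one line per coordinate and a final tally, so a long list can be
    checked for misses at a glance. Blank lines are skipped here as well, so
    they never reach the coordinate parser.
    """
    coordinates = read_coordinates_from_file(coordinates_file_path)
    copied = missing = 0
    for coordinate in coordinates:
        coordinate = coordinate.strip()
        if not coordinate:
            continue
        jar_files = find_jar_files(maven_coordinate_to_path(coordinate))
        if jar_files:
            copy_jar_files(jar_files)
            copied += 1
        else:
            print(f"No JAR files found for {coordinate}")
            missing += 1
    print(f"Done: {copied} coordinate(s) copied, {missing} without JARs")


if __name__ == "__main__":
    main()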
配置好目录运行即可
下面给出去重版代码,只保留最高版本的jar,不保证准确性:
import os
import shutil
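# Raw strings: plain literals would turn "\c", "\p" and "\m" into invalid
# escape sequences (SyntaxWarning).
coordinates_file_path = r'E:\codes\python\审计\mvn_list.txt'
destination_path = r'E:\codes\python\审计\mvn_lib'
# No trailing separator: a raw string cannot end in a single backslash, and
# the original's r'...\\' put a doubled "\\" into every joined path.
# os.path.join inserts the separator itself.
maven_repo_base_path = r'C:\Users\21137\.m2\repository'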
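def maven_coordinate_to_path(coordinate, repo_base=None):
    """Map a Maven coordinate to its version directory in the local repository.

    Args:
        coordinate: ``groupId:artifactId:version``; surrounding whitespace and a
            trailing newline are ignored. Any further ``:``-separated fields are
            appended as additional path components (``'/'.join(parts[2:])``),
            exactly as the original did; a plain three-field coordinate yields
            just the version directory.
        repo_base: Repository root to join onto; defaults to the module-level
            ``maven_repo_base_path``.

    Returns:
        ``<repo_base>/<groupId with '.' -> '/'>/<artifactId>/<version...>``.

    Raises:
        ValueError: when fewer than three fields are present (for example a
            blank line), instead of the bare IndexError the original raised.
    """
    base = maven_repo_base_path if repo_base is None else repo_base
    parts = coordinate.strip().split(":")
    if len(parts) < 3:
        raise ValueError(f"Malformed Maven coordinate: {coordinate.strip()!r}")
    group_dir = parts[0].replace('.', '/')
    version_dir = '/'.join(parts[2:])
    return os.path.join(base, group_dir, parts[1], version_dir)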
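def find_jar_files(path):
    """Return the regular ``*.jar`` files directly inside ``path``.

    Args:
        path: Directory to scan. Not recursive: Maven keeps one version's
            artifacts flat in a single directory.

    Returns:
        Sorted list of full paths. Empty (with a message printed, as before)
        when ``path`` is missing or is not a directory — the original checked
        ``exists`` only, so a file at that path made ``os.listdir`` raise
        NotADirectoryError.
    """
    if not os.path.isdir(path):
        print(f"Path does not exist: {path}")
        return []
    # Regular files only: a subdirectory that happens to be named "*.jar"
    # would otherwise reach shutil.copy2 and fail there.
    with os.scandir(path) as entries:
        jars = [
            entry.path
            for entry in entries
            if entry.is_file() and entry.name.endswith('.jar')
        ]
    return sorted(jars)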
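def copy_jar_files(jar_files, destination=None):
    """Copy each JAR into the destination directory, creating it if needed.

    Args:
        jar_files: Iterable of source file paths.
        destination: Target directory; defaults to the module-level
            ``destination_path``. The original assumed the directory already
            existed and failed with FileNotFoundError on a fresh checkout.

    Side effects:
        Writes ``<destination>/<basename>`` for every source (``copy2`` keeps
        mtime and permission bits) and prints one line per file. Two sources
        that share a basename overwrite each other; the last one wins silently.
    """
    dest_dir = destination_path if destination is None else destination
    os.makedirs(dest_dir, exist_ok=True)
    for jar_file in jar_files:
        dest_file = os.path.join(dest_dir, os.path.basename(jar_file))
        shutil.copy2(jar_file, dest_file)
        print(f"Copied '{jar_file}' to '{dest_file}'")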
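def _version_key(ver):
    """Sort key that orders Maven-style version strings numerically.

    The original compared versions as plain strings, so "1.10.0" ranked below
    "1.9.0". Here every dot/hyphen/underscore-separated token becomes
    ``(1, int)`` for a number and ``(0, lowercased text)`` for a qualifier, and
    a ``(1, -1)`` terminator makes a bare release rank above its qualified
    pre-releases: 1.0-SNAPSHOT < 1.0 < 1.0.1 < 1.10.0. This is not Maven's
    full ComparableVersion (e.g. "1.0" and "1.0.0" are not equal), which is
    good enough for picking the newest JAR of an artifact.
    """
    key = []
    for token in ver.strip().replace('-', '.').replace('_', '.').split('.'):
        if token.isdigit():
            key.append((1, int(token)))
        elif token:
            key.append((0, token.lower()))
    key.append((1, -1))
    return tuple(key)


def read_coordinates_from_file(file_path):
    """Read Maven coordinates and keep only the newest version of each artifact.

    Args:
        file_path: Text file with one ``groupId:artifactId:version`` per line;
            blank lines are skipped. Extra ``:`` fields are kept as part of the
            version string.

    Returns:
        The winning line (whitespace-stripped) for each ``(groupId, artifactId)``
        pair, in order of first appearance. Versions are ranked with
        ``_version_key`` instead of string comparison, and the comparison uses
        the full stored version — the original compared against
        ``split(":")[2]`` only, so it dropped any extra fields it had just
        taken care to keep.

    Raises:
        ValueError: on a non-blank line with fewer than three fields.
    """
    latest = {}  # (group_id, artifact_id) -> (version, full line)
    # utf-8-sig: explicit encoding, and a BOM no longer corrupts the first line.
    with open(file_path, 'r', encoding='utf-8-sig') as file:
        for raw in file:
            line = raw.strip()
            if not line:
                continue
            parts = line.split(":")
            if len(parts) < 3:
                raise ValueError(f"Malformed Maven coordinate: {line!r}")
            group_id, artifact_id, ver = parts[0], parts[1], ':'.join(parts[2:])
            key = (group_id, artifact_id)
            if key not in latest or _version_key(ver) > _version_key(latest[key][0]):
                latest[key] = (ver, line)
    return [line for _, line in latest.values()]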
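def main():
    """Copy the newest JAR of every artifact listed in ``coordinates_file_path``.

    Prints one line per coordinate and a final tally, so a long list can be
    checked for misses at a glance. Blank lines are skipped here as well, so
    they never reach the coordinate parser.
    """
    coordinates = read_coordinates_from_file(coordinates_file_path)
    copied = missing = 0
    for coordinate in coordinates:
        coordinate = coordinate.strip()
        if not coordinate:
            continue
        jar_files = find_jar_files(maven_coordinate_to_path(coordinate))
        if jar_files:
            copy_jar_files(jar_files)
            copied += 1
        else:
            print(f"No JAR files found for {coordinate}")
            missing += 1
    print(f"Done: {copied} coordinate(s) copied, {missing} without JARs")


if __name__ == "__main__":
    main()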