Skip to content
This repository was archived by the owner on Aug 18, 2022. It is now read-only.

Commit f2a5edc

Browse files
adityasharadadityasharad
authored
Merge pull request #2 from github/adityasharad/struts-download-link
Java: Add link to prebuilt Struts databases
2 parents 05f499d + fa2255c commit f2a5edc

File tree

1 file changed

+13
-3
lines changed

1 file changed

+13
-3
lines changed

java/unsafe-deserialization-apache-struts.md

+13-3
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,9 @@ Short link for this summary: <https://git.io/JfkGY>
1818

1919
Blog describing the problem: <https://securitylab.github.com/research/apache-struts-CVE-2018-11776>
2020

21-
A clone of the original struts repository with the vulnerability: <https://github.com/github/codeql-demo-struts-CVE-2017-9805>
21+
Clone of the original Struts repository with the vulnerability:
22+
- External: <https://lgtm.com/projects/g/mmosemmle/struts_9805>
23+
- Internal: <https://github.com/github/codeql-demo-struts-CVE-2017-9805>
2224

2325
codeql cli reference: <https://help.semmle.com/codeql/codeql-cli/procedures/create-codeql-database.html>
2426

@@ -42,7 +44,15 @@ To run CodeQL queries offline, follow these steps:
4244

4345
<a id="orge8c9e69"></a>
4446

45-
## Creating the database from a project
47+
## Obtaining a database of the vulnerable code
48+
49+
There are two options here: you can obtain a pre-built database from downloads.lgtm.com or lgtm.com, or you can build your own with the CodeQL CLI.
50+
51+
### Downloading a pre-built database
52+
- Download and unzip the database at https://downloads.lgtm.com/snapshots/java/apache/struts/apache-struts-91ae344-CVE-2017-9805.zip OR
53+
- Log in to LGTM.com, go to https://lgtm.com/projects/g/m-y-mo/struts_9805/ci, scroll down to **CodeQL databases for local analysis**, and click to download the latest database for Java.
54+
55+
### Creating a database with the CodeQL CLI
4656

4757
The setup procedure using the `/bin/bash` shell, with one deviation from the reference manual: using `mvn clean compile` instead of `mvn clean install`.
4858

@@ -90,7 +100,7 @@ codeql database create --language=java --command='mvn clean compile' \
90100
In VS Code,
91101

92102
- open vscode-codeql-starter workspace
93-
- add the mh\_struts\_db\_1 database
103+
- add the unzipped Struts database you downloaded or created
94104
- open `codeql-custom-queries-java/example.ql` and run `> codeql: run query` to test.
95105
- save this file to `unsafe-deserialization.ql` for the rest of this demo
96106

0 commit comments

Comments
 (0)