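Same problem. The generated tables seem incomplete; several key CSV tables are missing. I'm using the latest versions: JDK 17 and the latest tabby. Did you solve your problem?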
-
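Hello, I had tabby audit the vulnerable CC version from the Maven repository, and I changed the javaHome version to 8u65.

After tabby finished successfully with "Done bye", several CSV files were also generated in the dev directory.
I then used the tabby-vul-finder tool to upload the CSV files, and that also finished with "done bye", with no errors during the process.
Then I logged in to the neo4j web interface and ran the CC2 query:
match (m1:Method {SIGNATURE:"<java.util.PriorityQueue: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"heapify"})-[:CALL ]->(m3)-[:CALL]->(m4:Method {NAME:"siftDownUsingComparator"})-[:CALL]->(m5)-[:ALIAS*]-(m6 {SIGNATURE:"<org.apache.commons.collections.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL]->(m7)-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true}) return *
The query indeed returned nothing, but in principle the jar of the vulnerable CC version should produce results for the CC2 chain.
This command does return results:
match (m:Method) where m.NAME='readObject' return m.CLASSNAME,m
In that case, where does the problem lie?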