Discover all installed R packages with a Java dependency (for security reasons)
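For security reasons I had to uninstall Java (JRE) on the machine where I use R.
How can I (easily :-) discover all installed packages that use Java?
Edit 14.12.2021: The log4j-log4shell-cve-2021-44228 vulnerability makes this question (and the answers) even more interesting ;-)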
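You can use installed.packages to determine which packages import the rJava package. You need to tell installed.packages to include the Imports field from the package description, and then check which packages import rJava.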
LIBS = installed.packages(fields=c("Imports"))
JPacks = grep("Java", LIBS[,"Imports"], ignore.case=TRUE)
LIBS[JPacks, c("Package", "Imports")]
Package
RWeka "RWeka"
RWekajars "RWekajars"
Imports
RWeka "RWekajars (>= 3.9.0), rJava (>= 0.6-3), graphics, stats,\nutils, grid"
RWekajars "rJava (>= 0.6-3)"
I have extended the solution from @GSW's answer by also considering the other types of dependencies on the rJava package:
libs = installed.packages()
imports = grep("Java", libs[,"Imports"], ignore.case=TRUE)
depends = grep("Java", libs[,"Depends"], ignore.case=TRUE)
linking.to = grep("Java", libs[,"LinkingTo"], ignore.case=TRUE)
enhances = grep("Java", libs[,"Enhances"], ignore.case=TRUE)
# SystemRequirements may also contain Java dependencies but is not available in the matrix
# unique() keeps a package from being listed twice when it matches in more than one field
libs[unique(c(imports, depends, linking.to, enhances)),
     c("Package", "Imports", "Depends", "LinkingTo", "Enhances")]
This now also finds e.g. xlsx:
Package Imports Depends LinkingTo Enhances
xlsx "xlsx" NA "rJava, xlsxjars" NA NA
xlsxjars "xlsxjars" NA "rJava" NA NA
Edit December 21, 2021: If you want to find all CRAN packages (not only the installed ones) that directly depend on JAVA (e.g. because of the log4j vulnerability) you could use:
# Dependencies external to the R system should be listed in the `SystemRequirements` field of the package's DESCRIPTION file.
# This also holds true until the package uses Java via the rJava package where the `Imports` or `Depends` declaration suffices:
# https://cran.r-project.org/doc/manuals/R-exts.html#Non_002dR-scripts-in-packages
CRAN.pkgs <- tools::CRAN_package_db() # gets a list of all R packages at CRAN
imports = grepl("Java", CRAN.pkgs$Imports, ignore.case = TRUE)
depends = grepl("Java", CRAN.pkgs$Depends, ignore.case = TRUE)
linking.to = grepl("Java", CRAN.pkgs$LinkingTo, ignore.case = TRUE)
enhances = grepl("Java", CRAN.pkgs$Enhances, ignore.case = TRUE)
sysreq = grepl("Java", CRAN.pkgs$SystemRequirements, ignore.case = TRUE)
CRAN.java.pkgs <- CRAN.pkgs[imports | depends | linking.to | enhances | sysreq,
c("Package", "Imports", "Depends", "LinkingTo", "Enhances", "SystemRequirements")]
NROW(CRAN.pkgs) # more than 18.000 in 12/2021
NROW(CRAN.java.pkgs) # 137 in 12/2021
CRAN.java.pkgs$Package # show all packages found
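The answers above list only packages that name rJava directly. The following added example (not code from the question or from either answer) extends them to transitive reverse dependencies of rJava, reads SystemRequirements for installed packages, and lists the .jar files each package bundles, flagging log4j by file name. The function name java_inventory and the file-name match for log4j are assumptions made for this illustration.

```r
# Added example (not from the thread): installed packages that need Java,
# directly or transitively, plus the .jar files they bundle.
java_inventory <- function(lib.loc = NULL) {
  # SystemRequirements is not a default column; request it explicitly.
  ip <- installed.packages(lib.loc = lib.loc, fields = "SystemRequirements")
  pkg <- ip[, "Package"]

  # Reverse dependencies of rJava among installed packages. Only the fields
  # that force rJava to be loaded or linked are followed (Enhances is not).
  strong <- c("Depends", "Imports", "LinkingTo")
  rev_deps <- function(recursive) {
    tools::package_dependencies("rJava", db = ip, which = strong,
                                reverse = TRUE, recursive = recursive)[["rJava"]]
  }
  direct <- rev_deps(FALSE)
  transitive <- setdiff(rev_deps(TRUE), direct)

  # Whole-word match so that "JavaScript" in SystemRequirements is not counted.
  sysreq <- grepl("\\bjava\\b", ip[, "SystemRequirements"],
                  ignore.case = TRUE, perl = TRUE)

  # Jar files shipped inside each installed package directory.
  jars <- lapply(file.path(ip[, "LibPath"], pkg), list.files,
                 pattern = "\\.jar$", recursive = TRUE, ignore.case = TRUE)
  # Assumption: log4j jars are recognisable by file name; renamed or shaded
  # copies inside other jars are not detected by this check.
  log4j <- vapply(jars, function(j) {
    b <- basename(j)
    paste(b[grepl("log4j", b, ignore.case = TRUE)], collapse = ", ")
  }, character(1))

  out <- data.frame(
    Package    = pkg,
    LibPath    = ip[, "LibPath"],
    rJava      = ifelse(pkg %in% direct, "direct",
                   ifelse(pkg %in% transitive, "transitive", NA_character_)),
    SysReqJava = sysreq,
    Jars       = lengths(jars),
    Log4jJars  = log4j,
    row.names = NULL, stringsAsFactors = FALSE
  )
  out[!is.na(out$rJava) | out$SysReqJava | out$Jars > 0, ]
}

inv <- java_inventory()
print(inv, row.names = FALSE)
```

Rows with a non-empty Log4jJars column are the ones to check against the fixed log4j versions; rows marked "transitive" will stop loading once rJava or the JRE is removed even though they never mention Java in their own DESCRIPTION.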