Automated Risk Monitoring and Upgrade of Jar Components at Qunar
This article describes Qunar's end‑to‑end automated workflow for detecting high‑risk Jar component vulnerabilities, collecting asset information, orchestrating remediation with a SOAR platform, and leveraging the TCDEV auto‑upgrade service to reduce manual effort and improve security operations efficiency.
Background – Repeated high‑severity vulnerabilities in third‑party Jar libraries such as Xstream, Jackson, and Fastjson forced Qunar’s security team to coordinate massive upgrade efforts across hundreds of services, creating a heavy operational burden for both security and development teams.
Process Overview – The risk monitoring and upgrade workflow is driven by intelligence from external security advisories and consists of four main stages: security advisory monitoring, Jar asset collection, automated remediation orchestration via SOAR, and the TCDEV auto‑upgrade service.
Technical Implementation
1. Security Advisory Monitoring – An internal “Security Vulnerability Intelligence System” aggregates CVE, CNVD, and vendor alerts, de‑duplicates them, fetches PoCs, and fuzzy‑matches advisory data against the Jar asset database (SecDB). Matched assets trigger IM alerts for security operators.
2. Jar Asset Collection – A plugin on the HIDS agent finds Java processes whose command line carries catalina.base, resolves the catalina.home and catalina.base paths from the -D flags, parses server.xml for the elements that define where web applications are deployed, locates each application's WEB-INF/lib, and reads the pom.properties packed inside each Jar (under META-INF/maven/) to obtain version, groupId, and artifactId. Sample shell snippets (the original fragments, joined into a loop so they run as one pass):

```bash
# One line per running Tomcat; the [c] trick keeps grep from matching itself
ps aux | grep '[c]atalina.base' | while read -r item; do
  catalina_home=$(echo "$item" | tr ' ' '\n' | grep 'catalina.home=' | cut -d= -f2 | sort -u)
  catalina_base=$(echo "$item" | tr ' ' '\n' | grep 'catalina.base=' | cut -d= -f2 | sort -u)
  # Default appBase assumed here; the real plugin takes the paths from server.xml
  for jar in "$catalina_base"/webapps/*/WEB-INF/lib/*.jar; do
    pom_properties=$(unzip -p "$jar" 'META-INF/maven/*/*/pom.properties' 2>/dev/null)
    jar_version=$(echo "$pom_properties" | grep -m 1 -E '^version=' | awk -F'=' '{print $NF}' | tr -d '\n\r')
  done
done
```

3. SOAR Orchestration – Built on StackStorm, the SOAR engine links security tools and services through Python/YAML playbooks. After an advisory triggers an alert, an operator decides whether to start the upgrade flow; the flow then generates the affected‑asset list automatically, enriches it with Appcode, Owner, and technical TL information from the Portal APIs, and hands the list to TCDEV for automated upgrades.
4. TCDEV Auto‑Upgrade Service – TCDEV 4.x fully automates upgrades for roughly 50% of applications, offers a one‑click upgrade for another roughly 30%, and leaves the remaining roughly 20% to manual handling. The service contacts the owners, executes the upgrades, and reports the results back to the flow.
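The following is an added example, not Qunar's code, showing how steps 1 to 3 fit together: the pom.properties fields collected in step 2 are matched against an advisory's affected‑version ranges (the SecDB match of step 1), and the hits are grouped by Appcode and Owner into the list that step 3 hands to the upgrade service. Every input is constructed: the advisory id is a placeholder rather than a real CVE, and the hosts, Appcodes and owners are hypothetical. The version comparison follows Maven's rules for the cases that matter here (missing trailing parts count as zero, a qualifier sorts below a number), with qualifiers compared alphabetically as a simplification.

```python
"""Added example, not Qunar's own code: match collected Jar assets against an
advisory's affected-version ranges and build the per-Appcode upgrade list.
All data is constructed; the advisory id, hosts, Appcodes and owners are
hypothetical placeholders."""
import re
from collections import defaultdict

# Constructed pom.properties text, in the format Maven writes under
# META-INF/maven/<groupId>/<artifactId>/pom.properties inside a Jar.
SAMPLE_POM_PROPERTIES = """#Generated by Maven
#Mon Jan 01 00:00:00 CST 2024
version=1.2.62
groupId=com.alibaba
artifactId=fastjson
"""

# Constructed advisory: "fastjson below 1.2.83", given as [lo, hi) ranges where
# None means unbounded. The id is a placeholder, not a real CVE.
SAMPLE_ADVISORY = {
    "id": "ADV-SAMPLE-0001",
    "groupId": "com.alibaba",
    "artifactId": "FastJSON",  # advisories are sloppy about case, so match loosely
    "affected": [(None, "1.2.83")],
}

# Constructed SecDB rows, as the HIDS plugin would report them (hypothetical hosts).
SAMPLE_ASSETS = [
    {"host": "app01", "groupId": "com.alibaba", "artifactId": "fastjson", "version": "1.2.62"},
    {"host": "app02", "groupId": "com.alibaba", "artifactId": "fastjson", "version": "1.2.83"},
    {"host": "app03", "groupId": "com.alibaba", "artifactId": "fastjson", "version": "1.2.83-SNAPSHOT"},
    {"host": "app04", "groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-databind", "version": "2.9.10"},
]

# Constructed stand-in for the Portal API lookup of Appcode and Owner per host.
SAMPLE_PORTAL = {
    "app01": {"appcode": "order-svc", "owner": "alice"},
    "app02": {"appcode": "order-svc", "owner": "alice"},
    "app03": {"appcode": "pay-svc", "owner": "bob"},
    "app04": {"appcode": "search-svc", "owner": "carol"},
}


def parse_pom_properties(text: str) -> dict:
    """Return the key=value pairs of a pom.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _tokens(version: str) -> list:
    """Split '2.9.10.8' or '1.2.83-SNAPSHOT' into ints and lowercase qualifiers."""
    return [int(t) if t.isdigit() else t.lower() for t in re.split(r"[.\-_]", version) if t]


def compare_versions(a: str, b: str) -> int:
    """Maven-like ordering: a missing trailing part counts as 0 (1.2 == 1.2.0) and a
    qualifier sorts below a number at the same position (1.2.83-SNAPSHOT < 1.2.83).
    Qualifiers are compared alphabetically, a simplification of Maven's table."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else 0
        y = tb[i] if i < len(tb) else 0
        if isinstance(x, int) and isinstance(y, int):
            if x != y:
                return -1 if x < y else 1
        elif isinstance(x, int):  # number beats qualifier
            return 1
        elif isinstance(y, int):
            return -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def is_affected(version: str, ranges: list) -> bool:
    """True if version falls inside any [lo, hi) range; a None bound is open."""
    for lo, hi in ranges:
        if lo is not None and compare_versions(version, lo) < 0:
            continue
        if hi is not None and compare_versions(version, hi) >= 0:
            continue
        return True
    return False


def match_assets(advisory: dict, assets: list) -> list:
    """SecDB-style match: artifactId case-insensitively, groupId only if the
    advisory names one, then the affected-version range check."""
    hits = []
    for asset in assets:
        if asset["artifactId"].lower() != advisory["artifactId"].lower():
            continue
        if advisory.get("groupId") and asset["groupId"] != advisory["groupId"]:
            continue
        if is_affected(asset["version"], advisory["affected"]):
            hits.append(asset)
    return hits


def build_upgrade_list(advisory: dict, assets: list, portal: dict) -> dict:
    """Group affected hosts by Appcode with their Owner, the shape the SOAR flow
    hands to the upgrade service."""
    grouped = defaultdict(lambda: {"owner": None, "hosts": []})
    for asset in match_assets(advisory, assets):
        info = portal.get(asset["host"], {"appcode": "unknown", "owner": None})
        entry = grouped[info["appcode"]]
        entry["owner"] = info["owner"]
        entry["hosts"].append(f'{asset["host"]}:{asset["artifactId"]}:{asset["version"]}')
    return dict(grouped)


if __name__ == "__main__":
    print(parse_pom_properties(SAMPLE_POM_PROPERTIES))
    print(build_upgrade_list(SAMPLE_ADVISORY, SAMPLE_ASSETS, SAMPLE_PORTAL))
```

Two details are worth copying into a production matcher: the boundary host (app02 on exactly 1.2.83) must fall outside a half‑open range, and a SNAPSHOT of the fixed version still counts as affected because it predates the release. Advisories that give only an artifact name and a bare "< 1.2.83" are the norm, so the groupId check is optional and the artifactId comparison ignores case.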
Summary – Qunar’s integrated solution combines real‑time advisory monitoring, comprehensive Jar asset inventory, SOAR‑driven workflow automation, and the TCDEV auto‑upgrade platform to dramatically reduce manual effort, improve response speed, and lower the risk exposure of third‑party Java libraries.
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.