11
CHANGES
11
CHANGES
@@ -2,6 +2,17 @@ Changelog
|
||||
|
||||
=========
|
||||
|
||||
Version 1.0.8
|
||||
|
||||
- feature dump dependencies tree to file include / exclude scan result
|
||||
- upgrade upgrade org.apache.httpcomponents:httpclient to 4.5.13
|
||||
|
||||
Version 1.0.7
|
||||
|
||||
- bugfix NPE on outputDepToFile
|
||||
- feature only analyze mode
|
||||
- feature dump dependencies tree to file
|
||||
|
||||
Version 1.0.6
|
||||
|
||||
- feature change simple-json to gson
|
||||
|
||||
@@ -93,7 +93,7 @@ Maven >= 3.1
|
||||
<plugin>
|
||||
<groupId>com.immomo.momosec</groupId>
|
||||
<artifactId>mosec-maven-plugin</artifactId>
|
||||
<version>1.0.7</version>
|
||||
<version>1.0.8</version>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>test</id>
|
||||
@@ -144,7 +144,7 @@ mosec:test
|
||||
User property: onlyProvenance
|
||||
|
||||
outputDepToFile (Default: )
|
||||
输出依赖树到文件
|
||||
输出依赖树到文件,如果用户设置了onlyAnalyze=true则仅输出依赖树,否则输出依赖树以及漏洞检查结果
|
||||
User property: outputDepToFile
|
||||
|
||||
severityLevel (Default: High)
|
||||
@@ -193,7 +193,7 @@ MOSEC-MAVEN-PLUGIN使用`org.apache.maven:maven-core`组件中提供的`aether-a
|
||||
4.在另一个maven工程中执行如下命令
|
||||
|
||||
```shell script
|
||||
> mvnDebug com.immomo.momosec:mosec-maven-plugin:1.0.7:test
|
||||
> mvnDebug com.immomo.momosec:mosec-maven-plugin:1.0.8:test
|
||||
```
|
||||
|
||||
5.回到Intellij中,下断点,开始Debug
|
||||
5.回到Intellij中,下断点,开始Debug
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
eaab7df555e60240e4fa10a6009c8397
|
||||
@@ -0,0 +1 @@
|
||||
a498dbf4f6979fb752d846d6321b2967a0997bf7
|
||||
@@ -0,0 +1,124 @@
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<prerequisites>
|
||||
<maven>3.1.0</maven>
|
||||
</prerequisites>
|
||||
|
||||
<groupId>com.immomo.momosec</groupId>
|
||||
<artifactId>mosec-maven-plugin</artifactId>
|
||||
<version>1.0.8</version>
|
||||
<packaging>maven-plugin</packaging>
|
||||
|
||||
<name>Mosec Maven Plugin</name>
|
||||
<description>用于检测Maven项目的第三方依赖组件是否存在安全漏洞</description>
|
||||
|
||||
<developers>
|
||||
<developer>
|
||||
<name>retanoj</name>
|
||||
<email>mmsrc@immomo.com</email>
|
||||
</developer>
|
||||
</developers>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<mavenVersion>3.3.9</mavenVersion>
|
||||
</properties>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven</groupId>
|
||||
<artifactId>maven-core</artifactId>
|
||||
<version>${mavenVersion}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.plugin-tools</groupId>
|
||||
<artifactId>maven-plugin-annotations</artifactId>
|
||||
<version>3.2</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.google.code.gson</groupId>
|
||||
<artifactId>gson</artifactId>
|
||||
<version>2.8.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.httpcomponents</groupId>
|
||||
<artifactId>httpclient</artifactId>
|
||||
<version>4.5.13</version>
|
||||
</dependency>
|
||||
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.plugin-testing</groupId>
|
||||
<artifactId>maven-plugin-testing-harness</artifactId>
|
||||
<version>3.3.0</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
<version>4.13</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.mockito</groupId>
|
||||
<artifactId>mockito-core</artifactId>
|
||||
<version>2.28.2</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven</groupId>
|
||||
<artifactId>maven-compat</artifactId>
|
||||
<version>3.3.9</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-plugin-plugin</artifactId>
|
||||
<version>3.5</version>
|
||||
<configuration>
|
||||
<goalPrefix>mosec</goalPrefix>
|
||||
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
|
||||
</configuration>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>mojo-descriptor</id>
|
||||
<goals>
|
||||
<goal>descriptor</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
<execution>
|
||||
<id>help-goal</id>
|
||||
<goals>
|
||||
<goal>helpmojo</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.6.2</version>
|
||||
<configuration>
|
||||
<source>1.8</source>
|
||||
<target>1.8</target>
|
||||
<compilerArgument>-Xlint</compilerArgument>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
|
||||
<distributionManagement>
|
||||
<repository>
|
||||
<id>internal</id>
|
||||
<url>file://mvn-repo</url>
|
||||
</repository>
|
||||
</distributionManagement>
|
||||
</project>
|
||||
@@ -0,0 +1 @@
|
||||
a6c1f8d0cffbb61f3287950aa4cf1844
|
||||
@@ -0,0 +1 @@
|
||||
085580bdcd35aec853378a0752979b5a94352b5e
|
||||
@@ -3,11 +3,12 @@
|
||||
<groupId>com.immomo.momosec</groupId>
|
||||
<artifactId>mosec-maven-plugin</artifactId>
|
||||
<versioning>
|
||||
<latest>1.0.7</latest>
|
||||
<release>1.0.7</release>
|
||||
<latest>1.0.8</latest>
|
||||
<release>1.0.8</release>
|
||||
<versions>
|
||||
<version>1.0.7</version>
|
||||
<version>1.0.8</version>
|
||||
</versions>
|
||||
<lastUpdated>20210603114400</lastUpdated>
|
||||
<lastUpdated>20210621033628</lastUpdated>
|
||||
</versioning>
|
||||
</metadata>
|
||||
|
||||
@@ -1 +1 @@
|
||||
9a19947fd891260a434b54caab6706ea
|
||||
95c17d487c921627a9b97445e2a00f47
|
||||
@@ -1 +1 @@
|
||||
7229e831d912dcebec125e09a6fd9dee76fea894
|
||||
4f2ce91855db9e696891caa64a322b381bef5894
|
||||
4
pom.xml
4
pom.xml
@@ -8,7 +8,7 @@
|
||||
|
||||
<groupId>com.immomo.momosec</groupId>
|
||||
<artifactId>mosec-maven-plugin</artifactId>
|
||||
<version>1.0.7</version>
|
||||
<version>1.0.8</version>
|
||||
<packaging>maven-plugin</packaging>
|
||||
|
||||
<name>Mosec Maven Plugin</name>
|
||||
@@ -46,7 +46,7 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.httpcomponents</groupId>
|
||||
<artifactId>httpclient</artifactId>
|
||||
<version>4.5.10</version>
|
||||
<version>4.5.13</version>
|
||||
</dependency>
|
||||
|
||||
|
||||
|
||||
@@ -34,6 +34,8 @@ import org.eclipse.aether.RepositorySystemSession;
|
||||
import org.eclipse.aether.collection.DependencyCollectionException;
|
||||
import org.eclipse.aether.repository.RemoteRepository;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.InputStreamReader;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@@ -97,7 +99,7 @@ public class MosecTest extends AbstractMojo {
|
||||
private String outputDepToFile;
|
||||
|
||||
/**
|
||||
* 仅分析依赖,不上报
|
||||
* 仅分析依赖,不进行漏洞检查
|
||||
*/
|
||||
@Parameter(property = "onlyAnalyze", defaultValue = "false")
|
||||
private Boolean onlyAnalyze;
|
||||
@@ -146,11 +148,11 @@ public class MosecTest extends AbstractMojo {
|
||||
projectTree.addProperty("severityLevel", severityLevel);
|
||||
String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
|
||||
getLog().debug(jsonDepTree);
|
||||
if (outputDepToFile != null && !"".equals(outputDepToFile)) {
|
||||
writeToFile(outputDepToFile, jsonDepTree);
|
||||
}
|
||||
|
||||
if (Boolean.TRUE.equals(onlyAnalyze)) {
|
||||
if (!"".equals(outputDepToFile) && outputDepToFile != null) {
|
||||
writeToFile(outputDepToFile, jsonDepTree);
|
||||
}
|
||||
getLog().info("onlyAnalyze mode, Done.");
|
||||
return;
|
||||
}
|
||||
@@ -168,8 +170,18 @@ public class MosecTest extends AbstractMojo {
|
||||
throw new NetworkErrorException(response.getStatusLine().getReasonPhrase());
|
||||
}
|
||||
|
||||
JsonParser parser = new JsonParser();
|
||||
JsonObject responseJson;
|
||||
try {
|
||||
responseJson = parser.parse(new BufferedReader(new InputStreamReader(response.getEntity().getContent()))).getAsJsonObject();
|
||||
} catch (JsonParseException | IllegalStateException e) {
|
||||
throw new NetworkErrorException(Constants.ERROR_ON_API);
|
||||
}
|
||||
if (!"".equals(outputDepToFile) && outputDepToFile != null) {
|
||||
writeToFile(outputDepToFile, jsonDepTree, responseJson);
|
||||
}
|
||||
Renderer renderer = new Renderer(getLog(), failOnVuln);
|
||||
renderer.renderResponse(response.getEntity().getContent());
|
||||
renderer.renderResponse(responseJson);
|
||||
|
||||
} catch (DependencyCollectionException e) {
|
||||
throw new MojoFailureException(e.getMessage());
|
||||
|
||||
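Review bot: The API response is decoded with the platform default charset at `responseJson = parser.parse(new BufferedReader(new InputStreamReader(response.getEntity().getContent()))).getAsJsonObject();`, so on a JVM whose default is not UTF-8 the non-ASCII vulnerability titles are mangled before they reach the renderer and the dumped file. Pass it explicitly, `new InputStreamReader(response.getEntity().getContent(), StandardCharsets.UTF_8)`, with `import java.nio.charset.StandardCharsets;` added to the import hunk above, and consider a try-with-resources around the reader so the entity stream is released on the parse-error path too. The `catch (JsonParseException | IllegalStateException e)` discards `e`, so a malformed response surfaces only as `Constants.ERROR_ON_API` with no cause; if NetworkErrorException has a cause-taking constructor pass `e` through, otherwise log it at debug before throwing. The try block this code sits in begins outside the hunk. Note also that `renderResponseTest_ErrorJson`, which covered the malformed-response path through the old InputStream overload, is removed in TestRenderer below and nothing visible exercises the parse block that now lives in MosecTest.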
@@ -34,15 +34,7 @@ public class Renderer {
|
||||
this.failOnVuln = failOnVuln;
|
||||
}
|
||||
|
||||
public void renderResponse(InputStream in) throws NetworkErrorException, FoundVulnerableException {
|
||||
JsonParser parser = new JsonParser();
|
||||
JsonObject responseJson;
|
||||
try {
|
||||
responseJson = parser.parse(new BufferedReader(new InputStreamReader(in))).getAsJsonObject();
|
||||
} catch (JsonParseException | IllegalStateException e) {
|
||||
throw new NetworkErrorException(Constants.ERROR_ON_API);
|
||||
}
|
||||
|
||||
public void renderResponse(JsonObject responseJson) throws NetworkErrorException, FoundVulnerableException {
|
||||
if(responseJson.get("ok") != null && responseJson.get("ok").getAsBoolean()) {
|
||||
String ok = "✓ Tested %s dependencies, no vulnerable found.";
|
||||
getLog().info(logHelper.strongInfo(String.format(ok, responseJson.get("dependencyCount").getAsString())));
|
||||
@@ -100,4 +92,22 @@ public class Renderer {
|
||||
outputStream.write(jsonTree.getBytes());
|
||||
outputStream.close();
|
||||
}
|
||||
|
||||
public static void writeToFile(String filename, String jsonTree, JsonObject responseJson) throws IOException, NetworkErrorException {
|
||||
File file = new File(filename);
|
||||
JsonParser parser = new JsonParser();
|
||||
JsonObject result = parser.parse(jsonTree).getAsJsonObject();
|
||||
result.add("ok", responseJson.get("ok"));
|
||||
result.add("dependencyCount", responseJson.get("dependencyCount"));
|
||||
result.add("vulnerabilities", responseJson.get("vulnerabilities"));
|
||||
if (!file.exists()) {
|
||||
File dir = new File(file.getAbsoluteFile().getParent());
|
||||
dir.mkdirs();
|
||||
file.createNewFile();
|
||||
}
|
||||
String jsonResult = new GsonBuilder().setPrettyPrinting().create().toJson(result);
|
||||
FileOutputStream outputStream = new FileOutputStream(file);
|
||||
outputStream.write(jsonResult.getBytes());
|
||||
outputStream.close();
|
||||
}
|
||||
}
|
||||
|
||||
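Review bot: In the new `writeToFile(String, String, JsonObject)` the stream is opened as `FileOutputStream outputStream = new FileOutputStream(file);` outside try-with-resources, so an exception from `write` leaks the handle, and `jsonResult.getBytes()` encodes with the platform default charset even though the merged result carries the vulnerability data from the response. The return values of `dir.mkdirs()` and `file.createNewFile()` are ignored, and `createNewFile()` is redundant since FileOutputStream creates the file itself; `getAbsoluteFile().getParentFile()` avoids the `new File(String)` round-trip. The two-argument overload shown as context just above has the same write pattern, so the same change applies there. `StandardCharsets` needs a `java.nio.charset` import, and nothing in this body throws NetworkErrorException, so that clause can be dropped from the signature unless callers rely on it.
```java
public static void writeToFile(String filename, String jsonTree, JsonObject responseJson) throws IOException, NetworkErrorException {
    // … unchanged: parse jsonTree and merge ok/dependencyCount/vulnerabilities from responseJson into result …
    File file = new File(filename);
    File dir = file.getAbsoluteFile().getParentFile();
    if (dir != null && !dir.isDirectory() && !dir.mkdirs()) {
        throw new IOException("Cannot create output directory: " + dir);
    }
    String jsonResult = new GsonBuilder().setPrettyPrinting().create().toJson(result);
    try (FileOutputStream outputStream = new FileOutputStream(file)) {
        outputStream.write(jsonResult.getBytes(StandardCharsets.UTF_8));
    }
}
```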
@@ -15,6 +15,7 @@
|
||||
*/
|
||||
package com.immomo.momosec.maven.plugins;
|
||||
|
||||
import com.google.gson.JsonParser;
|
||||
import com.immomo.momosec.maven.plugins.exceptions.FoundVulnerableException;
|
||||
import com.immomo.momosec.maven.plugins.exceptions.NetworkErrorException;
|
||||
import org.apache.maven.monitor.logging.DefaultLog;
|
||||
@@ -45,7 +46,8 @@ public class TestRenderer {
|
||||
private final String no_vulnerable_response =
|
||||
"{" +
|
||||
" \"ok\": true," +
|
||||
" \"dependencyCount\": 3" +
|
||||
" \"dependencyCount\": 3," +
|
||||
" \"vulnerabilities\": []" +
|
||||
"}";
|
||||
|
||||
private final String vulnerable_response =
|
||||
@@ -74,20 +76,11 @@ public class TestRenderer {
|
||||
System.setErr(originalErr);
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void renderResponseTest_ErrorJson() throws Exception {
|
||||
exceptionRule.expect(NetworkErrorException.class);
|
||||
exceptionRule.expectMessage(Constants.ERROR_ON_API);
|
||||
|
||||
Renderer renderer = new Renderer(log, true);
|
||||
renderer.renderResponse(new ByteArrayInputStream("_".getBytes()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void renderResponseTest_NotFoundVuln() throws Exception {
|
||||
Renderer renderer = new Renderer(log, true);
|
||||
renderer.renderResponse(new ByteArrayInputStream(no_vulnerable_response.getBytes()));
|
||||
JsonParser parser = new JsonParser();
|
||||
renderer.renderResponse(parser.parse(no_vulnerable_response).getAsJsonObject());
|
||||
|
||||
String expect = "[INFO] " + logHelper.strongInfo("✓ Tested 3 dependencies, no vulnerable found.") + "\n";
|
||||
Assert.assertEquals(expect, outContent.toString());
|
||||
@@ -99,13 +92,15 @@ public class TestRenderer {
|
||||
exceptionRule.expectMessage(Constants.ERROR_ON_VULNERABLE);
|
||||
|
||||
Renderer renderer = new Renderer(log, true);
|
||||
renderer.renderResponse(new ByteArrayInputStream(vulnerable_response.getBytes()));
|
||||
JsonParser parser = new JsonParser();
|
||||
renderer.renderResponse(parser.parse(vulnerable_response).getAsJsonObject());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void renderResponseTest_FoundVulnWithoutFailOnVuln() throws Exception {
|
||||
Renderer renderer = new Renderer(log, false);
|
||||
renderer.renderResponse(new ByteArrayInputStream(vulnerable_response.getBytes()));
|
||||
JsonParser parser = new JsonParser();
|
||||
renderer.renderResponse(parser.parse(vulnerable_response).getAsJsonObject());
|
||||
|
||||
String expect =
|
||||
"[WARNING] " + logHelper.strongError("✗ High severity (Fake Vulnerable - CVE-0001-0001) found on com.study.foo:bar@1.0.0") + "\n" +
|
||||
|
||||