momosecurity/mosec-maven-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: momosecurity:a71101ff16a87e336e91d51e959627d9ef770e0d
Branches Tags
momosecurity:master
...
compare: momosecurity:8be2bc7765759b2bf13f6dec5de45cb21b2ed66a
Branches Tags
momosecurity:master

10 Commits
a71101ff16 ... 8be2bc7765

Author SHA1 Message Date
retanoj
8be2bc7765 version 1.0.10 repo file
Some checks failed
Maven Test / run_tests (push) Has been cancelled
Details
2022-04-12 10:36:20 +08:00
retanoj
6c4fbfca8c README 2022-04-12 10:35:03 +08:00
retanoj
f6643116f5 version 1.0.10 2022-04-11 17:53:01 +08:00
retanoj
fca4bb98cf README 2022-04-11 14:15:39 +08:00
retanoj
2f1d4103d6 README 2022-04-08 18:46:36 +08:00
retanoj
2a27960ab7 version 1.0.9 2022-04-08 18:07:37 +08:00
retanoj
acabffa992 fix dump file 2022-04-08 17:58:49 +08:00
retanoj
d4b0bca5a1 severityLevel to severity 2021-12-01 17:06:41 +08:00
retanoj
e3ebf6b0e3 Merge pull request #4 from retanoj/master 
github action test
 2021-06-21 13:02:44 +08:00
retanoj
7d5e77f547 github action test 2021-06-21 12:57:38 +08:00
34 changed files with 904 additions and 38 deletions
Expand all files Collapse all files

15
.github/workflows/github-actions-test.yml vendored Normal file
View File

@@ -0,0 +1,15 @@
name: Maven Test
on: [push]
jobs:
run_tests:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
- name: Run tests with Maen
run: mvn -B test

10
CHANGES
View File

@@ -2,6 +2,16 @@ Changelog
=========
Version 1.0.10
- feature Add "result" to dump file after inspect
Version 1.0.9
- feature Add parent and modules fields to dump file
- feature `-DonlyAnalyze` allow not have `endpoint`
- bugfix Fix `-DoutputDepToFile` only dump last module dependencies bug
Version 1.0.8
- feature dump dependencies tree to file include / exclude scan result

7
README.md
View File

@@ -76,12 +76,13 @@ Maven >= 3.1
> MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
mvn com.immomo.momosec:mosec-maven-plugin:1.0.7:test \
-DonlyProvenance=true
-DonlyProvenance=true \
-Dseverity=High
// 或简化方式
> MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
mvn mosec:test -DonlyProvenance=true
mvn mosec:test -DonlyProvenance=true -Dseverity=High
```
#### 项目中使用
@@ -144,7 +145,7 @@ mosec:test
User property: onlyProvenance
outputDepToFile (Default: )
输出依赖树到文件,如果用户设置了onlyAnalyze=true仅输出依赖树,否则输出依赖树及漏洞检查结果
输出依赖树到文件。设置-DonlyAnalyze=true仅输出依赖树否则输出依赖树及漏洞检查结果
User property: outputDepToFile
severityLevel (Default: High)

BIN
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar Normal file
View File

Binary file not shown.

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar.md5 Normal file
View File

@@ -0,0 +1 @@
37a4ba5984e49a3e3d223b1cc4e4155c

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar.sha1 Normal file
View File

@@ -0,0 +1 @@
46bc283f96e383b3f49dc497f4dae97156b4311a

134
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom Normal file
View File

@@ -0,0 +1,134 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<prerequisites>
<maven>3.1.0</maven>
</prerequisites>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<version>1.0.10</version>
<packaging>maven-plugin</packaging>
<name>Mosec Maven Plugin</name>
<description>用于检测Maven项目的第三方依赖组件是否存在安全漏洞</description>
<developers>
<developer>
<name>retanoj</name>
<email>mmsrc@immomo.com</email>
</developer>
</developers>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<mavenVersion>3.3.9</mavenVersion>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-core</artifactId>
<version>${mavenVersion}</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-tools</groupId>
<artifactId>maven-plugin-annotations</artifactId>
<version>3.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.5</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-testing</groupId>
<artifactId>maven-plugin-testing-harness</artifactId>
<version>3.3.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>2.28.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito2</artifactId>
<version>2.0.9</version>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>2.0.9</version>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-compat</artifactId>
<version>3.3.9</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.5</version>
<configuration>
<goalPrefix>mosec</goalPrefix>
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
</configuration>
<executions>
<execution>
<id>mojo-descriptor</id>
<goals>
<goal>descriptor</goal>
</goals>
</execution>
<execution>
<id>help-goal</id>
<goals>
<goal>helpmojo</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.6.2</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
<compilerArgument>-Xlint</compilerArgument>
</configuration>
</plugin>
</plugins>
</build>
<distributionManagement>
<repository>
<id>internal</id>
<url>file://mvn-repo</url>
</repository>
</distributionManagement>
</project>

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom.md5 Normal file
View File

@@ -0,0 +1 @@
9bf2b25d67d575d0b4fac08655b4fbfb

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom.sha1 Normal file
View File

@@ -0,0 +1 @@
0e8fbe6e1a3b829903f36a9f125b0508a8c2cc6c

BIN
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar Normal file
View File

Binary file not shown.

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar.md5 Normal file
View File

@@ -0,0 +1 @@
b2f9266d0f2b2a87e5e177eaecd35543

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar.sha1 Normal file
View File

@@ -0,0 +1 @@
5b2151f84cee0197018a567674db051e94dfd334

124
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom Normal file
View File

@@ -0,0 +1,124 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<prerequisites>
<maven>3.1.0</maven>
</prerequisites>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<version>1.0.9</version>
<packaging>maven-plugin</packaging>
<name>Mosec Maven Plugin</name>
<description>用于检测Maven项目的第三方依赖组件是否存在安全漏洞</description>
<developers>
<developer>
<name>retanoj</name>
<email>mmsrc@immomo.com</email>
</developer>
</developers>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<mavenVersion>3.3.9</mavenVersion>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-core</artifactId>
<version>${mavenVersion}</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-tools</groupId>
<artifactId>maven-plugin-annotations</artifactId>
<version>3.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.5</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-testing</groupId>
<artifactId>maven-plugin-testing-harness</artifactId>
<version>3.3.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>2.28.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-compat</artifactId>
<version>3.3.9</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.5</version>
<configuration>
<goalPrefix>mosec</goalPrefix>
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
</configuration>
<executions>
<execution>
<id>mojo-descriptor</id>
<goals>
<goal>descriptor</goal>
</goals>
</execution>
<execution>
<id>help-goal</id>
<goals>
<goal>helpmojo</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.6.2</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
<compilerArgument>-Xlint</compilerArgument>
</configuration>
</plugin>
</plugins>
</build>
<distributionManagement>
<repository>
<id>internal</id>
<url>file://mvn-repo</url>
</repository>
</distributionManagement>
</project>

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom.md5 Normal file
View File

@@ -0,0 +1 @@
591d374bf6de6cd28897bdbf4360b454

1
mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom.sha1 Normal file
View File

@@ -0,0 +1 @@
5f6abdce51651103068ef2004f5661f827e1e94d

8
mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml
View File

@@ -3,12 +3,14 @@
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<versioning>
<latest>1.0.8</latest>
<release>1.0.8</release>
<latest>1.0.10</latest>
<release>1.0.10</release>
<versions>
<version>1.0.7</version>
<version>1.0.8</version>
<version>1.0.9</version>
<version>1.0.10</version>
</versions>
<lastUpdated>20210621033628</lastUpdated>
<lastUpdated>20220412023537</lastUpdated>
</versioning>
</metadata>

2
mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.md5
View File

@@ -1 +1 @@
95c17d487c921627a9b97445e2a00f47
2f7ff63cc756db36bc3059a016d7f99a

2
mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.sha1
View File

@@ -1 +1 @@
4f2ce91855db9e696891caa64a322b381bef5894
a347d34be60bccb963f0a9796f9780fac85a6eba

12
pom.xml
View File

@@ -8,7 +8,7 @@
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<version>1.0.8</version>
<version>1.0.10</version>
<packaging>maven-plugin</packaging>
<name>Mosec Maven Plugin</name>
@@ -68,6 +68,16 @@
<version>2.28.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito2</artifactId>
<version>2.0.9</version>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>2.0.9</version>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-compat</artifactId>

71
src/main/java/com/immomo/momosec/maven/plugins/MosecTest.java
View File

@@ -23,6 +23,7 @@ import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Mojo;
@@ -37,7 +38,10 @@ import org.eclipse.aether.repository.RemoteRepository;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.TreeSet;
import java.util.stream.Collectors;
import static com.immomo.momosec.maven.plugins.Renderer.writeToFile;
@@ -104,13 +108,16 @@ public class MosecTest extends AbstractMojo {
@Parameter(property = "onlyAnalyze", defaultValue = "false")
private Boolean onlyAnalyze;
public void execute() throws MojoFailureException {
private static List<JsonObject> collectTree = new ArrayList<>();
private static List<String> totalProjectsByGAV = null;
public void execute() throws MojoExecutionException, MojoFailureException {
String env_endpoint = System.getenv(Constants.MOSEC_ENDPOINT_ENV);
if (env_endpoint != null) {
endpoint = env_endpoint;
}
if (endpoint == null) {
if (Boolean.FALSE.equals(onlyAnalyze) && endpoint == null) {
throw new MojoFailureException(Constants.ERROR_ON_NULL_ENDPOINT);
}
@@ -142,20 +149,25 @@ public class MosecTest extends AbstractMojo {
);
collector.collectDependencies();
JsonObject projectTree = collector.getTree();
String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
getLog().debug(jsonDepTree);
collectTree.add(projectTree.deepCopy());
if (Boolean.TRUE.equals(onlyAnalyze)) {
if (this.isAnalyzeTotalFinished()
&& outputDepToFile != null
&& !"".equals(outputDepToFile)
) {
writeToFile(outputDepToFile, new GsonBuilder().setPrettyPrinting().create().toJson(collectTree));
}
getLog().info("onlyAnalyze mode, Done.");
return;
}
projectTree.addProperty("type", Constants.BUILD_TOOL_TYPE);
projectTree.addProperty("language", Constants.PROJECT_LANGUAGE);
projectTree.addProperty("severityLevel", severityLevel);
String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
getLog().debug(jsonDepTree);
if (Boolean.TRUE.equals(onlyAnalyze)) {
if (!"".equals(outputDepToFile) && outputDepToFile != null) {
writeToFile(outputDepToFile, jsonDepTree);
}
getLog().info("onlyAnalyze mode, Done.");
return;
}
HttpPost request = new HttpPost(endpoint);
request.addHeader("content-type", Constants.CONTENT_TYPE_JSON);
@@ -174,17 +186,21 @@ public class MosecTest extends AbstractMojo {
JsonObject responseJson;
try {
responseJson = parser.parse(new BufferedReader(new InputStreamReader(response.getEntity().getContent()))).getAsJsonObject();
JsonObject lastTree = collectTree.get(collectTree.size() - 1);
lastTree.add("result", responseJson);
} catch (JsonParseException | IllegalStateException e) {
throw new NetworkErrorException(Constants.ERROR_ON_API);
}
if (!"".equals(outputDepToFile) && outputDepToFile != null) {
writeToFile(outputDepToFile, jsonDepTree, responseJson);
if (outputDepToFile != null && !"".equals(outputDepToFile)) {
writeToFile(outputDepToFile, new GsonBuilder().setPrettyPrinting().create().toJson(collectTree));
}
Renderer renderer = new Renderer(getLog(), failOnVuln);
renderer.renderResponse(responseJson);
} catch (DependencyCollectionException e) {
throw new MojoFailureException(e.getMessage());
throw new MojoFailureException(e.getMessage(), e.fillInStackTrace());
} catch(MojoFailureException e) {
throw e;
} catch(Exception e) {
@@ -194,6 +210,31 @@ public class MosecTest extends AbstractMojo {
getLog().error(Constants.ERROR_GENERAL);
getLog().error(Constants.ERROR_RERUN_WITH_DEBUG);
}
throw new MojoFailureException(e.getMessage(), e.fillInStackTrace());
}
}
@SuppressWarnings("unchecked")
private boolean isAnalyzeTotalFinished() {
if (totalProjectsByGAV == null) {
Object key = repositorySystemSession.getWorkspaceReader().getRepository().getKey();
if (key instanceof HashSet) {
HashSet<String> gavs = (HashSet<String>) key;
totalProjectsByGAV = (List<String>) gavs.stream().collect(Collectors.toList());
} else {
return false;
}
}
List<String> analyzedProjectsByGAV = collectTree.stream()
.map(o -> String.format("%s:%s", o.get("name").getAsString(), o.get("version").getAsString()))
.collect(Collectors.toList());
if (totalProjectsByGAV == null
|| analyzedProjectsByGAV == null
|| totalProjectsByGAV.size() != analyzedProjectsByGAV.size()
) {
return false;
}
return new TreeSet<String>(totalProjectsByGAV).equals(new TreeSet<String>(analyzedProjectsByGAV));
}
}

13
src/main/java/com/immomo/momosec/maven/plugins/ProjectDependencyCollector.java
View File

@@ -15,8 +15,10 @@
*/
package com.immomo.momosec.maven.plugins;
import com.google.gson.Gson;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import org.apache.maven.model.Model;
import org.apache.maven.project.MavenProject;
import org.eclipse.aether.DefaultRepositorySystemSession;
import org.eclipse.aether.RepositorySystem;
@@ -93,6 +95,17 @@ public class ProjectDependencyCollector {
DependencyNode node = collectResult.getRoot();
this.tree = createJsonTree(node, null);
MavenProject parent = this.project.getParent();
if (parent == null) {
this.tree.add("parent", new JsonObject());
} else {
JsonObject jParent = new JsonObject();
jParent.addProperty("name", String.format("%s:%s", parent.getGroupId(), parent.getArtifactId()));
jParent.addProperty("version", parent.getVersion());
this.tree.add("parent", jParent);
}
tree.add("modules", (new Gson()).toJsonTree(this.project.getModules()).getAsJsonArray());
}
private JsonObject createJsonTree(DependencyNode depNode, JsonArray ancestors) {

138
src/test/java/com/immomo/momosec/maven/plugins/TestMosecTest.java
View File

@@ -15,15 +15,38 @@
*/
package com.immomo.momosec.maven.plugins;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.HttpClient;
import org.apache.maven.plugin.logging.Log;
import org.apache.maven.plugin.testing.MojoRule;
import org.apache.maven.plugin.testing.resources.TestResources;
import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.collection.CollectResult;
import org.eclipse.aether.graph.DefaultDependencyNode;
import org.eclipse.aether.graph.DependencyNode;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import static org.mockito.ArgumentMatchers.any;
import static org.powermock.api.mockito.PowerMockito.*;
@RunWith(PowerMockRunner.class)
@PrepareForTest({HttpClientHelper.class, MosecTest.class})
public class TestMosecTest {
@Rule
@@ -41,8 +64,6 @@ public class TestMosecTest {
public void invalidProjectTest() throws Exception {
File projectCopy = this.resources.getBasedir("empty-dir");
File pom = new File(projectCopy, "pom.xml");
Assert.assertNotNull(pom);
Assert.assertFalse(pom.exists());
exceptionRule.expect(java.io.FileNotFoundException.class);
exceptionRule.expectMessage("(No such file or directory)");
@@ -52,14 +73,117 @@ public class TestMosecTest {
@Test
public void validProjectTest() throws Exception {
File projectCopy = this.resources.getBasedir("valid-project");
File pom = new File(projectCopy, "pom.xml");
Assert.assertNotNull(pom);
Assert.assertTrue(pom.exists());
File pom = getPom("valid-project", "pom.xml");
MosecTest mosecTest = (MosecTest)this.rule.lookupMojo("test", pom);
Assert.assertNotNull(mosecTest);
}
@Test
public void onlyAnalyzeWithoutEndpointPom() throws Exception {
File pom = getPom("valid-project", "onlyAnalyzeWithoutEndpointPom.xml");
MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
CollectResult mockCollectResult = mock(CollectResult.class);
DependencyNode mockRoot = new DefaultDependencyNode(
new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
when(mosecTest.getLog()).thenReturn(mock(Log.class));
when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
when(mockCollectResult.getRoot()).thenReturn(mockRoot);
Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
repoSystemField.setAccessible(true);
repoSystemField.set(mosecTest, mockRepositorySystem);
mosecTest.execute();
}
@Test
public void onlyAnalyzeWithEndpointPom() throws Exception {
File pom = getPom("valid-project", "onlyAnalyzeWithEndpointPom.xml");
MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
CollectResult mockCollectResult = mock(CollectResult.class);
DependencyNode mockRoot = new DefaultDependencyNode(
new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
when(mosecTest.getLog()).thenReturn(mock(Log.class));
when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
when(mockCollectResult.getRoot()).thenReturn(mockRoot);
Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
repoSystemField.setAccessible(true);
repoSystemField.set(mosecTest, mockRepositorySystem);
mosecTest.execute();
}
@Test
public void testFailOnVulnWithTruePom() throws Exception {
File pom = getPom("valid-project", "failOnVulnWithTruePom.xml");
exceptionRule.expectMessage("Dependency Vulnerable Found!");
failOnVulnPomRunner(pom);
}
@Test
public void testFailOnVulnWithFalsePom() throws Exception {
File pom = getPom("valid-project", "failOnVulnWithFalsePom.xml");
failOnVulnPomRunner(pom);
}
private void failOnVulnPomRunner(File pom) throws Exception {
MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
CollectResult mockCollectResult = mock(CollectResult.class);
DependencyNode mockRoot = new DefaultDependencyNode(
new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
HttpClientHelper mockHttpClientHelper = mock(HttpClientHelper.class);
HttpClient mockHttpClient = mock(HttpClient.class);
HttpResponse mockHttpResponse = mock(HttpResponse.class);
StatusLine mockStatusLine = mock(StatusLine.class);
HttpEntity mockHttpEntity = mock(HttpEntity.class);
when(mosecTest.getLog()).thenReturn(mock(Log.class));
when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
when(mockCollectResult.getRoot()).thenReturn(mockRoot);
whenNew(HttpClientHelper.class).withAnyArguments().thenReturn(mockHttpClientHelper);
when(mockHttpClientHelper.buildHttpClient()).thenReturn(mockHttpClient);
when(mockHttpClient.execute(any())).thenReturn(mockHttpResponse);
when(mockHttpResponse.getStatusLine()).thenReturn(mockStatusLine);
when(mockStatusLine.getStatusCode()).thenReturn(200);
String vuln = "{\"ok\":false, \"dependencyCount\": 2, \"vulnerabilities\":[{" +
"\"severity\": \"High\"," +
"\"title\": \"Fastjson RCE\"," +
"\"cve\": \"CVE-0000-0001\"," +
"\"packageName\": \"com.alibaba:fastjson\"," +
"\"version\": \"1.2.33\"," +
"\"target_version\": [\"1.2.80\"]" +
"}]}";
InputStream httpResponseContent = new ByteArrayInputStream(vuln.getBytes());
when(mockHttpResponse.getEntity()).thenReturn(mockHttpEntity);
when(mockHttpEntity.getContent()).thenReturn(httpResponseContent);
Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
repoSystemField.setAccessible(true);
repoSystemField.set(mosecTest, mockRepositorySystem);
mosecTest.execute();
}
public File getPom(String baseDir, String fn) throws IOException {
File projectCopy = this.resources.getBasedir(baseDir);
File pom = new File(projectCopy, fn);
Assert.assertNotNull(pom);
Assert.assertTrue(pom.exists());
return pom;
}
}

31
src/test/java/com/immomo/momosec/maven/plugins/stubs/MyTestProjectSystemSessionStub.java
View File

@@ -15,8 +15,11 @@
*/
package com.immomo.momosec.maven.plugins.stubs;
import org.apache.maven.model.Model;
import org.apache.maven.repository.internal.MavenWorkspaceReader;
import org.codehaus.plexus.PlexusTestCase;
import org.eclipse.aether.*;
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.artifact.ArtifactType;
import org.eclipse.aether.artifact.ArtifactTypeRegistry;
import org.eclipse.aether.collection.*;
@@ -25,8 +28,12 @@ import org.eclipse.aether.repository.*;
import org.eclipse.aether.resolution.ArtifactDescriptorPolicy;
import org.eclipse.aether.resolution.ResolutionErrorPolicy;
import org.eclipse.aether.transfer.TransferListener;
import org.eclipse.aether.util.repository.ChainedWorkspaceReader;
import java.io.File;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
public class MyTestProjectSystemSessionStub implements RepositorySystemSession {
@@ -103,7 +110,29 @@ public class MyTestProjectSystemSessionStub implements RepositorySystemSession {
@Override
public WorkspaceReader getWorkspaceReader() {
return null;
return new MavenWorkspaceReader() {
@Override
public Model findModel(Artifact artifact) {
return null;
}
@Override
public WorkspaceRepository getRepository() {
return new WorkspaceRepository("mock", new HashSet<String>(){{
add("com.immomo.momosec:MyTestProject:1.0.0");
}});
}
@Override
public File findArtifact(Artifact artifact) {
return null;
}
@Override
public List<String> findVersions(Artifact artifact) {
return null;
}
};
}
@Override

1
src/test/resources/projects/empty-dir/foo
View File

@@ -0,0 +1 @@

66
src/test/resources/projects/module-project/dumpDepFile.txt Normal file
View File

@@ -0,0 +1,66 @@
[
{
"version": "1.0.0",
"name": "com.immomo.momosec:ModuleProject",
"from": [
"com.immomo.momosec:ModuleProject@1.0.0"
],
"dependencies": {},
"parent": {},
"modules": [
"moduleA",
"moduleB"
]
},
{
"version": "1.0.0",
"name": "com.immomo.momosec:ModuleA",
"from": [
"com.immomo.momosec:ModuleA@1.0.0"
],
"dependencies": {},
"parent": {
"name": "com.immomo.momosec:ModuleProject",
"version": "1.0.0"
},
"modules": [
"moduleSubA"
]
},
{
"version": "1.0.0",
"name": "com.immomo.momosec:ModuleSubA",
"from": [
"com.immomo.momosec:ModuleSubA@1.0.0"
],
"dependencies": {
"com.alibaba:fastjson": {
"version": "1.2.33",
"name": "com.alibaba:fastjson",
"from": [
"com.immomo.momosec:ModuleSubA@1.0.0",
"com.alibaba:fastjson@1.2.33"
],
"dependencies": {}
}
},
"parent": {
"name": "com.immomo.momosec:ModuleA",
"version": "1.0.0"
},
"modules": []
},
{
"version": "1.0.0",
"name": "com.immomo.momosec:ModuleB",
"from": [
"com.immomo.momosec:ModuleB@1.0.0"
],
"dependencies": {},
"parent": {
"name": "com.immomo.momosec:ModuleProject",
"version": "1.0.0"
},
"modules": []
}
]

19
src/test/resources/projects/module-project/moduleA/moduleSubA/pom.xml Normal file
View File

@@ -0,0 +1,19 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.immomo.momosec</groupId>
<artifactId>ModuleA</artifactId>
<version>1.0.0</version>
</parent>
<artifactId>ModuleSubA</artifactId>
<packaging>pom</packaging>
<dependencies>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
</dependency>
</dependencies>
</project>

16
src/test/resources/projects/module-project/moduleA/pom.xml Normal file
View File

@@ -0,0 +1,16 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.immomo.momosec</groupId>
<artifactId>ModuleProject</artifactId>
<version>1.0.0</version>
</parent>
<artifactId>ModuleA</artifactId>
<packaging>pom</packaging>
<modules>
<module>moduleSubA</module>
</modules>
</project>

13
src/test/resources/projects/module-project/moduleB/pom.xml Normal file
View File

@@ -0,0 +1,13 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.immomo.momosec</groupId>
<artifactId>ModuleProject</artifactId>
<version>1.0.0</version>
</parent>
<artifactId>ModuleB</artifactId>
<packaging>pom</packaging>
</project>

26
src/test/resources/projects/module-project/pom.xml Normal file
View File

@@ -0,0 +1,26 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.immomo.momosec</groupId>
<artifactId>ModuleProject</artifactId>
<packaging>pom</packaging>
<version>1.0.0</version>
<modules>
<module>moduleA</module>
<module>moduleB</module>
</modules>
<name>Mosec Maven Plugin Test Project</name>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.33</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>

49
src/test/resources/projects/valid-project/failOnVulnWithFalsePom.xml Normal file
View File

@@ -0,0 +1,49 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.immomo.momosec</groupId>
<artifactId>MyTestProject</artifactId>
<version>1.0.0</version>
<name>Mosec Maven Plugin Test Project</name>
<dependencies>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.33</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<configuration>
<!-- The defined stubs -->
<project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
<settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
<repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
<!-- The defined stubs end -->
<remoteProjectRepositories></remoteProjectRepositories>
<remotePluginRepositories></remotePluginRepositories>
<severityLevel>High</severityLevel>
<failOnVuln>False</failOnVuln>
<onlyProvenance>true</onlyProvenance>
<endpoint>https://fake.endpoint.com/</endpoint>
<includeProvidedDependency>false</includeProvidedDependency>
</configuration>
</plugin>
</plugins>
</build>
</project>

49
src/test/resources/projects/valid-project/failOnVulnWithTruePom.xml Normal file
View File

@@ -0,0 +1,49 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.immomo.momosec</groupId>
<artifactId>MyTestProject</artifactId>
<version>1.0.0</version>
<name>Mosec Maven Plugin Test Project</name>
<dependencies>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.33</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<configuration>
<!-- The defined stubs -->
<project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
<settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
<repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
<!-- The defined stubs end -->
<remoteProjectRepositories></remoteProjectRepositories>
<remotePluginRepositories></remotePluginRepositories>
<severityLevel>High</severityLevel>
<failOnVuln>True</failOnVuln>
<onlyProvenance>true</onlyProvenance>
<endpoint>https://fake.endpoint.com/</endpoint>
<includeProvidedDependency>false</includeProvidedDependency>
</configuration>
</plugin>
</plugins>
</build>
</project>

50
src/test/resources/projects/valid-project/onlyAnalyzeWithEndpointPom.xml Normal file
View File

@@ -0,0 +1,50 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.immomo.momosec</groupId>
<artifactId>MyTestProject</artifactId>
<version>1.0.0</version>
<name>Mosec Maven Plugin Test Project</name>
<dependencies>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.33</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<configuration>
<!-- The defined stubs -->
<project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
<settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
<repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
<!-- The defined stubs end -->
<remoteProjectRepositories></remoteProjectRepositories>
<remotePluginRepositories></remotePluginRepositories>
<severityLevel>High</severityLevel>
<failOnVuln>False</failOnVuln>
<onlyProvenance>true</onlyProvenance>
<onlyAnalyze>true</onlyAnalyze>
<endpoint>https://fake.endpoint.com/</endpoint>
<includeProvidedDependency>false</includeProvidedDependency>
</configuration>
</plugin>
</plugins>
</build>
</project>

49
src/test/resources/projects/valid-project/onlyAnalyzeWithoutEndpointPom.xml Normal file
View File

@@ -0,0 +1,49 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.immomo.momosec</groupId>
<artifactId>MyTestProject</artifactId>
<version>1.0.0</version>
<name>Mosec Maven Plugin Test Project</name>
<dependencies>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.33</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<configuration>
<!-- The defined stubs -->
<project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
<settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
<repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
<!-- The defined stubs end -->
<remoteProjectRepositories></remoteProjectRepositories>
<remotePluginRepositories></remotePluginRepositories>
<severityLevel>High</severityLevel>
<failOnVuln>False</failOnVuln>
<onlyProvenance>true</onlyProvenance>
<onlyAnalyze>true</onlyAnalyze>
<includeProvidedDependency>false</includeProvidedDependency>
</configuration>
</plugin>
</plugins>
</build>
</project>

29
src/test/resources/projects/vuln-project/pom.xml
View File

@@ -15,12 +15,29 @@
<artifactId>fastjson</artifactId>
<version>1.2.33</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.immomo.momosec</groupId>
<artifactId>mosec-maven-plugin</artifactId>
<configuration>
<!-- The defined stubs -->
<project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
<settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
<repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
<!-- The defined stubs end -->
<remoteProjectRepositories></remoteProjectRepositories>
<remotePluginRepositories></remotePluginRepositories>
<severityLevel>High</severityLevel>
<failOnVuln>False</failOnVuln>
<onlyProvenance>true</onlyProvenance>
<endpoint>https://fake.endpoint.com/</endpoint>
<includeProvidedDependency>false</includeProvidedDependency>
</configuration>
</plugin>
</plugins>
</build>
</project>