Demo project for sonatype/ossindex-maven#57
Benjamin Krahl
committed
Dec 17, 2021
0 parents
commit ffd4052
Showing
3 changed files
with
154 additions
and
0 deletions.
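--- /dev/null
+++ b/PLACEHOLDER_PATH_README
@@ -0,0 +1,45 @@
+# Introduction
+
+This is a demo project for pull request sonatype/ossindex-maven#57
+
+It was created by using https://start.spring.io/.
+
+POM is modified to use `maven-enforcer-plugin` in version 3.0.0 and `ossindex-maven-enforcer-rules` in version 3.1.1-SNAPSHOT. Version 3.1.0 is not compatible with `maven-enforcer-plugin` in version 3.0.0.
+
+Build will fail because there is a log4j dependency in version 2.15.0 with incomplete fix for CVE-2021-44228 here for testing (low vulnerability).
+
+# Usage
+One should try to build this first. Expected error
+
+```
+[INFO] BUILD FAILURE
+[INFO] ------------------------------------------------------------------------
+[INFO] Total time: 7.352 s
+[INFO] Finished at: 2021-12-17T08:46:06+01:00
+[INFO] ------------------------------------------------------------------------
+[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Execution vulnerability-checks of goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:3.0.0 or one of its dependencies could not be resolved: Could not find artifact org.sonatype.ossindex.maven:ossindex-maven-enforcer-rules:jar:3.1.1-SNAPSHOT in nexus (...) -> [Help 1]
+```
+
+Then checkout `ossindex-maven` with `maven-enforcer-plugin` bump to version 3.0.0.
+
+```shell
+git clone https://github.com/bkrahl-nli/ossindex-maven.git
+cd ossindex-maven
+mvn clean install
+```
+
+Afterwards try to build this demo project again. Expected error is
+```shell
+[WARNING] Rule 0: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies failed with message:
+Detected 1 vulnerable components:
+org.apache.logging.log4j:log4j-core:jar:2.15.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
+* [CVE-2021-45046] It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i... (3.7); https://ossindex.sonatype.org/vulnerability/edaf092e-e7f3-4c69-8f01-a5c6fc44890a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
+
+[INFO] ------------------------------------------------------------------------
+[INFO] BUILD FAILURE
+[INFO] ------------------------------------------------------------------------
+[INFO] Total time: 1.203 s
+[INFO] Finished at: 2021-12-17T08:46:57+01:00
+[INFO] ------------------------------------------------------------------------
+[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
+```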
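--- /dev/null
+++ b/PLACEHOLDER_PATH_POM_XML
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<parent>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-parent</artifactId>
+<version>2.6.1</version>
+<relativePath/> <!-- lookup parent from repository -->
+</parent>
+<groupId>com.example</groupId>
+<artifactId>demo</artifactId>
+<version>0.0.1-SNAPSHOT</version>
+<name>demo</name>
+<description>Demo project for Spring Boot</description>
+<properties>
+<java.version>1.8</java.version>
+</properties>
+<dependencies>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter</artifactId>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-test</artifactId>
+<scope>test</scope>
+</dependency>
+
+<!-- using vulnerable log4j 2 with incomplete fix for CVE-2021-44228 here for testing (low vulnerability) -->
+<dependency>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-api</artifactId>
+<version>2.15.0</version>
+</dependency>
+
+<dependency>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-core</artifactId>
+<version>2.15.0</version>
+</dependency>
+</dependencies>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-maven-plugin</artifactId>
+</plugin>
+
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-enforcer-plugin</artifactId>
+<!-- Last ossindex-maven-enforcer-rules 3.1.0 release works only with 3.0.0-M1 -->
+<version>3.0.0</version>
+<executions>
+<execution>
+<id>vulnerability-checks</id>
+<phase>validate</phase>
+<goals>
+<goal>enforce</goal>
+</goals>
+<configuration>
+<rules>
+<banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies">
+<!-- severity ratings: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) -->
+<cvssScoreThreshold>3.7</cvssScoreThreshold>
+<level>ERROR</level>
+<!-- <excludeCoordinates>
+<exclude>
+<groupId>org.apache.logging.log4j</groupId>
+<artifactId>log4j-core</artifactId>
+<version>2.15.0</version>
+</exclude>
+</excludeCoordinates> -->
+</banVulnerable>
+</rules>
+</configuration>
+</execution>
+</executions>
+<dependencies>
+<dependency>
+<groupId>org.sonatype.ossindex.maven</groupId>
+<artifactId>ossindex-maven-enforcer-rules</artifactId>
+<!-- Last ossindex-maven-enforcer-rules 3.1.0 release works only with 3.0.0-M1 -->
+<!-- Switch to 3.1.0 here to see the build fail with maven-enforcer-plugin 3.0.0-->
+<version>3.1.1-SNAPSHOT</version>
+</dependency>
+</dependencies>
+</plugin>
+
+</plugins>
+</build>
+
+</project>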
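Review bot: The `<cvssScoreThreshold>3.7</cvssScoreThreshold>` on the banVulnerable rule is set exactly to the score the README's expected output shows for CVE-2021-45046, so the demo's build failure depends on OSS Index still rating that finding at 3.7 or higher, and the severity-band comment above the value does not say so; OSS Index ratings are revised over time. I would record that next to the value, e.g. `<!-- 3.7 equals the OSS Index score of CVE-2021-45046 at the time of writing; a lower threshold keeps the demo failing if the rating changes -->`. The commented-out `<excludeCoordinates>` block just below it would, if re-enabled, silence every finding for log4j-core 2.15.0 rather than the one intended; `excludeVulnerabilityIds` is the narrower knob for acknowledging a single CVE, and any exclusion should carry a reason and a review date in a comment. The plugin's `<dependencies>` block pins `ossindex-maven-enforcer-rules` to `3.1.1-SNAPSHOT`, which resolves to whatever was last installed locally, so the README's build-from-fork step is a hard prerequisite that the two comments on that dependency do not state.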
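--- /dev/null
+++ b/PLACEHOLDER_PATH_DEMO_APPLICATION_JAVA
@@ -0,0 +1,13 @@
+package com.example.demo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class DemoApplication {
+
+public static void main(String[] args) {
+SpringApplication.run(DemoApplication.class, args);
+}
+
+}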