Demo project for sonatype/ossindex-maven#57
Benjamin Krahl committed Dec 17, 2021
0 parents commit ffd4052
Showing 3 changed files with 154 additions and 0 deletions.
45 changes: 45 additions & 0 deletions README.md
@@ -0,0 +1,45 @@
# Introduction

This is a demo project for pull request sonatype/ossindex-maven#57

It was created by using https://start.spring.io/.

POM is modified to use `maven-enforcer-plugin` in version 3.0.0 and `ossindex-maven-enforcer-rules` in version 3.1.1-SNAPSHOT. Version 3.1.0 is not compatible with `maven-enforcer-plugin` in version 3.0.0.

Build will fail because there is a log4j dependency in version 2.15.0 with incomplete fix for CVE-2021-44228 here for testing (low vulnerability).

# Usage
One should try to build this first. Expected error

```
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.352 s
[INFO] Finished at: 2021-12-17T08:46:06+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Execution vulnerability-checks of goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:3.0.0 or one of its dependencies could not be resolved: Could not find artifact org.sonatype.ossindex.maven:ossindex-maven-enforcer-rules:jar:3.1.1-SNAPSHOT in nexus (...) -> [Help 1]
```

Then checkout `ossindex-maven` with `maven-enforcer-plugin` bump to version 3.0.0.

```shell
git clone https://github.com/bkrahl-nli/ossindex-maven.git
cd ossindex-maven
mvn clean install
```

Afterwards try to build this demo project again. Expected error is
```shell
[WARNING] Rule 0: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies failed with message:
Detected 1 vulnerable components:
org.apache.logging.log4j:log4j-core:jar:2.15.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
* [CVE-2021-45046] It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i... (3.7); https://ossindex.sonatype.org/vulnerability/edaf092e-e7f3-4c69-8f01-a5c6fc44890a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.203 s
[INFO] Finished at: 2021-12-17T08:46:57+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
```
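Review bot: the sentence "Build will fail because there is a log4j dependency in version 2.15.0 ..." does not describe the first expected failure pasted right below it. That build dies at plugin resolution (`Could not find artifact org.sonatype.ossindex.maven:ossindex-maven-enforcer-rules:jar:3.1.1-SNAPSHOT`) before BanVulnerableDependencies ever runs; only the second build, after the local `mvn clean install` of the fork, fails on the vulnerable dependency. Suggest stating both failure modes up front, and naming the branch of https://github.com/bkrahl-nli/ossindex-maven.git that carries the maven-enforcer-plugin 3.0.0 bump in the checkout step, since `git clone` plus `mvn clean install` on the default branch will not necessarily produce the patched 3.1.1-SNAPSHOT. The "low vulnerability" wording and the 3.7 score in the captured output are a snapshot from 2021-12-17: CVE-2021-45046 was later re-scored to 9.0 (Critical) after it was shown to permit remote code execution in some non-default logging configurations, so anyone re-running the demo should expect a different score and severity in the rule output. Minor: the second fence is tagged `shell` but contains Maven log output, not commands.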
96 changes: 96 additions & 0 deletions pom.xml
@@ -0,0 +1,96 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.1</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>

<!-- using vulnerable log4j 2 with incomplete fix for CVE-2021-44228 here for testing (low vulnerability) -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<!-- Last ossindex-maven-enforcer-rules 3.1.0 release works only with 3.0.0-M1 -->
<version>3.0.0</version>
<executions>
<execution>
<id>vulnerability-checks</id>
<phase>validate</phase>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies">
<!-- severity ratings: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) -->
<cvssScoreThreshold>3.7</cvssScoreThreshold>
<level>ERROR</level>
<!-- <excludeCoordinates>
<exclude>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</exclude>
</excludeCoordinates> -->
</banVulnerable>
</rules>
</configuration>
</execution>
</executions>
<dependencies>
<dependency>
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-enforcer-rules</artifactId>
<!-- Last ossindex-maven-enforcer-rules 3.1.0 release works only with 3.0.0-M1 -->
<!-- Switch to 3.1.0 here to see the build fail with maven-enforcer-plugin 3.0.0-->
<version>3.1.1-SNAPSHOT</version>
</dependency>
</dependencies>
</plugin>

</plugins>
</build>

</project>
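Review bot: `<cvssScoreThreshold>3.7</cvssScoreThreshold>` is set to exactly the score of the one finding the demo expects, which ties the demo to OSS Index's scoring on the day it was written. The README output shows that a 3.7 finding is flagged at threshold 3.7, so the comparison is inclusive, but once the CVE is re-scored (CVE-2021-45046 has since been raised to 9.0) the value no longer documents any intent; suggest either a threshold that expresses a policy (the comment above it already spells out the bands) or a comment saying 3.7 was chosen to match this specific CVE. The commented-out `excludeCoordinates` block waives every finding for `org.apache.logging.log4j:log4j-core:2.15.0`, not just CVE-2021-45046; if it is meant to show how to accept a single finding, the rule's `excludeVulnerabilityIds` is the narrower tool, and any waiver should carry a reason and an expiry in a comment. Pinning `log4j-api` and `log4j-core` with explicit `<version>` elements overrides the versions managed by `spring-boot-starter-parent` 2.6.1; for a demo that is fine, but in a real build set the parent's `log4j2.version` property instead so all log4j modules move together. The comment "Last ossindex-maven-enforcer-rules 3.1.0 release works only with 3.0.0-M1" appears twice (above the plugin `<version>` and above the rules `<version>`); keep it once, at the rules dependency where the incompatibility lives.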
13 changes: 13 additions & 0 deletions src/main/java/com/example/demo/DemoApplication.java
@@ -0,0 +1,13 @@
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class DemoApplication {

public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}

}

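Review bot: this is the unmodified Spring Initializr stub and never references log4j, which is fine for the demo because BanVulnerableDependencies evaluates the resolved dependency graph rather than runtime usage, but a one-line comment would save readers from looking for the "vulnerable" code here. Note that `spring-boot-starter` already brings Logback via `spring-boot-starter-logging`, so `log4j-core` 2.15.0 sits on the classpath without being the active logging backend; the enforcer rule is the only thing in this project that reacts to it.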