README.adoc

File metadata and controls

159 lines (111 loc) · 4.88 KB

victi.ms: Windup Rule That Detects Usage of Java Libraries Affected by CVE Security Vulnerabilities

Author: Ondra Zizka
Level: Intermediate
Summary: Windup rule that reports on use of Java libraries affected by CVE security vulnerabilities
Source: https://github.com/windup/windup-quickstarts/

What is it?

Java developers can easily incorporate third-party components and JARs into applications, exposing those applications to security vulnerabilities. victi.ms is a database of known vulnerable JAR files and Java artifacts affected by known CVE (Common Vulnerabilities and Exposures) issues.

This quickstart demonstrates advanced Ruleset authoring with interacting rules and an external dependency.

For more information, see:

These instructions use the following replaceable variables.

  • WINDUP_HOME: Replace this variable with the fully qualified path to your Windup installation.

  • QUICKSTART_HOME: Replace this variable with the fully qualified path to the root directory of this quickstart.

Review the Quickstart Code

The victi.ms quickstart contains the following rules.

  • CheckArchivesWithVictimsRules extends AbstractRuleProvider and implements the Victi.ms-related rules.

  • ComputeArchivesSHA512Rules extends IteratingRuleProvider and calculates a SHA-512 hash for each archive.

  • UpdateVictimsDbRules extends AbstractRuleProvider and implements the Victi.ms rules for updating the database and comparing archive hashes against it.

  • VictimsReportRules extends AbstractRuleProvider and creates a report for all the ignored files, including the regexes they were matched against.

The Windup JavaDoc is located here: http://windup.github.io/windup/docs/latest/javadoc/
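The detection idea behind these rules (hash each archive, look the hash up in a database of known-vulnerable artifacts, report the hits) can be seen in isolation in the following stand-alone script. It is an added example written for this page, not code from the quickstart or from Windup; it does not use the Windup rule API, and the database format, archive contents and CVE identifier (CVE-0000-00001) are constructed placeholders, not real victi.ms records.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List


def sha512_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the archive through SHA-512 so large JARs are never read whole into memory."""
    digest = hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_constructed_jar(path: Path, entries: Dict[str, bytes],
                          compression: int = zipfile.ZIP_DEFLATED) -> None:
    """Write a constructed sample archive. A JAR is a zip file, so a few fixed entries suffice.

    The timestamp is pinned so the archive bytes (and thus the hash) are reproducible.
    """
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(2000, 1, 1, 0, 0, 0))
            info.compress_type = compression
            zf.writestr(info, data)


def load_vulnerable_hashes(db_json: str) -> Dict[str, dict]:
    """Index a list of {name, version, hash, cves} records by lowercase SHA-512 hex.

    The record layout is a constructed stand-in, not the real victi.ms schema.
    """
    records = json.loads(db_json)
    return {rec["hash"].lower(): rec for rec in records}


def scan_archives(archives: Iterable[Path], index: Dict[str, dict]) -> List[dict]:
    """Hash every archive and report the ones whose hash appears in the database."""
    findings = []
    for archive in archives:
        digest = sha512_of_file(archive)
        record = index.get(digest)
        if record is not None:
            findings.append({
                "archive": archive.name,
                "sha512": digest,
                "library": f'{record["name"]} {record["version"]}',
                "cves": list(record["cves"]),
            })
    return findings


def demo() -> dict:
    """End-to-end run on three constructed archives: one listed, one clean, one repackaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        vulnerable = tmp_path / "sample-lib-1.0.jar"
        clean = tmp_path / "sample-lib-1.1.jar"
        repackaged = tmp_path / "sample-lib-1.0-repackaged.jar"

        # Constructed class-file bytes (a bare class-file header), not a real library.
        entries = {
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
            "com/example/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33",
        }
        build_constructed_jar(vulnerable, entries)
        # The "fixed" release differs by one byte in the class file.
        build_constructed_jar(clean, {**entries,
                                      "com/example/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34"})
        # Same entries as the vulnerable archive, but stored uncompressed: a rebuilt or
        # repackaged JAR has a different file hash even though the code is identical.
        build_constructed_jar(repackaged, entries, compression=zipfile.ZIP_STORED)

        # In a real deployment the hash comes from the vulnerability database; here the
        # sample database is seeded from the constructed archive so the example is self-contained.
        db_json = json.dumps([{
            "name": "sample-lib",
            "version": "1.0",
            "hash": sha512_of_file(vulnerable),
            "cves": ["CVE-0000-00001"],  # placeholder identifier, not a real CVE
        }])
        index = load_vulnerable_hashes(db_json)
        findings = scan_archives([vulnerable, clean, repackaged], index)
        return {
            "findings": findings,
            "matched_archives": sorted(f["archive"] for f in findings),
        }


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(f'{finding["archive"]}: {finding["library"]} affected by {", ".join(finding["cves"])}')
```

The repackaged archive in the demo is the caveat worth remembering when relying on whole-file hashes: a JAR that has been rebuilt, re-signed or shaded into another archive carries the same vulnerable classes but a different SHA-512, so exact-hash matching reports only archives that are byte-identical to what the database has seen.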

System requirements

The rule this project produces is designed to be run on Windup 2.x or later.

This project requires Java 7 (Java SDK 1.7) or later and Maven 3.0 or later.

Install Windup

If you have not installed Windup, follow the instructions here: Download and Install Windup.

Configure Maven

If you have not yet installed and configured Maven, follow the instructions here: Install and Configure Maven.

Build the Quickstart Rule Add-on

Before Windup can use this rule, it must be compiled and added to the local Maven repository.

  1. Open a command prompt and navigate to the QUICKSTART_HOME/rules-java/ directory.

  2. Type the following command to compile the quickstart and install it into the local Maven repository:

    mvn clean install

  3. You should see the message BUILD SUCCESS.

Add the Quickstart Rule to Windup

You add the rule to Windup using its Maven GAV (groupId, artifactId, and optional version), which is defined in the quickstart POM file. The command takes the following form:

WINDUP_HOME/bin/windup --install GROUP_ID:ARTIFACT_ID[,VERSION]

To find these values, open the QUICKSTART_HOME/pom.xml file. These values are located near the beginning of the file.

<groupId>org.jboss.windup.quickstarts</groupId>
<artifactId>windup-victims</artifactId>
<version>2.6.0-SNAPSHOT</version>

Follow these steps to add the rule to Windup.

  1. Open a command prompt and navigate to the WINDUP_HOME directory.

  2. Type the following command.

    bin/windup --install org.jboss.windup.quickstarts:windup-victims

  3. At the following prompt, choose Y.

    Confirm installation [Y/n]? Y

  4. You should see the following result.

    Installation completed successfully.

  5. Type exit to exit the Windup console.

Run the Arquillian Tests

This quickstart provides Arquillian tests.

  1. Open a command prompt and navigate to the QUICKSTART_HOME/rules-java/ directory.

  2. Type the following command to run the test goal.

    mvn clean test

  3. You should see the following results.

    Results :

    Tests run: 2, Failures: 0, Errors: 0, Skipped: 0

Remove the Quickstart Rule from Windup

You remove the rule from Windup using its Maven GAV (groupId, artifactId, and optional version).

The command takes the following form:

WINDUP_HOME/bin/windup --remove GROUP_ID:ARTIFACT_ID[,VERSION]

Follow these steps to remove the rule from Windup.

  1. Open a command prompt and navigate to the WINDUP_HOME directory.

  2. Type the following command.

    bin/windup --remove org.jboss.windup.quickstarts:windup-victims

  3. You should see the following response.

    ***SUCCESS*** Removed addons: org.jboss.windup.quickstarts:windup-victims