Author: Ondra Zizka
Level: Intermediate
Summary: Windup rule that reports on use of Java libraries affected by CVE security vulnerabilities
Source: https://github.com/windup/windup-quickstarts/
Java developers can easily incorporate third-party components and JARs into applications, exposing those applications to security vulnerabilities. Victi.ms is a database of known vulnerable JAR files and Java artifacts affected by known CVE (Common Vulnerabilities and Exposures) issues.

This quickstart demonstrates advanced ruleset authoring with interacting rules and an external dependency.
For more information, see:
These instructions use the following replaceable variables.

- `WINDUP_HOME`: Replace this variable with the fully qualified path to your Windup installation.
- `QUICKSTART_HOME`: Replace this variable with the fully qualified path to the root directory of this quickstart.
The victi.ms quickstart contains the following rules.

- `CheckArchivesWithVictimsRules` extends `AbstractRuleProvider` and implements the Victi.ms related rules.
- `ComputeArchivesSHA512Rules` extends `IteratingRuleProvider` and calculates a SHA-512 hash for each archive.
- `UpdateVictimsDbRules` extends `AbstractRuleProvider` and implements the Victi.ms rules for updating the database and comparing archive hashes against it.
- `VictimsReportRules` extends `AbstractRuleProvider` and creates a report for all the ignored files, including the regexes they were matched against.
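The hash-and-compare step that `ComputeArchivesSHA512Rules` and `UpdateVictimsDbRules` perform, shown as a stand-alone Python illustration added here (it is not code from the quickstart or from Windup): each archive is streamed through SHA-512 and the digest is looked up in a simplified, constructed victims-style table. The table shape, the two sample JARs and the CVE id placeholder are assumptions made for the example.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}


def sha512_of_file(path: Path) -> str:
    """Stream the whole archive through SHA-512, as the compute-hash rule does per archive."""
    digest = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_archives(root: Path, vulnerable: dict) -> dict:
    """Hash every archive under root and report those whose digest is in the vulnerable table."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            cves = vulnerable.get(sha512_of_file(path))
            if cves:
                findings[path.name] = cves
    return findings


def build_sample_archives(root: Path) -> dict:
    """Write two constructed JARs and return a simplified, constructed victims-style
    lookup (archive SHA-512 -> CVE ids) that lists only the first of them."""
    for name, payload in (("old-lib-1.0.jar", b"class A"), ("safe-lib-2.0.jar", b"class B")):
        with zipfile.ZipFile(root / name, "w") as zf:
            # Fixed timestamp so the archive bytes, and therefore the hash, are reproducible.
            info = zipfile.ZipInfo("com/example/Lib.class", date_time=(2015, 1, 1, 0, 0, 0))
            zf.writestr(info, payload)
    return {sha512_of_file(root / "old-lib-1.0.jar"): ["CVE-0000-0000 (placeholder id)"]}


def demo() -> dict:
    """Run the scan over the constructed archives; only old-lib-1.0.jar should be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return scan_archives(root, build_sample_archives(root))


if __name__ == "__main__":
    for archive, cves in demo().items():
        print(f"{archive}: SHA-512 matches a known-vulnerable artifact -> {', '.join(cves)}")
```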
The Windup JavaDoc is located here: http://windup.github.io/windup/docs/latest/javadoc/
The rule this project produces is designed to be run on Windup 2.x or later.
This project requires Java 7 (Java SDK 1.7) or later and Maven 3.0 or later.
If you have not installed Windup, follow the instructions here: Download and Install Windup.
If you have not yet installed and configured Maven, follow the instructions here: Install and Configure Maven.
Before Windup can use this rule, it must be compiled and added to the local Maven repository.

- Open a command prompt and navigate to the `QUICKSTART_HOME/rules-java/` directory.
- Type the following command to compile the quickstart and install it into the local Maven repository:

  ```
  mvn clean install
  ```

- You should see the message `BUILD SUCCESS`.
You add the rule to Windup using its Maven GAV (groupId, artifactId, and optional version), which is defined in the quickstart POM file. The command takes the following form:

```
WINDUP_HOME/bin/windup --install GROUP_ID:ARTIFACT_ID[,VERSION]
```

To find these values, open the `QUICKSTART_HOME/pom.xml` file. These values are located near the beginning of the file.

```xml
<groupId>org.jboss.windup.quickstarts</groupId>
<artifactId>windup-victims</artifactId>
<version>2.6.0-SNAPSHOT</version>
```
Follow these steps to add the rule to Windup.

- Open a command prompt and navigate to the `WINDUP_HOME` directory.
- Type the following command.

  ```
  bin/windup --install org.jboss.windup.quickstarts:windup-victims
  ```

- At the following prompt, choose `Y`.

  ```
  Confirm installation [Y/n]? Y
  ```

- You should see the following result.

  ```
  Installation completed successfully.
  ```

- Type `exit` to exit the Windup console.
This quickstart provides Arquillian tests.

- Open a command prompt and navigate to the `QUICKSTART_HOME/rules-java/` directory.
- Type the following command to run the test goal.

  ```
  mvn clean test
  ```

- You should see the following results.

  ```
  Results : Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
  ```
You remove the rule from Windup using its Maven GAV (groupId, artifactId, and optional version). The command takes the following form:

```
WINDUP_HOME/bin/windup --remove GROUP_ID:ARTIFACT_ID[,VERSION]
```

Follow these steps to remove the rule from Windup.

- Open a command prompt and navigate to the `WINDUP_HOME` directory.
- Type the following command.

  ```
  bin/windup --remove org.jboss.windup.quickstarts:windup-victims
  ```

- You should see the following response.

  ```
  ***SUCCESS*** Removed addons: org.jboss.windup.quickstarts:windup-victims
  ```