Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Maven owasp dep update #776

Merged
merged 4 commits into from
Apr 6, 2020
Merged

Maven owasp dep update #776

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
30ff6bf
add pmd and owasp dependency check through -P owasp profile
zubcevic Apr 3, 2020
69f5cea
suppress full stack trace in log
zubcevic Apr 3, 2020
0e031e0
revert to spring 2.2.0 as 2.2.4 failed in travis
zubcevic Apr 4, 2020
2d74cc1
added owasp dependency check maven configuration details to vulenerable
zubcevic Apr 5, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1,746 changes: 1,746 additions & 0 deletions pmd-ruleset.xml
View file
Open in desktop

Large diffs are not rendered by default.

97 changes: 84 additions & 13 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,6 @@
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<scope>provided</scope>
<version>${lombok.version}</version>
<optional>true</optional>
</dependency>
<dependency>
Expand All @@ -163,22 +162,50 @@
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.0</version>
</dependency>
</dependencies>

<build>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>11</source>
<target>11</target>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>3.1.0</version>
<configuration>
<encoding>UTF-8</encoding>
<consoleOutput>true</consoleOutput>
<failsOnError>true</failsOnError>
<configLocation>config/checkstyle/checkstyle.xml</configLocation>
<suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
</plugins>
</build>

<profiles>
<profile>
<id>defaultProfile</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
</profile>
<profile>
<id>owasp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler-plugin.version}</version>
<configuration>
<source>11</source>
<target>11</target>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
Expand All @@ -192,8 +219,52 @@
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.13.0</version>
<configuration>
<targetJdk>11</targetJdk>
<failurePriority>1</failurePriority><!-- 5 means fail even on the lowest
priority, 0 means never fail -->
<rulesets>
<ruleset>${maven.multiModuleProjectDirectory}/pmd-ruleset.xml</ruleset>
</rulesets>
<failOnViolation>true</failOnViolation>
<printFailingErrors>true</printFailingErrors>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope>
<suppressionFiles>
<suppressionFile>project-suppression.xml</suppressionFile>
</suppressionFiles>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

<repositories>
<repository>
Expand Down
40 changes: 40 additions & 0 deletions project-suppression.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring framework.
]]></notes>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cve>CVE-2020-5398</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring framework.
]]></notes>
<cpe>cpe:/a:redhat:undertow</cpe>
<cve>CVE-2019-14888</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring framework.
]]></notes>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress base="true">
<cpe>cpe:/a:jruby:jruby</cpe>
<cve>CVE-2018-1000613</cve>
<cve>CVE-2018-1000180</cve>
<cve>CVE-2017-18640</cve>
<cve>CVE-2011-4838</cve>
</suppress>
<suppress base="true"><!-- vulnerable components lesson -->
<cpe>cpe:/a:xstream_project:xstream</cpe>
<cve>CVE-2017-7957</cve>
<cve>CVE-2016-3674</cve>
</suppress>
<suppress base="true"><!-- webgoat-server -->
<cpe>cpe:/a:postgresql:postgresql</cpe>
<cve>CVE-2018-10936</cve>
</suppress>
</suppressions>
8 changes: 1 addition & 7 deletions webgoat-container/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<groupId>org.owasp.webgoat</groupId>
<name>webgoat-container</name>
<modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-container</artifactId>
Expand All @@ -18,7 +17,6 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<forkCount>0</forkCount>
<reuseForks>true</reuseForks>
Expand All @@ -30,7 +28,6 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
<executions>
<execution>
<goals>
Expand Down Expand Up @@ -88,7 +85,6 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>${commons-lang3.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
Expand All @@ -105,7 +101,6 @@
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<version>${hsqldb.version}</version>
</dependency>

<!-- ************* END spring MVC and related dependencies ************** -->
Expand All @@ -118,13 +113,12 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>4.1.3.RELEASE</version>
<!-- <version>4.1.3.RELEASE</version>-->
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<type>jar</type>
<scope>test</scope>
</dependency>
Expand Down
4 changes: 2 additions & 2 deletions webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,8 @@
@AllArgsConstructor
public class LessonProgressService {

private UserTrackerRepository userTrackerRepository;
private WebSession webSession;
private final UserTrackerRepository userTrackerRepository;
private final WebSession webSession;

/**
* Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
Expand Down
8 changes: 4 additions & 4 deletions webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ public class ReportCardService {
@GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
@ResponseBody
public ReportCard reportCard() {
ReportCard reportCard = new ReportCard();
final ReportCard reportCard = new ReportCard();
reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());

Expand All @@ -76,7 +76,7 @@ public ReportCard reportCard() {
reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
for (Lesson lesson : course.getLessons()) {
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
LessonStatistics lessonStatistics = new LessonStatistics();
final LessonStatistics lessonStatistics = new LessonStatistics();
lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
lessonStatistics.setSolved(lessonTracker.isLessonSolved());
Expand All @@ -87,7 +87,7 @@ public ReportCard reportCard() {

@Getter
@Setter
private class ReportCard {
private final class ReportCard {

private int totalNumberOfLessons;
private int totalNumberOfAssignments;
Expand All @@ -99,7 +99,7 @@ private class ReportCard {

@Setter
@Getter
private class LessonStatistics {
private final class LessonStatistics {
private String name;
private boolean solved;
private int numberOfAttempts;
Expand Down
2 changes: 1 addition & 1 deletion ...path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ public void initAssignment() {
try {
copy(getFile(getClass().getResource("/images/cats/" + i + ".jpg")), new File(catPicturesDirectory, i + ".jpg"));
} catch (Exception e) {
log.error("Unable to copy pictures", e);
log.error("Unable to copy pictures" + e.getMessage());
}
}
var secretDirectory = this.catPicturesDirectory.getParentFile().getParentFile();
Expand Down
53 changes: 52 additions & 1 deletion ...components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,58 @@

There are several open source and paid-for solutions that will identify risk in components. However, there are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk.

Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report:
Dependency check uses several pieces of evidence to determine the library names. You can add OWASP Dependency check as a plugin to the pom.xml of a Maven project for instance. The plugin will download information from public vulnerability databases and it will check if vulnerable libraries are used and will indicate which vulnerability was reported.

As part of a development pipeline, you can instruct the plugin to fail the build if there are violations that the development team was not aware of. Additionally you can use an xml file to waiver some of the violations. You should do so if the mentioned vulnerability cannot be exploited in your application.

In the parent pom.xml from WebGoat you can see an example:

[source,xml]
----
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope>
<suppressionFiles>
<suppressionFile>project-suppression.xml</suppressionFile>
</suppressionFiles>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
----

And also an example of the suppressed violations.

[source,xml]
----
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true">
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress base="true"><!-- webgoat-server -->
<cpe>cpe:/a:postgresql:postgresql</cpe>
<cve>CVE-2018-10936</cve>
</suppress>
</suppressions>
----

In the case of WebGoat, the plugin is activated when the following is run (owasp profile):

mvn clean install -Powasp

Below is a snippet of a report, which can be found in e.g. webgoat-container/target/dependency-check-report.html:

image::images/OWASP-Dep-Check.png[caption="Figure: ", title="WebGoat Bill of Materials", alt="BoM", width="988", height="515", style="lesson-image"]

Expand Down
2 changes: 0 additions & 2 deletions webgoat-server/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,6 @@
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.2.2</version>
</dependency>
</dependencies>

Expand Down Expand Up @@ -197,7 +196,6 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.1.2</version>
<executions>
<execution>
<phase>test-compile</phase>
Expand Down
Loading