Create PL/SQL script handling errors

Problem

The aim of this article is to create a shell script calling a pl/sql script. These two scripts should handle errors an generate logs.

Solution

This article will present the shell script and then the pl sql script.

1. The shell script

This shell script will show how to manage inputs, display information and handle errors from pl sql script.

dir=`pwd`
cd "$dir"

# Prints the usage
usage()
{
    printf "$0 -a input1 -b input2 \n"
    printf "Script called.\n"
    printf "\t-a input1\t: my first input\n";
    printf "\t-b input2\t: my second input\n";
    printf "\t-h\t\t: shows usage\n";
    printf "\n"
    exit 1;
}

# Processes the options on the command line
processInputs()
{

# user of the database
USER=user

# pass of the database
PASS=pass
# service can be found in tnsnames.ora
SERVICE=service

INPUT1=
INPUT2=
while getopts "a:b" name; do
      case $name in
      a) INPUT1=$INPUT1 ;;
      b) INPUT2=$INPUT2 ;;   
      h) usage ;;
      \?)  usage ;;
      esac
done


if [ -z "$INPUT1" ]; then
    printf "ERROR: input 1 is not specified\n"
    usage;
fi

if [ -z "$INPUT2" ]; then
    printf "ERROR: input 2 is not specified\n"
    usage;
fi

echo "call pl sql script"
sqlplus -S $USER/$PASS@$SERVICE @mypl_sql_script.sql
sql_return_code=$?

if [ $sql_return_code != 0 ]
then
echo "error in the script"
echo "Error code $sql_return_code"
exit 0;
fi
echo "call pl sql script finished"

}

processInputs "$@"

2. The pl sql script

This is a simple pl sql where a rollback is done if any errors occur. Also a log script is generated. This script is called by the previous shell script.


spool log.txt
set serveroutput on
VARIABLE  v_return_code number;
declare
    vrequest varchar2(1000);
    vrequestInsert varchar2(1000);

begin
	vrequest := 'SELECT * FROM CUSTOMER_USER WHERE NAME= ''john''';
       vrequestInsert := 'Insert into GROUP_USER (ID,VERSION,TYPE,NAME) values (''11'',''0'',''blah'',''admin'')';

execute immediate vrequestInsert ;
        execute immediate vrequest;
execute immediate vrequestInsert ;


       :v_return_code:=0;

     exception
     when others then
        dbms_output.put_line('KO - ' || vrequest || ' - ' || sqlerrm);  
        :v_return_code:=sqlerrm;

        ROLLBACK;
      
end;
/   
spool off

EXIT :v_return_code;

3. Some DDL Statements have auto commit after exceution

For some DDL statements the rollback mechanism does not work.

DDL statements do commit (ALTER/CREATE etc) and this will happen even if something failed. If you’re running EXECUTE IMMEDIATE like dynamic statement that runs a DDL, this will also commit your transaction.

https://stackoverflow.com/questions/18042589/pl-sql-auto-commit-on-execution

I would add that DROP as well does auto commit after execute immediate.

Advertisements

SSH connection from Jenkins

Problem

How to access remotely to a machine from jenkins without storing password ?

– We were using maven ssh plugin to remotely access a machine. However this solution was not satisfying because the password of the username was stored inside a file. We should not expose the password in a file.

Solution

The solution chosen is using the Credentials Jenkins plugin

Configure the job to pass the SSH private-key using an SSH agent

This allows the user to securely provide access to remote resources (using SSH authentication) without exposing the SSH private-key material to the job.

https://support.cloudbees.com/hc/en-us/articles/222121807-Using-an-SSH-agent-to-authenticate-SSH-connections

1. Create key private and key public :

In a linux machine , generate a key pair-value pulic and private , with the following command
ssh-keygen

It generates, in the folder .ssh, two files : id_rsa et id_rsa.pub
o Id_rsa is the private key , it should be added on Jenkins.
o Id_rsa.pub is the public key, it should be added on the distant server to be recognized by Jenkins.

2. Add the public key on the target distant server

We put the public key in the folder .ssh of the home of the user with wich we will access. It is added in the files called authorized_keys of the hidden folder “.ssh”

3. Add the private key in Jenkins

Go to manage Credentials and follow steps from here to add a username which can access the distant machine :

Select “SSH Username with private key”

https://support.cloudbees.com/hc/en-us/articles/222121807-Using-an-SSH-agent-to-authenticate-SSH-connections

4. Modify The build to allow SSH Agent

Choose the username you will like to use to access to the distant machine.

Summary

Following this, it is possible to access remotely with ssh from Jenkins with no login/password. It applied only to the machine which has username with public key in .ssh/authorized_keys folder.

Annex

Ssh Credentials Management :

https://support.cloudbees.com/hc/en-us/articles/222838288-SSH-Credentials-Management-with-Jenkins

CSRF prevention for Wicket

Introduction

This article will show you how to fix a CSRF vulnerability on a website built with Wicket framework. For simplicity this article will focus on fixing a CSRF vulnerability on one form only rather than all forms.

I already talked briefly about CSRF prevention here :
https://julienprog.wordpress.com/2017/08/01/what-is-the-difference-between-xss-and-csrf-vulnerabilities/

First of all i will talk about the CSRF prevention of the Wicket framework and then about the solution i chose based on this article :
https://dzone.com/articles/preventing-csrf-java-web-apps

I would suggest to use Spring security to perform a global solution from the start : http://www.baeldung.com/spring-security-csrf

Is Wicket built-in CSRF prevention efficient ?

Wicket has some built-in listener to detect CSRF and cancelled request :

https://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.html

This solution checked if the origin of the request and the requested URL have the same domain. If it is not true then it is considered as a CSRF attack.
Few problems with this solution:

  • Legitimate request from the same domain can be considered as a CSRF attack. For example the request url was like : example.com/sendform and referer/origin example.com .It seems because the two url are not identical it was considered as an attack.
  • To overcome this problem I allowed all the requested URL coming from the host domain to bypass the CSRF prevention :
    allowedaddAcceptedOrigin("example.com")
    

    I don’t like this solution because we desactivate CSRF prevention for the website domain. All POST/Ajax request are authorised from the website domain.
    Second problem is that i need to put the name of the domain in configuration file.

  • What if the sender does not have Origin/Referrer in the POST request? It happens some legitimate client do not have it. It is considered a CSRF attack in that case.


  • For all these reasons i gave up on the Wicket built-in CSRF prevention technique .

    Token CSRF prevention solution

    I started doing the classic token solution to prevent CSRF . I followed this principle :

    https://dzone.com/articles/preventing-csrf-java-web-apps
    Except in my case i applied anti CSRF measure only to one form. This solution can be improved with the previous article to make the solution more generic to all forms.
    This solution is decomposed like this :

  • Modification of the wicket form to add a anti CSRF token
  • Added a hidden field to the form to identify the form exactly.
  • Add the same anti CSRF token in HttpRequest
  • Add a Filter in the application to filter every request of the form
  • 1. Modification of the wicket form to add a anti CSRF token

    I modified the wicket form to add hidden input “csrftoken”. The input hidden was created in Java in the same time as the token CSRF in HttpRequest. Therefore i skipped the class LoadSalt from the previous article.

    I modified a Wicket form based on this link :
    http://apache-wicket.1842946.n4.nabble.com/Implementing-a-SecureForm-to-avoid-CSRF-attacks-td4666175.html

    public class SecureForm<T> extends Form<T> { 
    ...
    
    private static final String TOKEN_NAME = "SECURE_FORM_TOKEN";
            private static final String TOKEN_CSRF_SESSION = "tokenCSRF";
            private String token;
            
            @Override
            protected void onBeforeRender() {
                super.onBeforeRender();
                this.token = UUID.randomUUID().toString();
            }
            
            @Override
            public void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
                // render the hidden field
                if (isRootForm()) {
                    AppendingStringBuffer buffer = new AppendingStringBuffer(
                            "<div style=\"display:none\"><input type=\"hidden\" name=\"");
                    buffer.append(TOKEN_NAME)
                            .append("\" id=\"")
                            .append(TOKEN_NAME)
                            .append("\" value=\"")
                            .append(token)
                            .append("\" /></div>");
                    getResponse().write(buffer);
                }
                
                // CRF prevention applied to only one form "SpecificForm"
                if(panelConf.isSpecificForm())) {
                       
                       String identifyForm = "identifyForm";
                       AppendingStringBuffer buffer = new AppendingStringBuffer(
                                "<div style=\"display:none\"><input type=\"hidden\" name=\"");
                        buffer.append(identifyForm)
                                .append("\" id=\"")
                                .append(identifyForm)
                                .append("\" value=\"")
                                .append(identifyForm)
                                .append("\" /></div>");
                        getResponse().write(buffer);
                }    
                
                HttpServletRequest request = ((HttpServletRequest) getRequest().getContainerRequest());
                <strong>request.getSession().setAttribute(TOKEN_CSRF_SESSION, this.token);</strong>
    
                // do the rest of the processing
                super.onComponentTagBody(markupStream, openTag);
            }
    
  • As you can in the previous code I have added a hidden field “identifyForm” to the form to identify it uniquely. It will be used later on in the filter class in order to apply CSRF prevention only to this form.
  • I have added the anti CSRF token in HttpRequest at the following line
    request.getSession().setAttribute(TOKEN_CSRF_SESSION, this.token);
    

    This token has also been added in the hidden field SECURE_FORM_TOKEN

  • 2. Add a Filter in the application to filter every request of the form

    My second task was to add filter similar to ValidateSalt of dzone link. Because the CSRF protection is on one form only, i have to check that a request was sent for the specific form before checking csrf token.

    
    public class ValidateSalt implements Filter  {
    	
    	private static final Logger LOG = LoggerFactory.getLogger(ValidateSalt.class.getName());
    	private static final String TOKEN_NAME = "SECURE_FORM_TOKEN";
    	private static final String TOKEN_CSRF_SESSION = "tokenCSRF";
    	
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
    
            // Assume its HTTP
            HttpServletRequest httpReq = (HttpServletRequest) request;
    
            // Get the salt sent with the request
            String sessionTokenCSRF = (String) httpReq.getSession().getAttribute(TOKEN_CSRF_SESSION);
            LOG.debug("tokenCSRF : " + sessionTokenCSRF);
            
            String token =(String) httpReq.getParameter(TOKEN_NAME);
            LOG.debug("token : " + token);
    
            
            String identifyForm= (String) httpReq.getParameter("identifyForm");
            LOG.debug("identifyForm: " + identifyForm);
    
    
            if(identifyForm!= null) {
    	        if (sessionTokenCSRF != null &&
    	        		token != null && token.equals(sessionTokenCSRF)){
    
    	            chain.doFilter(request, response);
    	        } else {
    	        	LOG.error("Potential CSRF detected!! Inform a scary sysadmin ASAP.");
    	            // Otherwise we throw an exception aborting the request flow
    	            HttpServletResponse httpResponse = (HttpServletResponse) response;
    	            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
    	        }
            } else {
            	chain.doFilter(request, response);
            }
            
        }
    
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }
    
        @Override
        public void destroy() {
        }
    
    

    In this example, first i check if the request contain the identity of the form. Then i checked for the CSRF token.

    I have also modified web.xml to add the filter :

      <!-- Filter Example 1 -->
      <filter> 
        <filter-name>ValidateSalt</filter-name>
        <filter-class>com.acme.filter.ValidateSalt</filter-class> 
      </filter> 
      <filter-mapping> 
        <filter-name>ValidateSalt</filter-name>
        <url-pattern>/root/forms/*</url-pattern> 
      </filter-mapping> 
      <!-- end Filter Example 1 -->
    

    How to test for CSRF vulnerability ?

    First of all authenticate into you webapp, then execute a form of your webapp within a html file. The html file contains a copy of the form you want to test. The execution of the html file should fail if there is a CSRF prevention. Example of html file :

    <html>
    <body onload='document.CSRF.submit()'>
    <meta charset="utf-8"/>
    <form action='http://example.com/forms/myform' method='POST' name='CSRF'>
    	<input type='hidden' name='id' value=''>
    	<input type='hidden' name='identifyForm' value='identifyForm'>
    	<input type='hidden' name='variable1' value='0'>	
    	<input type='hidden' name='variable2' value='1'>	
    	<input type="buttonSearch" value="Submit">
    </form>
    
    </body>
    </html>
    
    

    I put a link to owasp testing here :
    https://julienprog.wordpress.com/2017/08/01/what-is-the-difference-between-xss-and-csrf-vulnerabilities/

    Create Unit Test for Drools Ruleflow

    Introduction

    Drools is a Business Rules Management System (BRMS) solution. For more information :
    https://www.drools.org/learn/documentation.html

    The aim of this article will provide information how to realize a Unit test of drools ruleflow using Junit.

    Create a ruleflow

    This link will show you how to create a ruleflow with Drools : https://access.redhat.com/documentation/en-US/JBoss_Enterprise_SOA_Platform/4.3/html/JBoss_Rules_Reference_Guide/ch05s08s03.html

    Let’s say the ruleflow name is “my_basic_ruleflow.rf”. The processName is my_basic_ruleflow.

    Create your Unit Test

    This is a simple Junit Test to launch the processName “my_basic_ruleflow”.
    It will launch the ruleflow and executes all part of the ruleflow.

    
    import org.drools.SystemEventListenerFactory;
    import org.drools.agent.KnowledgeAgent;
    import org.drools.agent.KnowledgeAgentConfiguration;
    import org.drools.agent.KnowledgeAgentFactory;
    import org.drools.definition.KnowledgePackage;
    import org.drools.io.ResourceChangeScannerConfiguration;
    import org.drools.io.ResourceFactory;
    import org.drools.logger.KnowledgeRuntimeLogger;
    import org.drools.logger.KnowledgeRuntimeLoggerFactory;
    import org.drools.runtime.StatefulKnowledgeSession;
    
    public class TestRuleflow {
    
        @Test
        public void TestSimpleRuleflow() {
            try {
                init(); 
    
                final StatefulKnowledgeSession session = kagent.getKnowledgeBase().newStatefulKnowledgeSession();
                String processName = "my_basic_ruleflow";
                session.startProcess(processName);
                session.fireAllRules();
    
         } catch (Exception e) {
                LOG.fatal("Exception : " + e);
         }
    }
    

    The function init() will set properties and load drl and ruleflows. This function will also scan for files and directories with a specific interval.

    
       public final void init() {
            SystemEventListenerFactory.setSystemEventListener(new Log4jSystemEventListener());
    
            try {
    
                final ResourceChangeScannerConfiguration scannerConf = ResourceFactory.getResourceChangeScannerService().newResourceChangeScannerConfiguration();
                scannerConf.setProperty("drools.resource.scanner.interval", scanInterval);
                ResourceFactory.getResourceChangeScannerService().configure(scannerConf);
    
                final KnowledgeAgentConfiguration agentconf = KnowledgeAgentFactory.newKnowledgeAgentConfiguration();
    
                agentconf.setProperty("drools.agent.scanDirectories", "true");
                agentconf.setProperty("drools.agent.newInstance", "true");
                agentconf.setProperty("drools.agent.scanResources", "true");
                agentconf.setProperty("drools.agent.monitorChangeSetEvents", "true");
    
                kagent = KnowledgeAgentFactory.newKnowledgeAgent("my_appli", aconf);
                String configurationName = "file_rules.xml";
    
    kagent.applyChangeSet(ResourceFactory.newClassPathResource(configurationName));
    
            } catch (Exception e) {
                LOG.error("Error");
            }
        }
    }
    

    The configuration file_rules.xml contains all the drl,functions and ruleflows. This configuration example is used only for our unit tests.

    
    
    	
    
     		
     			
     		 	
     		
     		
    
          
    
    

    In production environement we use a PKG ressource. Essentially it is an archive containing all files (DRl,RF,function,etc…).

         
    

    Session ID in the URL : is it a vulnerability ?

    Problem

    I noticed at authentication of several JAVA web applications, the Session ID attached at the url like this http://mywebsite.com/function?value=blah&jsessionid=fgd457dfsd7sde4g4df…

    When first authenticated, the website reveals in the URL a sensitive information “the session ID”. This is a security risk according to OWASP reference.
    http://owasp-aasvs.readthedocs.io/en/latest/requirement-3.6.html
    Indeed if an attacker get the session ID it can lead to the vulnerability of session fixation.

    Scanner like Acunetix will detect is as a security risk too:
    https://www.acunetix.com/vulnerabilities/web/session-token-in-url

    Why the session id is passed to the URL ?

    According to this post, it is by design of JavaEE:

    This isn’t a bug, it’s by design. When a new session is created, the server isn’t sure if the client supports cookies or not, and so it generates a cookie as well as the jsessionid on the URL. When the client comes back the second time, and presents the cookie, the server knows the jsessionid isn’t necessary, and drops it for the rest of the session. If the client comes back with no cookie, then the server needs to continue to use jsessionid rewriting.
    You may not explicitly use cookies, but you do implicitly have a session, and the container needs to track that session.

    https://stackoverflow.com/questions/4079378/why-is-my-session-id-in-my-url

    What is a Session Fixation ?

    Session Fixation is an attack that permits an attacker to hijack a valid user session.
    https://www.owasp.org/index.php/Session_fixation

    This vulnerability is part of Top 10 2013-A2-Broken Authentication and Session Management

    How to test for Session Fixation ?

    https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)

    What is a Session ?

    HTTP protocol and Web Servers are stateless, what it means is that for web server every request is a new request to process and they can’t identify if it’s coming from client that has been sending request previously.

    But sometimes in web applications, we should know who the client is and process the request accordingly. For example, a shopping cart application should know who is sending the request to add an item and in which cart the item has to be added or who is sending checkout request so that it can charge the amount to correct client.

    http://www.journaldev.com/1907/java-session-management-servlet-httpsession-url-rewriting

    This is a link to Servlet specification to understand better the session scope in Java :
    https://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

    SRV.7.3 Session Scope
    HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

    Solution

    Validate Session Id on server side
    For sometimes i thought that cookies or hidden input fields is the solution against the “session ID” in the url. According to the link below it is a limited solution. Even if it is hard to copy paste cookies and hidden fields it is still possible to retrieve the Session ID information with special tools on unencrypted website.

    Depending of the website it is possible that the sessionId on the URL is not a security risk. If the web application is well designed and the session ID is validated on server side, this is not a problem :
    https://security.stackexchange.com/questions/14093/why-is-passing-the-session-id-as-url-parameter-insecure

    The best practice , in all case is to validate on the server side.
    Other solutions are possible : https://en.wikipedia.org/wiki/Session_fixation

    Use Filter to get rid of Session ID in URL

    Here is an example of using a Filter to get rid of session Id in the URL :
    https://stackoverflow.com/questions/1045668/jsessionid-is-occurred-in-all-urls-which-are-generated-by-jstl-curl-tag/4019476#4019476

    I believe this solution is not necessary if good validation of session ID is done on the server Side.

    Spring Security Framework

    Probably the best solution for JavaEE is to use well tested framework like spring security framework. It is also a default security against other common vulnerabilities.
    The authentication form using spring security provide high security against common vulnerabilities :
    http://docs.spring.io/spring-security/site/docs/current/guides/html5//helloworld-javaconfig.html

    The SecurityConfig will:

    Require authentication to every URL in your application

    Generate a login form for you

    Allow the user with the Username user and the Password password to authenticate with form based authentication

    Allow the user to logout

    CSRF attack prevention

    Session Fixation protection

    Security Header integration

    HTTP Strict Transport Security for secure requests

    X-Content-Type-Options integration

    Cache Control (can be overridden later by your application to allow caching of your static resources)

    X-XSS-Protection integration

    X-Frame-Options integration to help prevent Clickjacking

    Integrate with the following Servlet API methods

    HttpServletRequest#getRemoteUser()

    HttpServletRequest.html#getUserPrincipal()

    HttpServletRequest.html#isUserInRole(java.lang.String)

    HttpServletRequest.html#login(java.lang.String, java.lang.String)

    HttpServletRequest.html#logout()

    What is the difference between XSS and CSRF vulnerabilities ?

    To sum up ,the vulnerability CSRF allows an attacker to use existing functionalities of a web application. In a bank application , an attacker could force a customer to use the existing feature of transferring money to “attacker’s account”.

    In other hand XSS vulnerability allow an attacker to “create new functionalities” on the website using Javascript code :

  • Deface the website
  • Send cookies information to an attacker’s website


  • More detailed explanation of the differences :

    Fundamental difference is that CSRF (Cross-site Request forgery) happens in authenticated sessions when the server trusts the user/browser, while XSS (Cross-Site scripting) doesn’t need an authenticated session and can be exploited when the vulnerable website doesn’t do the basics of validating or escaping input.

    https://www.quora.com/What-is-the-difference-between-XSS-and-CSRF-from-their-execution-perspective

    Owasp made a top-10 of the most common vulnerabilities in web applications.This classification did not change from 2013 to 2017.

  • XSS corresponds to A3 – Cross-site scripting
  • CSRF corresponds to A8- Cross-site request forgery
  • https://www.owasp.org/index.php/Top_10_2013-Top_10

    CSRF prevention

    Basically one solution against this attack is to append a unique identifier to the POST form and let the server verify the identifier. POST form request is usually used to modify data. That’s usually what attacker will try to use when exploiting CSRF vulnerability. GET requests are normally used to retrieve information.

    In Java the framework Spring Security used an unique identifier as anti CSRF technique : https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

    How to test for CSRF vulnerability ?

    https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)

    XSS types

    XSS happens when we don’t escape characters and validate input .Typically this vulnerability allows an attacker to send input with the intention to retrieve sensitive information(for example cookie) from the website.

    There are different types of XSS attacks :

  • Stored XSS attacks
  • Reflected XSS attack
  • Stored XSS attacks

    This is the worse XSS vulnerability to have on one website. Indeed if the malicious javascript code is stored in the database, potentially this malicious code could be executed in different webpages of the website.

    Reflected XSS attack

    It is very similar to a stored XSS attack except the malicious code is not stored. The malicious code can be executed on the web browser.

    How to test for XSS vulnerability ?

    Test Reflected XSS attack
    In the following example i have added some Javascript code into the input “info”.If the cookie is written back to the screen , this website is sensitive to XSS attack :

    function.do?info=blah<script>alert(document.cookie)</script>
    

    https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

    Test Stored XSS attack
    This webpage explained how to test a website for stored XSS vulnerability.
    https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)

    XSS prevention

    Basically input should be checked for special characters. Input should be validated and verified.

  • One solution is to use Regex to escape characters.
  • Another solution is to use existing libraries to avoid XSS. In Java ESAPI seems like a robust library : https://github.com/esapi/esapi-java-legacy
  • How to avoid XSS and allow HTML tags with javascript :
    https://stackoverflow.com/questions/19824338/avoid-xss-and-allow-some-html-tags-with-javascript/19943011#19943011

    Detailed XSS Explanation

    There are many websites explaining in details XSS attacks. This one explained in details the scenarios of attacks :
    https://excess-xss.com/.

    This other website gives an overview of the difference between the XSS types
    http://deadlytechnology.com/web-development/xss/

    Framework Gwt offers some protection

    On one application ,the scanner Zap Proxy did not found any of these vulnerabilities(XSS-CSRF). This webapp used the framework Gwt. By default it has limited protection against these vulnerabilities. But it is possible to test Gwt more in depth for vulnerabilities with this tool : https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset

    How to verify your java libraries have known security vulnerabilities ?

    A maven plugin can check you Java libaries for known vulnerabilities. It is called dependency-check-maven.

    The OWASP Dependency Check utility uses NIST’s National Vulnerability Database (NVD) to identify the vulnerable dependencies, so the list is always up-to-date.

      <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>1.4.4</version>
                    <configuration>
                        <skip>false</skip>
                        <skipTestScope>false</skipTestScope>
                        <skipProvidedScope>false</skipProvidedScope>
                        <skipRuntimeScope>false</skipRuntimeScope>
                    </configuration>
                    <executions>
                        <execution>
                            <goals>
                                <goal>check</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
    

    https://blog.lanyonm.org/articles/2015/12/22/continuous-security-owasp-java-vulnerability-check.html

    Requirements

    You will need the following to use Owasp Maven dependency Check.

  • Maven version superior to 3.1
  • Tips to quickly check only some libraires

    Let’s say you can not compile all the project because some jars/files are missing. Then you cannot use the plugin immediately. You need to compile the project first. If you don’t need to compile the project entirely, you can just create a simple pom with all dependencies to check.

    Example :

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    
    	<groupId>com.mytest.framework</groupId>
    	<artifactId>mytestframe</artifactId>
    	<packaging>pom</packaging>
    	<name>com.mytest.framework.mytestframe</name>
    	<version>1.0.0-SNAPSHOT</version>
    		
    	<properties>
    		<spring.version>1.0.0.RELEASE</spring.version>
            </properties>
    
    
    	<build>
    		<pluginManagement>
    			<plugins>
    				
    				  <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>1.4.4</version>
                    <configuration>
                        <skip>false</skip>
                        <skipTestScope>false</skipTestScope>
                        <skipProvidedScope>false</skipProvidedScope>
                        <skipRuntimeScope>false</skipRuntimeScope>
                    </configuration>
                    <executions>
                        <execution>
                            <goals>
                                <goal>check</goal>
                            </goals>
                        </execution>
                    </executions>
                   </plugin>
                          </plugins>
            </pluginManagement>
             </build>
    
           <dependencies>
    	   <dependency>
    		<groupId>org.springframework</groupId>
    		<artifactId>spring-webmvc</artifactId>
    		<version>${spring.version}</version>
    	  </dependency>
           </dependencies>
    </project>
    
    

    Check maven dependencies with this command :

    mvn dependency-check:check
    

    Reporting

    Check the link above to use reporting for your continuous integration. Otherwise here is an example of reporting once you launch the maven plugin :

    One or more dependencies were identified with known vulnerabilities in my_project:
     
    logback-core-1.1.3.jar (ch.qos.logback:logback-core:1.1.3, cpe:/a:logback:logback:1.1.3) : CVE-2017-5929
    commons-collections-3.2.1.jar (commons-collections:commons-collections:3.2.1, cpe:/a:apache:commons_collections:3.2.1) : CVE-2015-6420

    Troubleshooting

    If you have the following error

    -Dmaven.multiModuleProjectDirectory system property is not set
    

    then you need to modify the java configuration like this in eclipse :owasp_check_maven