cve-reporter-core

Building blocks to report vulnerabilities found in projects contained in a repository.

It currently supports only GitLab and local repositories, Maven projects and the GitLab advisory database.
But the architecture of the project allows adding more repositories (GitHub, SVN, etc.), build engines (Gradle) and vulnerability databases.

Why this project?

When the Log4J Shell vulnerability was discovered, I was responsible for more than a hundred projects in a company that uses a private GitLab repository.
I wondered how to list all my impacted projects.
Of course, if I had followed best practices, I would have had a pipeline for all my projects with dependabot running on them. But nobody's perfect ;-)

So, I could have created a GitLab CI script in all of my projects to run dependabot. And maybe missed some projects ... and for sure left the vulnerability exposed for a while (until I had created all my scripts).
I also wondered how I could help my colleagues ... without touching their projects?

Finally, I found the fastest way was to have an application that lists all the vulnerability occurrences found in one's projects. Each owner is then free to fix them ... or not.
As I did not find such an application, I decided to create one in my free time.

How to use it

Prerequisites:

  • This library requires Java 8+.
  • For Maven support: Maven has to be installed on the machine that runs this library. The user's settings.xml should be configured to access the artifact repository (Maven Central or your company's private repository). You can check that Maven is correctly installed with the mvn -version command.

Create and run a Java program using this library.

If you use Maven as your build engine, add this dependency to your pom:

<dependency>
	<groupId>com.fathzer</groupId>
	<artifactId>cve-reporter-core</artifactId>
	<version>2.0.2</version>
</dependency>

Here is an example that lists all Maven projects of your GitLab repository that are affected by a vulnerability referenced in the GitLab advisory database.

import java.io.IOException;
import java.net.Proxy;
import java.util.List;

import com.fathzer.cvereporter.CVEReporter;
import com.fathzer.cvereporter.builder.MavenEngine;
import com.fathzer.cvereporter.cve.DataBase;
import com.fathzer.cvereporter.cve.GitLabAdvisoryDatabase;
import com.fathzer.cvereporter.repository.GitLabRepository;
import com.fathzer.cvereporter.ProjectCVEReport;

public class Reporter {
	public static void main(String[] args) throws IOException {
		// Obtain the gitlab instance's URI and user's token using ... what you want (env variable, argument ...)
		final String gitlabUri = ""; //TODO
		final String token = ""; //TODO
		final GitLabRepository codeRepo = new GitLabRepository(gitlabUri, token);
		try (DataBase db = GitLabAdvisoryDatabase.fromURI(Proxy.NO_PROXY, GitLabAdvisoryDatabase.SOURCE)) {
			final List<ProjectCVEReport> reports = new CVEReporter(codeRepo, new MavenEngine(codeRepo), db).getReports();
			// Do what you want with the reports (example: list projects affected by vulnerabilities)
			reports.stream().filter(r -> r.getAlerts()!=null && !r.getAlerts().isEmpty()).forEach(r -> System.out.println(r.getProject().getPath()));
		}
	}
}

But you may also want to test your local projects against a small set of CVEs.
Here is an example that lists all Maven projects of your local repository that are affected by the Log4J Shell vulnerability, excluding test dependencies.

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

import com.fathzer.cvereporter.CVEReporter;
import com.fathzer.cvereporter.builder.MavenEngine;
import com.fathzer.cvereporter.common.Artifact;
import com.fathzer.cvereporter.common.VersionRange;
import com.fathzer.cvereporter.cve.CVE;
import com.fathzer.cvereporter.cve.DataBase;
import com.fathzer.cvereporter.repository.CodeRepository;
import com.fathzer.cvereporter.repository.LocalRepository;
import com.fathzer.cvereporter.ProjectCVEReport;

public class Log4JShellReporter {
	private static final CVE LOG4J_SHELL = new CVE("CVE-2021-44228", new Artifact("org.apache.logging.log4j", "log4j-core"), new VersionRange("[2.0,2.12.2),[2.13.0,2.16.0)"), "Log4JShell");

	public static void main(String[] args) throws IOException {
		// Obtain the local repository root path using ... what you want (env variable, argument ...)
		final Path root = Paths.get("..."); //TODO
		final CodeRepository codeRepo = new LocalRepository(root);
		try (DataBase db = new DataBase()) {
			db.add(LOG4J_SHELL);
			final CVEReporter reporter = new CVEReporter(codeRepo, new MavenEngine(codeRepo), db);
			reporter.setIgnoreTestDependencies(true);
			final List<ProjectCVEReport> reports = reporter.getReports();
			// Do what you want with the reports
			// For instance, you can serialize the reports as Json using jackson-databind.
		}
	}
}

There's also a SingleProjectRepository if you want to test only a single project, for instance in a JUnit test.
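As an added example (not code from this project's README), here is a JUnit 5 test that turns the library into a build gate: it checks the current project against the same Log4J Shell CVE definition as the example above and fails the build, naming the affected project, if a non-test dependency falls in the vulnerable version range. It assumes that SingleProjectRepository takes the project's root path as its constructor argument (the README names the class but not its constructor) and that JUnit 5 is on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.io.IOException;
import java.nio.file.Paths;
import java.util.List;
import java.util.stream.Collectors;

import org.junit.jupiter.api.Test;

import com.fathzer.cvereporter.CVEReporter;
import com.fathzer.cvereporter.ProjectCVEReport;
import com.fathzer.cvereporter.builder.MavenEngine;
import com.fathzer.cvereporter.common.Artifact;
import com.fathzer.cvereporter.common.VersionRange;
import com.fathzer.cvereporter.cve.CVE;
import com.fathzer.cvereporter.cve.DataBase;
import com.fathzer.cvereporter.repository.CodeRepository;
import com.fathzer.cvereporter.repository.SingleProjectRepository;

/** Build gate: fails if this project pulls in a known vulnerable artifact. */
class VulnerableDependenciesTest {
	// Same CVE definition as the Log4JShellReporter example above.
	private static final CVE LOG4J_SHELL = new CVE("CVE-2021-44228",
			new Artifact("org.apache.logging.log4j", "log4j-core"),
			new VersionRange("[2.0,2.12.2),[2.13.0,2.16.0)"), "Log4JShell");

	@Test
	void projectIsNotAffectedByKnownCVEs() throws IOException {
		// ASSUMPTION: SingleProjectRepository wraps the single project rooted at the given path.
		// Maven runs tests from the project root, so "." is the project being built.
		final CodeRepository codeRepo = new SingleProjectRepository(Paths.get("."));
		try (DataBase db = new DataBase()) {
			db.add(LOG4J_SHELL);
			final CVEReporter reporter = new CVEReporter(codeRepo, new MavenEngine(codeRepo), db);
			// Test-scoped dependencies never ship, so they do not count against the gate.
			reporter.setIgnoreTestDependencies(true);
			final List<ProjectCVEReport> reports = reporter.getReports();
			final List<ProjectCVEReport> affected = reports.stream()
					.filter(r -> r.getAlerts() != null && !r.getAlerts().isEmpty())
					.collect(Collectors.toList());
			// Put the affected project paths in the failure message so the result is actionable.
			assertTrue(affected.isEmpty(), () -> "Vulnerable dependencies found in: "
					+ affected.stream().map(r -> r.getProject().getPath()).collect(Collectors.joining(", ")));
		}
	}
}
```

Because the database here holds only the CVEs you add to it, the gate checks exactly the advisories you care about and is deterministic across runs; swap the hand-built DataBase for GitLabAdvisoryDatabase.fromURI(...) as in the first example if you want the full advisory feed instead.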

TODO

  • Switch to a more modern HTTP client in order to handle proxy authentication safely?
  • Add Gradle support ... pull requests are welcome