
Support vulnerability listing for maven central repo artifacts #236

Closed
arajkumar opened this issue Sep 28, 2020 · 5 comments · Fixed by #329

Comments

@arajkumar (Contributor)

Maven is a package repository for Java.

The mvn tool which packs the maven projects usually adds metadata fields (dependency name, version) into `META-INF/maven/<groupId>/<artifactId>`, which could be found in every jar file.

There are two files within every maven jar which would give us the necessary information like package|version:

- `META-INF/maven/<groupId>/<artifactId>/pom.properties`
- `META-INF/maven/<groupId>/<artifactId>/pom.xml`

The pom.xml and pom.properties files are packaged up in the JAR so that each artifact produced by Maven is self-describing and also allows you to utilize the metadata in your own application if the need arises. One simple use might be to retrieve the version of your application. Operating on the POM file would require you to use some Maven utilities, but the properties can be utilized using the standard Java API and look like the following:

```properties
#Generated by Maven
#Tue Oct 04 15:43:21 GMT-05:00 2005
version=1.0-SNAPSHOT
groupId=com.mycompany.app
artifactId=my-app
```

Reference: https://maven.apache.org/guides/getting-started/#how-do-i-add-resources-to-my-jar

@arajkumar (Contributor, Author)

I would be happy to contribute if there are no concerns on this ask. @ldelossa @hdonnay

@ldelossa (Contributor)

@arajkumar does maven provide its own security db? If so can you link us to it?

This seems like a fine thing to do.

You will need to write a package scanner which finds and peeks into .jar files. IIRC jar is just a zip formatted archive so that seems fine.

Writing a parser for the xml items would be necessary.
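As an added illustration of the scanner described above (this is example code written for this page, not code from the issue, from claircore or from go-dep-parser): the jar is opened as the zip archive it is, every `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry is located and parsed, and each one yields a package/version pair that a matcher can look up. The sample jar is constructed in memory and mimics a shaded jar that bundles one dependency; the check that an entry's directory agrees with the coordinates it declares, and the read cap on each entry, are choices of mine, not requirements stated in the thread.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// MavenPackage is the identity recovered from one pom.properties entry.
type MavenPackage struct{ GroupID, ArtifactID, Version string }

// parseProperties reads the subset of the Java .properties format that Maven
// writes: '#'/'!' comment lines and key=value pairs (no escapes or continuations).
func parseProperties(r io.Reader) (map[string]string, error) {
	props := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == '!' {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return props, sc.Err()
}

// isPomProperties accepts exactly META-INF/maven/<groupId>/<artifactId>/pom.properties.
func isPomProperties(name string) bool {
	p := strings.Split(path.Clean(name), "/")
	return len(p) == 5 && p[0] == "META-INF" && p[1] == "maven" && p[4] == "pom.properties"
}

// ScanJar treats the jar as the zip archive it is and returns every package its
// pom.properties entries declare; a shaded jar yields one package per bundled dependency.
func ScanJar(r io.ReaderAt, size int64) ([]MavenPackage, error) {
	zr, err := zip.NewReader(r, size)
	if err != nil {
		return nil, err
	}
	var pkgs []MavenPackage
	for _, f := range zr.File {
		if !isPomProperties(f.Name) {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// pom.properties is a few hundred bytes; cap the read so a crafted archive
		// cannot make the scanner inflate an arbitrarily large entry (my choice).
		props, err := parseProperties(io.LimitReader(rc, 64<<10))
		rc.Close()
		if err != nil {
			return nil, err
		}
		pkg := MavenPackage{props["groupId"], props["artifactId"], props["version"]}
		// Maven derives the directory from the same coordinates: skip entries that are
		// incomplete or whose path disagrees with their contents (hand-edited or
		// repackaged metadata cannot be matched against an advisory reliably).
		dir := strings.Split(path.Clean(f.Name), "/")
		if pkg.Version == "" || dir[2] != pkg.GroupID || dir[3] != pkg.ArtifactID {
			continue
		}
		pkgs = append(pkgs, pkg)
	}
	return pkgs, nil
}

// buildSampleJar builds a small jar in memory (a constructed sample, not a real
// artifact): an app that shades one dependency, plus a decoy entry whose
// declared coordinates do not match its directory.
func buildSampleJar() []byte {
	entries := [][2]string{
		{"META-INF/maven/com.mycompany.app/my-app/pom.properties",
			"#Generated by Maven\n#Tue Oct 04 15:43:21 GMT-05:00 2005\nversion=1.0-SNAPSHOT\ngroupId=com.mycompany.app\nartifactId=my-app\n"},
		{"META-INF/maven/com.mycompany.app/my-app/pom.xml", "<project/>\n"},
		{"META-INF/maven/org.example/shaded-lib/pom.properties", "version=2.3.1\ngroupId=org.example\nartifactId=shaded-lib\n"},
		{"META-INF/maven/org.example/decoy/pom.properties", "version=9.9.9\ngroupId=org.example\nartifactId=something-else\n"},
		{"com/mycompany/app/App.class", "\xca\xfe\xba\xbe"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e[0]) // in-memory archive: Create and Write cannot fail here
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	data := buildSampleJar()
	pkgs, _ := ScanJar(bytes.NewReader(data), int64(len(data)))
	fmt.Println(pkgs) // [{com.mycompany.app my-app 1.0-SNAPSHOT} {org.example shaded-lib 2.3.1}]
}
```

The pom.xml entry is deliberately ignored: pom.properties already carries the three coordinates a matcher needs, and a full POM parser is only required when the properties file is missing. Note that both files are self-declared metadata written at build time; nothing in the archive proves the bytes next to them are the artifact they name, so results from this kind of scanner identify what a jar claims to contain.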

@arajkumar (Contributor, Author) commented Sep 28, 2020

> @arajkumar does maven provide its own security db? If so can you link us to it?

@ldelossa As of now my plan is to use the CRDA remote matcher for maven, similar to what we are trying for Python in #203.

But in the long run we have to plug it with NVD (CPE as matching criteria) for non-CRDA use cases (similar to https://github.com/jeremylong/DependencyCheck).

@ldelossa (Contributor)

Okay, just keep in mind that we are unable to support client notifications unless we index the database of vulnerabilities. Any CRDA-provided results will not provide notifications to clients when contents have changed (since we cannot detect the change).

arajkumar added a commit to arajkumar/claircore that referenced this issue Feb 22, 2021
Maven is a package repository for Java.

The mvn tool which packs the maven projects usually adds metadata fields (dependency name, version) into `META-INF/maven/<groupId>/<artifactId>`, which could be found in every jar file.

There are two files within every maven jar which would give us the necessary information like package|version:

```
META-INF/maven/<groupId>/<artifactId>/pom.properties
META-INF/maven/<groupId>/<artifactId>/pom.xml
```
>[1] The pom.xml and pom.properties files are packaged up in the JAR so that each artifact produced by Maven is self-describing and also allows you to utilize the metadata in your own application if the need arises. One simple use might be to retrieve the version of your application. Operating on the POM file would require you to use some Maven utilities but the properties can be utilized using the standard Java API and look like the following:

```
version=1.0-SNAPSHOT
groupId=com.mycompany.app
artifactId=my-app
```

[1] https://maven.apache.org/guides/getting-started/#how-do-i-add-resources-to-my-jar

Fixes quay#236

Signed-off-by: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
arajkumar added a commit to arajkumar/claircore that referenced this issue Feb 22, 2021
@arajkumar (Contributor, Author)

Trivy is using GitHub Advisory as a data source: https://github.com/advisories?query=ecosystem%3Amaven

GitLab also has a public security advisory database for maven: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/tree/master/maven

arajkumar added a commit to arajkumar/claircore that referenced this issue Mar 24, 2021
arajkumar added a commit to arajkumar/claircore that referenced this issue Apr 7, 2021
arajkumar added a commit to arajkumar/claircore that referenced this issue Apr 12, 2021
The mvn tool which packs the maven projects usually adds metadata fields (dependency name, version) into `META-INF/maven/<groupId>/<artifactId>`, which could be found in every jar file.

There are two files within every maven jar which would give us the necessary information like package|version:

```
META-INF/maven/<groupId>/<artifactId>/pom.properties
META-INF/maven/<groupId>/<artifactId>/pom.xml
```

>[1] The pom.xml and pom.properties files are packaged up in the JAR so that each artifact produced by Maven is self-describing and also allows you to utilize the metadata in your own application if the need arises. One simple use might be to retrieve the version of your application. Operating on the POM file would require you to use some Maven utilities but the properties can be utilized using the standard Java API and look like the following:

```
version=1.0-SNAPSHOT
groupId=com.mycompany.app
artifactId=my-app
```

[1] https://maven.apache.org/guides/getting-started/#how-do-i-add-resources-to-my-jar

github.com/aquasecurity/go-dep-parser/pkg/jar has been used to parse jar/war/ear files.

Fixes quay#236

Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com>
arajkumar added a commit to arajkumar/claircore that referenced this issue Apr 15, 2021
arajkumar added a commit to arajkumar/claircore that referenced this issue Apr 15, 2021
arajkumar added a commit to arajkumar/claircore that referenced this issue Apr 16, 2021
ldelossa pushed a commit that referenced this issue Apr 16, 2021