Support vulnerability listing for maven central repo artifacts #236
Comments
@arajkumar does maven provide its own security db? If so can you link us to it? This seems like a fine thing to do. You will need to write a package scanner which finds and peeks into .jar files. IIRC jar is just a zip formatted archive so that seems fine. Writing a parser for the xml items would be necessary.

@ldelossa As of now my plan is to use the CRDA remote matcher for maven, similar to what we are trying for Python in #203. But in the long run we have to plug it into NVD (CPE as matching criteria) for non-CRDA use cases (similar to https://github.com/jeremylong/DependencyCheck).

Okay, just keep in mind that we are unable to support client notifications unless we index the database of vulnerabilities. Any CRDA-provided results will not provide notifications to clients when contents have changed (since we cannot detect the change).
Maven is a package repository for Java. The mvn tool which packs the maven projects usually adds metadata fields (dependency name, version) into `META-INF/maven/<groupId>/<artifactId>` which could be found on every jar file. There are two files within every maven jar which would give us the necessary information like package|version:

```
META-INF/maven///pom.properties
META-INF/maven///pom.xml
```

> [1] The pom.xml and pom.properties files are packaged up in the JAR so that each artifact produced by Maven is self-describing and also allows you to utilize the metadata in your own application if the need arises. One simple use might be to retrieve the version of your application. Operating on the POM file would require you to use some Maven utilities but the properties can be utilized using the standard Java API and look like the following:
>
> ```
> version=1.0-SNAPSHOT
> groupId=com.mycompany.app
> artifactId=my-app
> ```

[1] https://maven.apache.org/guides/getting-started/#how-do-i-add-resources-to-my-jar

Fixes quay#236

Signed-off-by: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
Maven is a package repository for Java. The mvn tool which packs the maven projects usually adds metadata fields (dependency name, version) into `META-INF/maven/<groupId>/<artifactId>` which could be found on every jar file. There are two files within every maven jar which would give us the necessary information like package|version:

```
META-INF/maven///pom.properties
META-INF/maven///pom.xml
```

> [1] The pom.xml and pom.properties files are packaged up in the JAR so that each artifact produced by Maven is self-describing and also allows you to utilize the metadata in your own application if the need arises. One simple use might be to retrieve the version of your application. Operating on the POM file would require you to use some Maven utilities but the properties can be utilized using the standard Java API and look like the following:
>
> ```
> version=1.0-SNAPSHOT
> groupId=com.mycompany.app
> artifactId=my-app
> ```

[1] https://maven.apache.org/guides/getting-started/#how-do-i-add-resources-to-my-jar

github.com/aquasecurity/go-dep-parser/pkg/jar has been used to parse jar/war/ear files.

Fixes quay#236

Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com>
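An added example, not the PR's own code (which delegates to go-dep-parser), written in Go to match it: a minimal scanner that walks a jar's zip entries for `META-INF/maven/<groupId>/<artifactId>/pom.properties` and recovers the groupId/artifactId/version triple, the package|version identity the thread wants to match against an advisory database. The names `MavenCoord`, `ScanJar` and `parsePomProperties` are chosen here, and `SamplePomProperties` is a constructed copy of the file quoted in the commit message.

```go
package main

import (
	"archive/zip"
	"bufio"
	"io"
	"strings"
)

// MavenCoord is the package|version identity reported for one artifact found in a jar.
type MavenCoord struct{ GroupID, ArtifactID, Version string }

// SamplePomProperties is a constructed copy of the pom.properties quoted in the thread.
const SamplePomProperties = "#Generated by Maven\nversion=1.0-SNAPSHOT\ngroupId=com.mycompany.app\nartifactId=my-app\n"

// parsePomProperties reads key=value lines of a pom.properties file; '#' comment lines match no key.
func parsePomProperties(r io.Reader) (c MavenCoord) {
	fields := map[string]*string{"groupId": &c.GroupID, "artifactId": &c.ArtifactID, "version": &c.Version}
	for sc := bufio.NewScanner(r); sc.Scan(); {
		if k, v, ok := strings.Cut(sc.Text(), "="); ok {
			if p := fields[strings.TrimSpace(k)]; p != nil {
				*p = strings.TrimSpace(v)
			}
		}
	}
	return c
}

// ScanJar returns one coordinate per META-INF/maven/<groupId>/<artifactId>/pom.properties in an
// opened jar (a zip archive); shaded "fat" jars embed several. Entries are read through a size
// limit because the archive is untrusted input, and entries missing any of the three keys are
// skipped. The values are self-declared by whoever built the jar: they identify, not authenticate.
func ScanJar(zr *zip.Reader) ([]MavenCoord, error) {
	var out []MavenCoord
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/maven/") || !strings.HasSuffix(f.Name, "/pom.properties") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		c := parsePomProperties(io.LimitReader(rc, 64<<10)) // 64 KiB is ample for pom.properties
		rc.Close()
		if c.GroupID != "" && c.ArtifactID != "" && c.Version != "" {
			out = append(out, c)
		}
	}
	return out, nil
}
```

A war or ear nests jars inside the archive, so a production scanner recurses into embedded `.jar` entries as well; this block covers one archive level.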
Maven is a package repository for Java. The `mvn` tool which packs the maven projects usually adds metadata fields (dependency name, version) into `META-INF/maven/<groupId>/<artifactId>` which could be found on every jar file. There are two files within every maven jar which would give us the necessary information like `package|version`.

Reference: https://maven.apache.org/guides/getting-started/#how-do-i-add-resources-to-my-jar