├── .github
└── workflows
│ └── github-actions-test.yml
├── .gitignore
├── .mvn
└── wrapper
│ ├── maven-wrapper.jar
│ └── maven-wrapper.properties
├── CHANGES
├── LICENSE
├── README.md
├── mvn-repo
└── com
│ └── immomo
│ └── momosec
│ ├── maven-metadata.xml
│ ├── maven-metadata.xml.md5
│ ├── maven-metadata.xml.sha1
│ └── mosec-maven-plugin
│ ├── 1.0.10
│ ├── mosec-maven-plugin-1.0.10.jar
│ ├── mosec-maven-plugin-1.0.10.jar.md5
│ ├── mosec-maven-plugin-1.0.10.jar.sha1
│ ├── mosec-maven-plugin-1.0.10.pom
│ ├── mosec-maven-plugin-1.0.10.pom.md5
│ └── mosec-maven-plugin-1.0.10.pom.sha1
│ ├── 1.0.7
│ ├── mosec-maven-plugin-1.0.7.jar
│ ├── mosec-maven-plugin-1.0.7.jar.md5
│ ├── mosec-maven-plugin-1.0.7.jar.sha1
│ ├── mosec-maven-plugin-1.0.7.pom
│ ├── mosec-maven-plugin-1.0.7.pom.md5
│ └── mosec-maven-plugin-1.0.7.pom.sha1
│ ├── 1.0.8
│ ├── mosec-maven-plugin-1.0.8.jar
│ ├── mosec-maven-plugin-1.0.8.jar.md5
│ ├── mosec-maven-plugin-1.0.8.jar.sha1
│ ├── mosec-maven-plugin-1.0.8.pom
│ ├── mosec-maven-plugin-1.0.8.pom.md5
│ └── mosec-maven-plugin-1.0.8.pom.sha1
│ ├── 1.0.9
│ ├── mosec-maven-plugin-1.0.9.jar
│ ├── mosec-maven-plugin-1.0.9.jar.md5
│ ├── mosec-maven-plugin-1.0.9.jar.sha1
│ ├── mosec-maven-plugin-1.0.9.pom
│ ├── mosec-maven-plugin-1.0.9.pom.md5
│ └── mosec-maven-plugin-1.0.9.pom.sha1
│ ├── maven-metadata.xml
│ ├── maven-metadata.xml.md5
│ └── maven-metadata.xml.sha1
├── mvnw
├── mvnw.cmd
├── pom.xml
├── src
├── main
│ └── java
│ │ └── com
│ │ └── immomo
│ │ └── momosec
│ │ └── maven
│ │ └── plugins
│ │ ├── Constants.java
│ │ ├── HttpClientHelper.java
│ │ ├── MosecLogHelper.java
│ │ ├── MosecTest.java
│ │ ├── ProjectDependencyCollector.java
│ │ ├── Renderer.java
│ │ └── exceptions
│ │ ├── FoundVulnerableException.java
│ │ └── NetworkErrorException.java
└── test
│ ├── java
│ └── com
│ │ └── immomo
│ │ └── momosec
│ │ └── maven
│ │ └── plugins
│ │ ├── TestMosecTest.java
│ │ ├── TestProjectDependencyCollector.java
│ │ ├── TestRenderer.java
│ │ └── stubs
│ │ ├── MyTestProjectSettingsStub.java
│ │ ├── MyTestProjectStub.java
│ │ └── MyTestProjectSystemSessionStub.java
│ └── resources
│ ├── mockito-extensions
│ └── org.mockito.plugins.MockMaker
│ └── projects
│ ├── empty-dir
│ └── foo
│ ├── module-project
│ ├── dumpDepFile.txt
│ ├── moduleA
│ │ ├── moduleSubA
│ │ │ └── pom.xml
│ │ └── pom.xml
│ ├── moduleB
│ │ └── pom.xml
│ └── pom.xml
│ ├── valid-project
│ ├── failOnVulnWithFalsePom.xml
│ ├── failOnVulnWithTruePom.xml
│ ├── onlyAnalyzeWithEndpointPom.xml
│ ├── onlyAnalyzeWithoutEndpointPom.xml
│ └── pom.xml
│ └── vuln-project
│ └── pom.xml
└── static
├── remote-configuration.jpg
└── usage.jpg
/.github/workflows/github-actions-test.yml:
--------------------------------------------------------------------------------
1 | name: Maven Test
2 | on: [push]
3 | jobs:
4 | run_tests:
5 | runs-on: ubuntu-latest
6 | steps:
7 | - name: Checkout
8 | uses: actions/checkout@v2
9 | - name: Set up JDK 11
10 | uses: actions/setup-java@v2
11 | with:
12 | java-version: '11'
13 | distribution: 'adopt'
14 | - name: Run tests with Maen
15 | run: mvn -B test
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.class
2 |
3 | # Mobile Tools for Java (J2ME)
4 | .mtj.tmp/
5 |
6 | # Exclude mvn-repo
7 | !/mvn-repo
8 |
9 | # Package Files #
10 | *.war
11 | *.ear
12 |
13 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
14 | hs_err_pid*
15 |
16 | # Maven
17 | target/
18 | pom.xml.tag
19 | pom.xml.releaseBackup
20 | pom.xml.versionsBackup
21 | pom.xml.next
22 | release.properties
23 | dependency-reduced-pom.xml
24 | buildNumber.properties
25 | .mvn/timing.properties
26 |
27 | # Exclude maven wrapper
28 | !/.mvn/wrapper/maven-wrapper.jar
29 |
30 | **/.idea
31 | **/out/
32 | **/.idea_modules/
33 | *.iml
34 |
--------------------------------------------------------------------------------
/.mvn/wrapper/maven-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/.mvn/wrapper/maven-wrapper.jar
--------------------------------------------------------------------------------
/.mvn/wrapper/maven-wrapper.properties:
--------------------------------------------------------------------------------
1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
2 |
--------------------------------------------------------------------------------
/CHANGES:
--------------------------------------------------------------------------------
1 | Changelog
2 |
3 | =========
4 |
5 | Version 1.0.10
6 |
7 | - feature Add "result" to dump file after inspect
8 |
9 | Version 1.0.9
10 |
11 | - feature Add parent and modules fields to dump file
12 | - feature `-DonlyAnalyze` allow not have `endpoint`
13 | - bugfix Fix `-DoutputDepToFile` only dump last module dependencies bug
14 |
15 | Version 1.0.8
16 |
17 | - feature dump dependencies tree to file include / exclude scan result
18 | - upgrade upgrade org.apache.httpcomponents:httpclient to 4.5.13
19 |
20 | Version 1.0.7
21 |
22 | - bugfix NPE on outputDepToFile
23 | - feature only analyze mode
24 | - feature dump dependencies tree to file
25 |
26 | Version 1.0.6
27 |
28 | - feature change simple-json to gson
29 | - feature default not include provided scope dependencies
30 |
31 | Version 1.0.5
32 |
33 | - feature default BUILD FAIL when found vulnerable
34 |
35 | Version 1.0.4
36 |
37 | - feature BUILD FAIL when found vulnerable && parameter support
38 | - remove endpoint and includeProvidedDependencies parameters
39 |
40 | Version 1.0.3
41 |
42 | - feature throw MojoFailureException when Dependency Collection Error
43 |
44 | Version 1.0.2
45 |
46 | - feature warning detail add title and cve
47 |
48 | Version 1.0.1
49 |
50 | - feature add onlyProvenance parameter
51 | - feature add http timeout
52 |
53 | Version 1.0.0
54 |
55 | - Init
56 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | https://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 | Copyright 2020 momosecurity.
180 |
181 | Licensed under the Apache License, Version 2.0 (the "License");
182 | you may not use this file except in compliance with the License.
183 | You may obtain a copy of the License at
184 |
185 | http://www.apache.org/licenses/LICENSE-2.0
186 |
187 | Unless required by applicable law or agreed to in writing, software
188 | distributed under the License is distributed on an "AS IS" BASIS,
189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
190 | See the License for the specific language governing permissions and
191 | limitations under the License.
192 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # MOSEC-MAVEN-PLUGIN
2 |
3 | 用于检测maven项目的第三方依赖组件是否存在安全漏洞。
4 |
5 | 该项目是基于 [snyk-maven-plugin](https://github.com/snyk/snyk-maven-plugin.git) 的二次开发。
6 |
7 |
8 |
9 | ## 关于我们
10 |
11 | Website:https://security.immomo.com
12 |
13 | WeChat:
14 |
15 | 
16 |
17 |
18 |
19 | ## 版本要求
20 |
21 | Maven >= 3.1
22 |
23 |
24 |
25 | ## 安装
26 |
27 | #### 向pom.xml中添加plugin仓库 (项目级安装)
28 |
29 | ```xml
30 |
31 |
32 |
33 |
34 | gh
35 | https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/master/mvn-repo/
36 |
37 |
38 | ```
39 |
40 | #### 向maven配置中添加plugin仓库 (全局安装)
41 |
42 | ```xml
43 |
44 |
45 |
46 |
47 | com.immomo.momosec
48 |
49 |
50 |
51 |
52 | momo-plugin
53 |
54 |
55 | gh
56 | https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/master/mvn-repo/
57 |
58 |
59 |
60 |
61 |
62 |
63 | momo-plugin
64 |
65 | ```
66 |
67 |
68 |
69 | ## 使用
70 |
71 | 首先运行 [MOSEC-X-PLUGIN Backend](https://github.com/momosecurity/mosec-x-plugin-backend.git)
72 |
73 | #### 命令行使用
74 | ```
75 | > cd your_maven_project_dir/
76 |
77 | > MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
78 | mvn com.immomo.momosec:mosec-maven-plugin:1.0.7:test \
79 | -DonlyProvenance=true \
80 | -Dseverity=High
81 |
82 | // 或简化方式
83 |
84 | > MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
85 | mvn mosec:test -DonlyProvenance=true -Dseverity=High
86 | ```
87 |
88 | #### 项目中使用
89 |
90 | ```xml
91 |
92 |
93 |
94 |
95 | com.immomo.momosec
96 | mosec-maven-plugin
97 | 1.0.8
98 |
99 |
100 | test
101 |
102 | test
103 |
104 |
105 |
106 |
107 | http://127.0.0.1:9000/api/plugin
108 | High
109 | true
110 | true
111 |
112 |
113 |
114 | ```
115 |
116 |
117 |
118 | ## 帮助
119 |
120 | ```shell script
121 | > mvn mosec:help -Ddetail=true
122 |
123 | mosec:test
124 |
125 | Available parameters:
126 |
127 | endpoint
128 | 上报API
129 | User property: endpoint
130 |
131 | failOnVuln (Default: true)
132 | 发现漏洞即编译失败
133 | User property: failOnVuln
134 |
135 | includeProvidedDependency (Default: false)
136 | 是否包含Provided Scope依赖
137 | User property: includeProvidedDependency
138 |
139 | onlyAnalyze (Default: false)
140 | 仅分析依赖,不上报
141 | User property: onlyAnalyze
142 |
143 | onlyProvenance (Default: false)
144 | 仅检查直接依赖
145 | User property: onlyProvenance
146 |
147 | outputDepToFile (Default: )
148 | 输出依赖树到文件。设置-DonlyAnalyze=true仅输出依赖树,否则输出依赖树及漏洞检查结果
149 | User property: outputDepToFile
150 |
151 | severityLevel (Default: High)
152 | 威胁等级 [High|Medium|Low]
153 | User property: severity
154 | ```
155 |
156 |
157 |
158 | ## 使用效果
159 |
160 | 以 src/test/resources/projects/vuln-project 项目为例。
161 |
162 | [WARNING] 部分给出漏洞警告,Path: 为漏洞依赖链,Fix version 为组件安全版本。
163 |
164 | 程序返回值为1,表示发现漏洞。返回值为0,即为未发现问题。
165 |
166 | 
167 |
168 |
169 |
170 | ## 检测原理
171 |
172 | MOSEC-MAVEN-PLUGIN使用`org.apache.maven:maven-core`组件中提供的`aether-api`提取依赖并构建依赖树。
173 |
174 | 该方法可以准确提取maven项目所使用的依赖,以及确定的依赖版本。
175 |
176 | 最终依赖树会交由 [MOSEC-X-PLUGIN-BACKEND](https://github.com/momosecurity/mosec-x-plugin-backend.git) 检测服务进行检测,并返回结果。
177 |
178 | 相关数据结构请参考 MOSEC-X-PLUGIN-BACKEND [README.md](https://github.com/momosecurity/mosec-x-plugin-backend/blob/master/README.md).
179 |
180 |
181 |
182 | ## 开发
183 |
184 | #### Intellij 远程调试 Maven 插件
185 |
186 | 1.将mosec-maven-plugin拉取至本地仓库
187 |
188 | 2.git clone mosec-maven-plugin 源码
189 |
190 | 3.Intellij 打开mosec-maven-plugin项目,新建 Remote Configuration 并填入如下信息
191 |
192 | 
193 |
194 | 4.在另一个maven工程中执行如下命令
195 |
196 | ```shell script
197 | > mvnDebug com.immomo.momosec:mosec-maven-plugin:1.0.8:test
198 | ```
199 |
200 | 5.回到Intellij中,下断点,开始Debug
201 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/maven-metadata.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Mosec Maven Plugin
6 | mosec
7 | mosec-maven-plugin
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/maven-metadata.xml.md5:
--------------------------------------------------------------------------------
1 | eca404dcb7ed57c74cd03e4906579146
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/maven-metadata.xml.sha1:
--------------------------------------------------------------------------------
1 | 3987d2c89456b348a2cc02b689376c4234a8b177
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar.md5:
--------------------------------------------------------------------------------
1 | 37a4ba5984e49a3e3d223b1cc4e4155c
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar.sha1:
--------------------------------------------------------------------------------
1 | 46bc283f96e383b3f49dc497f4dae97156b4311a
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | 3.1.0
7 |
8 |
9 | com.immomo.momosec
10 | mosec-maven-plugin
11 | 1.0.10
12 | maven-plugin
13 |
14 | Mosec Maven Plugin
15 | 用于检测Maven项目的第三方依赖组件是否存在安全漏洞
16 |
17 |
18 |
19 | retanoj
20 | mmsrc@immomo.com
21 |
22 |
23 |
24 |
25 | UTF-8
26 | 3.3.9
27 |
28 |
29 |
30 |
31 | org.apache.maven
32 | maven-core
33 | ${mavenVersion}
34 |
35 |
36 | org.apache.maven.plugin-tools
37 | maven-plugin-annotations
38 | 3.2
39 | provided
40 |
41 |
42 | com.google.code.gson
43 | gson
44 | 2.8.5
45 |
46 |
47 | org.apache.httpcomponents
48 | httpclient
49 | 4.5.13
50 |
51 |
52 |
53 |
54 | org.apache.maven.plugin-testing
55 | maven-plugin-testing-harness
56 | 3.3.0
57 | test
58 |
59 |
60 | junit
61 | junit
62 | 4.13
63 | test
64 |
65 |
66 | org.mockito
67 | mockito-core
68 | 2.28.2
69 | test
70 |
71 |
72 | org.powermock
73 | powermock-api-mockito2
74 | 2.0.9
75 |
76 |
77 | org.powermock
78 | powermock-module-junit4
79 | 2.0.9
80 |
81 |
82 | org.apache.maven
83 | maven-compat
84 | 3.3.9
85 | test
86 |
87 |
88 |
89 |
90 |
91 |
92 | org.apache.maven.plugins
93 | maven-plugin-plugin
94 | 3.5
95 |
96 | mosec
97 | true
98 |
99 |
100 |
101 | mojo-descriptor
102 |
103 | descriptor
104 |
105 |
106 |
107 | help-goal
108 |
109 | helpmojo
110 |
111 |
112 |
113 |
114 |
115 |
116 | org.apache.maven.plugins
117 | maven-compiler-plugin
118 | 3.6.2
119 |
120 | 1.8
121 | 1.8
122 | -Xlint
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 | internal
131 | file://mvn-repo
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom.md5:
--------------------------------------------------------------------------------
1 | 9bf2b25d67d575d0b4fac08655b4fbfb
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom.sha1:
--------------------------------------------------------------------------------
1 | 0e8fbe6e1a3b829903f36a9f125b0508a8c2cc6c
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.jar
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.jar.md5:
--------------------------------------------------------------------------------
1 | c178143b35bc02dd0507e4d6e18b0597
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.jar.sha1:
--------------------------------------------------------------------------------
1 | 3c8bf990409dc02121eb8e3f0195d47d6ea78874
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.pom:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | 3.1.0
7 |
8 |
9 | com.immomo.momosec
10 | mosec-maven-plugin
11 | 1.0.7
12 | maven-plugin
13 |
14 | Mosec Maven Plugin
15 | 用于检测Maven项目的第三方依赖组件是否存在安全漏洞
16 |
17 |
18 |
19 | retanoj
20 | mmsrc@immomo.com
21 |
22 |
23 |
24 |
25 | UTF-8
26 | 3.3.9
27 |
28 |
29 |
30 |
31 | org.apache.maven
32 | maven-core
33 | ${mavenVersion}
34 |
35 |
36 | org.apache.maven.plugin-tools
37 | maven-plugin-annotations
38 | 3.2
39 | provided
40 |
41 |
42 | com.google.code.gson
43 | gson
44 | 2.8.5
45 |
46 |
47 | org.apache.httpcomponents
48 | httpclient
49 | 4.5.10
50 |
51 |
52 |
53 |
54 | org.apache.maven.plugin-testing
55 | maven-plugin-testing-harness
56 | 3.3.0
57 | test
58 |
59 |
60 | junit
61 | junit
62 | 4.13
63 | test
64 |
65 |
66 | org.mockito
67 | mockito-core
68 | 2.28.2
69 | test
70 |
71 |
72 | org.apache.maven
73 | maven-compat
74 | 3.3.9
75 | test
76 |
77 |
78 |
79 |
80 |
81 |
82 | org.apache.maven.plugins
83 | maven-plugin-plugin
84 | 3.5
85 |
86 | mosec
87 | true
88 |
89 |
90 |
91 | mojo-descriptor
92 |
93 | descriptor
94 |
95 |
96 |
97 | help-goal
98 |
99 | helpmojo
100 |
101 |
102 |
103 |
104 |
105 |
106 | org.apache.maven.plugins
107 | maven-compiler-plugin
108 | 3.6.2
109 |
110 | 1.8
111 | 1.8
112 | -Xlint
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 | internal
121 | file://mvn-repo
122 |
123 |
124 |
125 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.pom.md5:
--------------------------------------------------------------------------------
1 | 06b91695fcec13d0b3e94c4da6d2f80c
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.7/mosec-maven-plugin-1.0.7.pom.sha1:
--------------------------------------------------------------------------------
1 | e83b55369f04f3ab9a12ad503e53a87d8f246a63
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.jar
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.jar.md5:
--------------------------------------------------------------------------------
1 | eaab7df555e60240e4fa10a6009c8397
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.jar.sha1:
--------------------------------------------------------------------------------
1 | a498dbf4f6979fb752d846d6321b2967a0997bf7
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.pom:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | 3.1.0
7 |
8 |
9 | com.immomo.momosec
10 | mosec-maven-plugin
11 | 1.0.8
12 | maven-plugin
13 |
14 | Mosec Maven Plugin
15 | 用于检测Maven项目的第三方依赖组件是否存在安全漏洞
16 |
17 |
18 |
19 | retanoj
20 | mmsrc@immomo.com
21 |
22 |
23 |
24 |
25 | UTF-8
26 | 3.3.9
27 |
28 |
29 |
30 |
31 | org.apache.maven
32 | maven-core
33 | ${mavenVersion}
34 |
35 |
36 | org.apache.maven.plugin-tools
37 | maven-plugin-annotations
38 | 3.2
39 | provided
40 |
41 |
42 | com.google.code.gson
43 | gson
44 | 2.8.5
45 |
46 |
47 | org.apache.httpcomponents
48 | httpclient
49 | 4.5.13
50 |
51 |
52 |
53 |
54 | org.apache.maven.plugin-testing
55 | maven-plugin-testing-harness
56 | 3.3.0
57 | test
58 |
59 |
60 | junit
61 | junit
62 | 4.13
63 | test
64 |
65 |
66 | org.mockito
67 | mockito-core
68 | 2.28.2
69 | test
70 |
71 |
72 | org.apache.maven
73 | maven-compat
74 | 3.3.9
75 | test
76 |
77 |
78 |
79 |
80 |
81 |
82 | org.apache.maven.plugins
83 | maven-plugin-plugin
84 | 3.5
85 |
86 | mosec
87 | true
88 |
89 |
90 |
91 | mojo-descriptor
92 |
93 | descriptor
94 |
95 |
96 |
97 | help-goal
98 |
99 | helpmojo
100 |
101 |
102 |
103 |
104 |
105 |
106 | org.apache.maven.plugins
107 | maven-compiler-plugin
108 | 3.6.2
109 |
110 | 1.8
111 | 1.8
112 | -Xlint
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 | internal
121 | file://mvn-repo
122 |
123 |
124 |
125 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.pom.md5:
--------------------------------------------------------------------------------
1 | a6c1f8d0cffbb61f3287950aa4cf1844
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.pom.sha1:
--------------------------------------------------------------------------------
1 | 085580bdcd35aec853378a0752979b5a94352b5e
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar.md5:
--------------------------------------------------------------------------------
1 | b2f9266d0f2b2a87e5e177eaecd35543
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar.sha1:
--------------------------------------------------------------------------------
1 | 5b2151f84cee0197018a567674db051e94dfd334
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | 3.1.0
7 |
8 |
9 | com.immomo.momosec
10 | mosec-maven-plugin
11 | 1.0.9
12 | maven-plugin
13 |
14 | Mosec Maven Plugin
15 | 用于检测Maven项目的第三方依赖组件是否存在安全漏洞
16 |
17 |
18 |
19 | retanoj
20 | mmsrc@immomo.com
21 |
22 |
23 |
24 |
25 | UTF-8
26 | 3.3.9
27 |
28 |
29 |
30 |
31 | org.apache.maven
32 | maven-core
33 | ${mavenVersion}
34 |
35 |
36 | org.apache.maven.plugin-tools
37 | maven-plugin-annotations
38 | 3.2
39 | provided
40 |
41 |
42 | com.google.code.gson
43 | gson
44 | 2.8.5
45 |
46 |
47 | org.apache.httpcomponents
48 | httpclient
49 | 4.5.13
50 |
51 |
52 |
53 |
54 | org.apache.maven.plugin-testing
55 | maven-plugin-testing-harness
56 | 3.3.0
57 | test
58 |
59 |
60 | junit
61 | junit
62 | 4.13
63 | test
64 |
65 |
66 | org.mockito
67 | mockito-core
68 | 2.28.2
69 | test
70 |
71 |
72 | org.apache.maven
73 | maven-compat
74 | 3.3.9
75 | test
76 |
77 |
78 |
79 |
80 |
81 |
82 | org.apache.maven.plugins
83 | maven-plugin-plugin
84 | 3.5
85 |
86 | mosec
87 | true
88 |
89 |
90 |
91 | mojo-descriptor
92 |
93 | descriptor
94 |
95 |
96 |
97 | help-goal
98 |
99 | helpmojo
100 |
101 |
102 |
103 |
104 |
105 |
106 | org.apache.maven.plugins
107 | maven-compiler-plugin
108 | 3.6.2
109 |
110 | 1.8
111 | 1.8
112 | -Xlint
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 | internal
121 | file://mvn-repo
122 |
123 |
124 |
125 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom.md5:
--------------------------------------------------------------------------------
1 | 591d374bf6de6cd28897bdbf4360b454
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom.sha1:
--------------------------------------------------------------------------------
1 | 5f6abdce51651103068ef2004f5661f827e1e94d
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | com.immomo.momosec
4 | mosec-maven-plugin
5 |
6 | 1.0.10
7 | 1.0.10
8 |
9 | 1.0.7
10 | 1.0.8
11 | 1.0.9
12 | 1.0.10
13 |
14 | 20220412023537
15 |
16 |
17 |
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.md5:
--------------------------------------------------------------------------------
1 | 2f7ff63cc756db36bc3059a016d7f99a
--------------------------------------------------------------------------------
/mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.sha1:
--------------------------------------------------------------------------------
1 | a347d34be60bccb963f0a9796f9780fac85a6eba
--------------------------------------------------------------------------------
/mvnw:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # ----------------------------------------------------------------------------
3 | # Licensed to the Apache Software Foundation (ASF) under one
4 | # or more contributor license agreements. See the NOTICE file
5 | # distributed with this work for additional information
6 | # regarding copyright ownership. The ASF licenses this file
7 | # to you under the Apache License, Version 2.0 (the
8 | # "License"); you may not use this file except in compliance
9 | # with the License. You may obtain a copy of the License at
10 | #
11 | # http://www.apache.org/licenses/LICENSE-2.0
12 | #
13 | # Unless required by applicable law or agreed to in writing,
14 | # software distributed under the License is distributed on an
15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16 | # KIND, either express or implied. See the License for the
17 | # specific language governing permissions and limitations
18 | # under the License.
19 | # ----------------------------------------------------------------------------
20 |
21 | # ----------------------------------------------------------------------------
22 | # Maven2 Start Up Batch script
23 | #
24 | # Required ENV vars:
25 | # ------------------
26 | # JAVA_HOME - location of a JDK home dir
27 | #
28 | # Optional ENV vars
29 | # -----------------
30 | # M2_HOME - location of maven2's installed home dir
31 | # MAVEN_OPTS - parameters passed to the Java VM when running Maven
32 | # e.g. to debug Maven itself, use
33 | # set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
34 | # MAVEN_SKIP_RC - flag to disable loading of mavenrc files
35 | # ----------------------------------------------------------------------------
36 |
37 | if [ -z "$MAVEN_SKIP_RC" ] ; then
38 |
39 | if [ -f /etc/mavenrc ] ; then
40 | . /etc/mavenrc
41 | fi
42 |
43 | if [ -f "$HOME/.mavenrc" ] ; then
44 | . "$HOME/.mavenrc"
45 | fi
46 |
47 | fi
48 |
49 | # OS specific support. $var _must_ be set to either true or false.
50 | cygwin=false;
51 | darwin=false;
52 | mingw=false
53 | case "`uname`" in
54 | CYGWIN*) cygwin=true ;;
55 | MINGW*) mingw=true;;
56 | Darwin*) darwin=true
57 | # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
58 | # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
59 | if [ -z "$JAVA_HOME" ]; then
60 | if [ -x "/usr/libexec/java_home" ]; then
61 | export JAVA_HOME="`/usr/libexec/java_home`"
62 | else
63 | export JAVA_HOME="/Library/Java/Home"
64 | fi
65 | fi
66 | ;;
67 | esac
68 |
69 | if [ -z "$JAVA_HOME" ] ; then
70 | if [ -r /etc/gentoo-release ] ; then
71 | JAVA_HOME=`java-config --jre-home`
72 | fi
73 | fi
74 |
75 | if [ -z "$M2_HOME" ] ; then
76 | ## resolve links - $0 may be a link to maven's home
77 | PRG="$0"
78 |
79 | # need this for relative symlinks
80 | while [ -h "$PRG" ] ; do
81 | ls=`ls -ld "$PRG"`
82 | link=`expr "$ls" : '.*-> \(.*\)$'`
83 | if expr "$link" : '/.*' > /dev/null; then
84 | PRG="$link"
85 | else
86 | PRG="`dirname "$PRG"`/$link"
87 | fi
88 | done
89 |
90 | saveddir=`pwd`
91 |
92 | M2_HOME=`dirname "$PRG"`/..
93 |
94 | # make it fully qualified
95 | M2_HOME=`cd "$M2_HOME" && pwd`
96 |
97 | cd "$saveddir"
98 | # echo Using m2 at $M2_HOME
99 | fi
100 |
101 | # For Cygwin, ensure paths are in UNIX format before anything is touched
102 | if $cygwin ; then
103 | [ -n "$M2_HOME" ] &&
104 | M2_HOME=`cygpath --unix "$M2_HOME"`
105 | [ -n "$JAVA_HOME" ] &&
106 | JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
107 | [ -n "$CLASSPATH" ] &&
108 | CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
109 | fi
110 |
111 | # For Mingw, ensure paths are in UNIX format before anything is touched
112 | if $mingw ; then
113 | [ -n "$M2_HOME" ] &&
114 | M2_HOME="`(cd "$M2_HOME"; pwd)`"
115 | [ -n "$JAVA_HOME" ] &&
116 | JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
117 | # TODO classpath?
118 | fi
119 |
120 | if [ -z "$JAVA_HOME" ]; then
121 | javaExecutable="`which javac`"
122 | if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
123 | # readlink(1) is not available as standard on Solaris 10.
124 | readLink=`which readlink`
125 | if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
126 | if $darwin ; then
127 | javaHome="`dirname \"$javaExecutable\"`"
128 | javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
129 | else
130 | javaExecutable="`readlink -f \"$javaExecutable\"`"
131 | fi
132 | javaHome="`dirname \"$javaExecutable\"`"
133 | javaHome=`expr "$javaHome" : '\(.*\)/bin'`
134 | JAVA_HOME="$javaHome"
135 | export JAVA_HOME
136 | fi
137 | fi
138 | fi
139 |
140 | if [ -z "$JAVACMD" ] ; then
141 | if [ -n "$JAVA_HOME" ] ; then
142 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
143 | # IBM's JDK on AIX uses strange locations for the executables
144 | JAVACMD="$JAVA_HOME/jre/sh/java"
145 | else
146 | JAVACMD="$JAVA_HOME/bin/java"
147 | fi
148 | else
149 | JAVACMD="`which java`"
150 | fi
151 | fi
152 |
153 | if [ ! -x "$JAVACMD" ] ; then
154 | echo "Error: JAVA_HOME is not defined correctly." >&2
155 | echo " We cannot execute $JAVACMD" >&2
156 | exit 1
157 | fi
158 |
159 | if [ -z "$JAVA_HOME" ] ; then
160 | echo "Warning: JAVA_HOME environment variable is not set."
161 | fi
162 |
163 | CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
164 |
165 | # traverses directory structure from process work directory to filesystem root
166 | # first directory with .mvn subdirectory is considered project base directory
167 | find_maven_basedir() {
168 |
169 | if [ -z "$1" ]
170 | then
171 | echo "Path not specified to find_maven_basedir"
172 | return 1
173 | fi
174 |
175 | basedir="$1"
176 | wdir="$1"
177 | while [ "$wdir" != '/' ] ; do
178 | if [ -d "$wdir"/.mvn ] ; then
179 | basedir=$wdir
180 | break
181 | fi
182 | # workaround for JBEAP-8937 (on Solaris 10/Sparc)
183 | if [ -d "${wdir}" ]; then
184 | wdir=`cd "$wdir/.."; pwd`
185 | fi
186 | # end of workaround
187 | done
188 | echo "${basedir}"
189 | }
190 |
191 | # concatenates all lines of a file
192 | concat_lines() {
193 | if [ -f "$1" ]; then
194 | echo "$(tr -s '\n' ' ' < "$1")"
195 | fi
196 | }
197 |
198 | BASE_DIR=`find_maven_basedir "$(pwd)"`
199 | if [ -z "$BASE_DIR" ]; then
200 | exit 1;
201 | fi
202 |
203 | ##########################################################################################
204 | # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
205 | # This allows using the maven wrapper in projects that prohibit checking in binary data.
206 | ##########################################################################################
207 | if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
208 | if [ "$MVNW_VERBOSE" = true ]; then
209 | echo "Found .mvn/wrapper/maven-wrapper.jar"
210 | fi
211 | else
212 | if [ "$MVNW_VERBOSE" = true ]; then
213 | echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
214 | fi
215 | jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
216 | while IFS="=" read key value; do
217 | case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
218 | esac
219 | done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
220 | if [ "$MVNW_VERBOSE" = true ]; then
221 | echo "Downloading from: $jarUrl"
222 | fi
223 | wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
224 |
225 | if command -v wget > /dev/null; then
226 | if [ "$MVNW_VERBOSE" = true ]; then
227 | echo "Found wget ... using wget"
228 | fi
229 | wget "$jarUrl" -O "$wrapperJarPath"
230 | elif command -v curl > /dev/null; then
231 | if [ "$MVNW_VERBOSE" = true ]; then
232 | echo "Found curl ... using curl"
233 | fi
234 | curl -o "$wrapperJarPath" "$jarUrl"
235 | else
236 | if [ "$MVNW_VERBOSE" = true ]; then
237 | echo "Falling back to using Java to download"
238 | fi
239 | javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
240 | if [ -e "$javaClass" ]; then
241 | if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
242 | if [ "$MVNW_VERBOSE" = true ]; then
243 | echo " - Compiling MavenWrapperDownloader.java ..."
244 | fi
245 | # Compiling the Java class
246 | ("$JAVA_HOME/bin/javac" "$javaClass")
247 | fi
248 | if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
249 | # Running the downloader
250 | if [ "$MVNW_VERBOSE" = true ]; then
251 | echo " - Running MavenWrapperDownloader.java ..."
252 | fi
253 | ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
254 | fi
255 | fi
256 | fi
257 | fi
258 | ##########################################################################################
259 | # End of extension
260 | ##########################################################################################
261 |
262 | export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
263 | if [ "$MVNW_VERBOSE" = true ]; then
264 | echo $MAVEN_PROJECTBASEDIR
265 | fi
266 | MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
267 |
268 | # For Cygwin, switch paths to Windows format before running java
269 | if $cygwin; then
270 | [ -n "$M2_HOME" ] &&
271 | M2_HOME=`cygpath --path --windows "$M2_HOME"`
272 | [ -n "$JAVA_HOME" ] &&
273 | JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
274 | [ -n "$CLASSPATH" ] &&
275 | CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
276 | [ -n "$MAVEN_PROJECTBASEDIR" ] &&
277 | MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
278 | fi
279 |
280 | WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
281 |
282 | exec "$JAVACMD" \
283 | $MAVEN_OPTS \
284 | -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
285 | "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
286 | ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
287 |
--------------------------------------------------------------------------------
/mvnw.cmd:
--------------------------------------------------------------------------------
1 | @REM ----------------------------------------------------------------------------
2 | @REM Licensed to the Apache Software Foundation (ASF) under one
3 | @REM or more contributor license agreements. See the NOTICE file
4 | @REM distributed with this work for additional information
5 | @REM regarding copyright ownership. The ASF licenses this file
6 | @REM to you under the Apache License, Version 2.0 (the
7 | @REM "License"); you may not use this file except in compliance
8 | @REM with the License. You may obtain a copy of the License at
9 | @REM
10 | @REM http://www.apache.org/licenses/LICENSE-2.0
11 | @REM
12 | @REM Unless required by applicable law or agreed to in writing,
13 | @REM software distributed under the License is distributed on an
14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 | @REM KIND, either express or implied. See the License for the
16 | @REM specific language governing permissions and limitations
17 | @REM under the License.
18 | @REM ----------------------------------------------------------------------------
19 |
20 | @REM ----------------------------------------------------------------------------
21 | @REM Maven2 Start Up Batch script
22 | @REM
23 | @REM Required ENV vars:
24 | @REM JAVA_HOME - location of a JDK home dir
25 | @REM
26 | @REM Optional ENV vars
27 | @REM M2_HOME - location of maven2's installed home dir
28 | @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
29 | @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending
30 | @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
31 | @REM e.g. to debug Maven itself, use
32 | @REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
33 | @REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
34 | @REM ----------------------------------------------------------------------------
35 |
36 | @REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
37 | @echo off
38 | @REM set title of command window
39 | title %0
40 | @REM enable echoing my setting MAVEN_BATCH_ECHO to 'on'
41 | @if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%
42 |
43 | @REM set %HOME% to equivalent of $HOME
44 | if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
45 |
46 | @REM Execute a user defined script before this one
47 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
48 | @REM check for pre script, once with legacy .bat ending and once with .cmd ending
49 | if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
50 | if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
51 | :skipRcPre
52 |
53 | @setlocal
54 |
55 | set ERROR_CODE=0
56 |
57 | @REM To isolate internal variables from possible post scripts, we use another setlocal
58 | @setlocal
59 |
60 | @REM ==== START VALIDATION ====
61 | if not "%JAVA_HOME%" == "" goto OkJHome
62 |
63 | echo.
64 | echo Error: JAVA_HOME not found in your environment. >&2
65 | echo Please set the JAVA_HOME variable in your environment to match the >&2
66 | echo location of your Java installation. >&2
67 | echo.
68 | goto error
69 |
70 | :OkJHome
71 | if exist "%JAVA_HOME%\bin\java.exe" goto init
72 |
73 | echo.
74 | echo Error: JAVA_HOME is set to an invalid directory. >&2
75 | echo JAVA_HOME = "%JAVA_HOME%" >&2
76 | echo Please set the JAVA_HOME variable in your environment to match the >&2
77 | echo location of your Java installation. >&2
78 | echo.
79 | goto error
80 |
81 | @REM ==== END VALIDATION ====
82 |
83 | :init
84 |
85 | @REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
86 | @REM Fallback to current working directory if not found.
87 |
88 | set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
89 | IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
90 |
91 | set EXEC_DIR=%CD%
92 | set WDIR=%EXEC_DIR%
93 | :findBaseDir
94 | IF EXIST "%WDIR%"\.mvn goto baseDirFound
95 | cd ..
96 | IF "%WDIR%"=="%CD%" goto baseDirNotFound
97 | set WDIR=%CD%
98 | goto findBaseDir
99 |
100 | :baseDirFound
101 | set MAVEN_PROJECTBASEDIR=%WDIR%
102 | cd "%EXEC_DIR%"
103 | goto endDetectBaseDir
104 |
105 | :baseDirNotFound
106 | set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
107 | cd "%EXEC_DIR%"
108 |
109 | :endDetectBaseDir
110 |
111 | IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
112 |
113 | @setlocal EnableExtensions EnableDelayedExpansion
114 | for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
115 | @endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
116 |
117 | :endReadAdditionalConfig
118 |
119 | SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
120 | set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
121 | set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
122 |
123 | set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
124 | FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO (
125 | IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
126 | )
127 |
128 | @REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
129 | @REM This allows using the maven wrapper in projects that prohibit checking in binary data.
130 | if exist %WRAPPER_JAR% (
131 | echo Found %WRAPPER_JAR%
132 | ) else (
133 | echo Couldn't find %WRAPPER_JAR%, downloading it ...
134 | echo Downloading from: %DOWNLOAD_URL%
135 | powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"
136 | echo Finished downloading %WRAPPER_JAR%
137 | )
138 | @REM End of extension
139 |
140 | %MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
141 | if ERRORLEVEL 1 goto error
142 | goto end
143 |
144 | :error
145 | set ERROR_CODE=1
146 |
147 | :end
148 | @endlocal & set ERROR_CODE=%ERROR_CODE%
149 |
150 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
151 | @REM check for post script, once with legacy .bat ending and once with .cmd ending
152 | if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
153 | if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
154 | :skipRcPost
155 |
156 | @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
157 | if "%MAVEN_BATCH_PAUSE%" == "on" pause
158 |
159 | if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
160 |
161 | exit /B %ERROR_CODE%
162 |
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | 3.1.0
7 |
8 |
9 | com.immomo.momosec
10 | mosec-maven-plugin
11 | 1.0.10
12 | maven-plugin
13 |
14 | Mosec Maven Plugin
15 | 用于检测Maven项目的第三方依赖组件是否存在安全漏洞
16 |
17 |
18 |
19 | retanoj
20 | mmsrc@immomo.com
21 |
22 |
23 |
24 |
25 | UTF-8
26 | 3.3.9
27 |
28 |
29 |
30 |
31 | org.apache.maven
32 | maven-core
33 | ${mavenVersion}
34 |
35 |
36 | org.apache.maven.plugin-tools
37 | maven-plugin-annotations
38 | 3.2
39 | provided
40 |
41 |
42 | com.google.code.gson
43 | gson
44 | 2.8.5
45 |
46 |
47 | org.apache.httpcomponents
48 | httpclient
49 | 4.5.13
50 |
51 |
52 |
53 |
54 | org.apache.maven.plugin-testing
55 | maven-plugin-testing-harness
56 | 3.3.0
57 | test
58 |
59 |
60 | junit
61 | junit
62 | 4.13
63 | test
64 |
65 |
66 | org.mockito
67 | mockito-core
68 | 2.28.2
69 | test
70 |
71 |
72 | org.powermock
73 | powermock-api-mockito2
74 | 2.0.9
75 |
76 |
77 | org.powermock
78 | powermock-module-junit4
79 | 2.0.9
80 |
81 |
82 | org.apache.maven
83 | maven-compat
84 | 3.3.9
85 | test
86 |
87 |
88 |
89 |
90 |
91 |
92 | org.apache.maven.plugins
93 | maven-plugin-plugin
94 | 3.5
95 |
96 | mosec
97 | true
98 |
99 |
100 |
101 | mojo-descriptor
102 |
103 | descriptor
104 |
105 |
106 |
107 | help-goal
108 |
109 | helpmojo
110 |
111 |
112 |
113 |
114 |
115 |
116 | org.apache.maven.plugins
117 | maven-compiler-plugin
118 | 3.6.2
119 |
120 | 1.8
121 | 1.8
122 | -Xlint
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 | internal
131 | file://mvn-repo
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/Constants.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2017 Snyk Ltd.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | public class Constants {
19 |
20 | public static final String ERROR_GENERAL = "There was a problem with the Mosec plugin.";
21 |
22 | public static final String ERROR_RERUN_WITH_DEBUG = "Re-run Maven using the -X switch to enable full debug logging.";
23 |
24 | public static final String ERROR_ON_VULNERABLE = "Dependency Vulnerable Found!";
25 |
26 | public static final String ERROR_ON_API = "API return data format error.";
27 |
28 | public static final String ERROR_ON_NULL_ENDPOINT = "API endpoint not setting. Setting by or MOSEC_ENDPOINT env.";
29 |
30 | public static final String CONTENT_TYPE_JSON = "application/json";
31 |
32 | public static final String PROJECT_LANGUAGE = "java";
33 |
34 | public static final String BUILD_TOOL_TYPE = "Maven";
35 |
36 | public static final String MOSEC_ENDPOINT_ENV = "MOSEC_ENDPOINT";
37 | }
38 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/HttpClientHelper.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2017 Snyk Ltd.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import org.apache.http.HttpHost;
19 | import org.apache.http.auth.AuthScope;
20 | import org.apache.http.auth.UsernamePasswordCredentials;
21 | import org.apache.http.client.CredentialsProvider;
22 | import org.apache.http.client.HttpClient;
23 | import org.apache.http.client.config.RequestConfig;
24 | import org.apache.http.conn.ssl.NoopHostnameVerifier;
25 | import org.apache.http.impl.client.BasicCredentialsProvider;
26 | import org.apache.http.impl.client.HttpClientBuilder;
27 | import org.apache.http.impl.client.LaxRedirectStrategy;
28 | import org.apache.maven.plugin.logging.Log;
29 | import org.apache.maven.settings.Proxy;
30 | import org.apache.maven.settings.Settings;
31 |
32 | /**
33 | * Helper that builds a {@link HttpClient}, setting up a proxy server, if one is present in ~/.m2/settings.xml
34 | */
35 | public class HttpClientHelper {
36 |
37 | private final Log log;
38 | private final Settings settings;
39 | private final int timeout = 15 * 1000;
40 |
41 | public HttpClientHelper(Log log, Settings settings) {
42 | this.log = log;
43 | this.settings = settings;
44 | }
45 |
46 | public HttpClient buildHttpClient() {
47 | RequestConfig config = RequestConfig.custom()
48 | .setConnectTimeout(timeout)
49 | .setConnectionRequestTimeout(timeout)
50 | .setSocketTimeout(timeout)
51 | .build();
52 |
53 | HttpClientBuilder httpClientBuilder = HttpClientBuilder.create()
54 | .setDefaultRequestConfig(config)
55 | .setRedirectStrategy(new LaxRedirectStrategy())
56 | .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
57 | return addProxy(httpClientBuilder)
58 | .build();
59 | }
60 |
61 | /**
62 | * Adds first active proxy server from ~/.m2/settings.xml, if present,
63 | * that will be passed to HttpClientBuilder used by HttpClient
64 | *
65 | * @param builder {@link HttpClientBuilder}
66 | */
67 | private HttpClientBuilder addProxy(HttpClientBuilder builder) {
68 | Proxy settingsProxy = settings.getActiveProxy();
69 | if (settingsProxy != null) {
70 | getLog().debug("proxy server present, trying to set the first active one");
71 | final String proxyHost = settingsProxy.getHost();
72 | final int proxyPort = settingsProxy.getPort();
73 | final String proxyUsername = settingsProxy.getUsername();
74 | final String proxyPassword = settingsProxy.getPassword();
75 |
76 | if (proxyHost != null && !proxyHost.isEmpty()) {
77 | getLog().debug("Using proxy=" + proxyHost + " with port=" + proxyPort + ".");
78 |
79 | final HttpHost proxy = new HttpHost(proxyHost, proxyPort);
80 | builder.setProxy(proxy);
81 | prepareCredentials(builder, proxyUsername, proxyPassword);
82 | }
83 | }
84 | return builder;
85 | }
86 |
87 | private void prepareCredentials(HttpClientBuilder builder,
88 | String proxyUsername,
89 | String proxyPassword) {
90 | if (proxyUsername != null && !proxyUsername.isEmpty()) {
91 | getLog().debug("Using proxy user name=" + proxyUsername + ".");
92 | CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
93 | credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(proxyUsername, proxyPassword));
94 | builder.setDefaultCredentialsProvider(credentialsProvider);
95 | }
96 | }
97 |
98 | private Log getLog() {
99 | return log;
100 | }
101 | }
102 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/MosecLogHelper.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | public class MosecLogHelper {
19 | private static final String YELLOW = "\033[1;33m";
20 | private static final String LIGHT_RED = "\033[1;31m";
21 | private static final String LIGHT_GREEN = "\033[1;32m";
22 |
23 | private static final String CANCEL_COLOR = "\033[0m";
24 |
25 | public String strongWarning(String content) {
26 | return YELLOW + content + CANCEL_COLOR;
27 | }
28 |
29 | public String strongError(String content) {
30 | return LIGHT_RED + content + CANCEL_COLOR;
31 | }
32 |
33 | public String strongInfo(String content) {
34 | return LIGHT_GREEN + content + CANCEL_COLOR;
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/MosecTest.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2017 Snyk Ltd.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import com.google.gson.*;
19 | import com.immomo.momosec.maven.plugins.exceptions.NetworkErrorException;
20 | import org.apache.http.HttpEntity;
21 | import org.apache.http.HttpResponse;
22 | import org.apache.http.client.HttpClient;
23 | import org.apache.http.client.methods.HttpPost;
24 | import org.apache.http.entity.StringEntity;
25 | import org.apache.maven.plugin.AbstractMojo;
26 | import org.apache.maven.plugin.MojoExecutionException;
27 | import org.apache.maven.plugin.MojoFailureException;
28 | import org.apache.maven.plugins.annotations.Component;
29 | import org.apache.maven.plugins.annotations.Mojo;
30 | import org.apache.maven.plugins.annotations.Parameter;
31 | import org.apache.maven.project.MavenProject;
32 | import org.apache.maven.settings.Settings;
33 | import org.eclipse.aether.RepositorySystem;
34 | import org.eclipse.aether.RepositorySystemSession;
35 | import org.eclipse.aether.collection.DependencyCollectionException;
36 | import org.eclipse.aether.repository.RemoteRepository;
37 |
38 | import java.io.BufferedReader;
39 | import java.io.InputStreamReader;
40 | import java.util.ArrayList;
41 | import java.util.HashSet;
42 | import java.util.List;
43 | import java.util.TreeSet;
44 | import java.util.stream.Collectors;
45 |
46 | import static com.immomo.momosec.maven.plugins.Renderer.writeToFile;
47 |
48 | @Mojo(name = "test")
49 | public class MosecTest extends AbstractMojo {
50 |
51 | @Component
52 | private RepositorySystem repositorySystem;
53 |
54 | @Parameter(property = "project", required = true, readonly = true)
55 | private MavenProject project;
56 |
57 | @Parameter(defaultValue = "${repositorySystemSession}", readonly = true)
58 | private RepositorySystemSession repositorySystemSession;
59 |
60 | @Parameter(defaultValue = "${project.remoteProjectRepositories}", readonly = true)
61 | private List remoteProjectRepositories;
62 |
63 | @Parameter(defaultValue = "${project.remotePluginRepositories}", readonly = true)
64 | private List remotePluginRepositories;
65 |
66 | @Parameter(defaultValue = "${settings}", readonly = true, required = true )
67 | private Settings settings;
68 |
69 | /**
70 | * 威胁等级 [High|Medium|Low]
71 | */
72 | @Parameter(property = "severity", defaultValue = "High")
73 | private String severityLevel;
74 |
75 | /**
76 | * 仅检查直接依赖
77 | */
78 | @Parameter(property = "onlyProvenance", defaultValue = "false")
79 | private Boolean onlyProvenance;
80 |
81 | /**
82 | * 发现漏洞即编译失败
83 | */
84 | @Parameter(property = "failOnVuln", defaultValue = "true")
85 | private Boolean failOnVuln;
86 |
87 | /**
88 | * 上报API
89 | */
90 | @Parameter(property = "endpoint")
91 | private String endpoint;
92 |
93 | /**
94 | * 是否包含Provided Scope依赖
95 | */
96 | @Parameter(property = "includeProvidedDependency", defaultValue = "false")
97 | private Boolean includeProvidedDependency;
98 |
99 | /**
100 | * 输出依赖树到文件
101 | */
102 | @Parameter(property = "outputDepToFile", defaultValue = "")
103 | private String outputDepToFile;
104 |
105 | /**
106 | * 仅分析依赖,不进行漏洞检查
107 | */
108 | @Parameter(property = "onlyAnalyze", defaultValue = "false")
109 | private Boolean onlyAnalyze;
110 |
111 | private static List collectTree = new ArrayList<>();
112 | private static List totalProjectsByGAV = null;
113 |
114 | public void execute() throws MojoExecutionException, MojoFailureException {
115 | String env_endpoint = System.getenv(Constants.MOSEC_ENDPOINT_ENV);
116 | if (env_endpoint != null) {
117 | endpoint = env_endpoint;
118 | }
119 |
120 | if (Boolean.FALSE.equals(onlyAnalyze) && endpoint == null) {
121 | throw new MojoFailureException(Constants.ERROR_ON_NULL_ENDPOINT);
122 | }
123 |
124 | if (remoteProjectRepositories == null) {
125 | remoteProjectRepositories = new ArrayList<>();
126 | }
127 |
128 | if (remotePluginRepositories == null) {
129 | remotePluginRepositories = new ArrayList<>();
130 | }
131 |
132 | try {
133 | for (RemoteRepository remoteProjectRepository : remoteProjectRepositories) {
134 | getLog().debug("Remote project repository: " + remoteProjectRepository);
135 | }
136 | for (RemoteRepository remotePluginRepository : remotePluginRepositories) {
137 | getLog().debug("Remote plugin repository: " + remotePluginRepository);
138 | }
139 | List remoteRepositories = new ArrayList<>(remoteProjectRepositories);
140 | remoteRepositories.addAll(remotePluginRepositories);
141 |
142 | ProjectDependencyCollector collector = new ProjectDependencyCollector(
143 | project,
144 | repositorySystem,
145 | repositorySystemSession,
146 | remoteRepositories,
147 | includeProvidedDependency,
148 | onlyProvenance
149 | );
150 | collector.collectDependencies();
151 | JsonObject projectTree = collector.getTree();
152 | String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
153 | getLog().debug(jsonDepTree);
154 |
155 | collectTree.add(projectTree.deepCopy());
156 | if (Boolean.TRUE.equals(onlyAnalyze)) {
157 | if (this.isAnalyzeTotalFinished()
158 | && outputDepToFile != null
159 | && !"".equals(outputDepToFile)
160 | ) {
161 | writeToFile(outputDepToFile, new GsonBuilder().setPrettyPrinting().create().toJson(collectTree));
162 | }
163 |
164 | getLog().info("onlyAnalyze mode, Done.");
165 | return;
166 | }
167 |
168 | projectTree.addProperty("type", Constants.BUILD_TOOL_TYPE);
169 | projectTree.addProperty("language", Constants.PROJECT_LANGUAGE);
170 | projectTree.addProperty("severityLevel", severityLevel);
171 |
172 | HttpPost request = new HttpPost(endpoint);
173 | request.addHeader("content-type", Constants.CONTENT_TYPE_JSON);
174 | HttpEntity entity = new StringEntity(projectTree.toString());
175 | request.setEntity(entity);
176 |
177 | HttpClientHelper httpClientHelper = new HttpClientHelper(getLog(), settings);
178 | HttpClient client = httpClientHelper.buildHttpClient();
179 | HttpResponse response = client.execute(request);
180 |
181 | if (response.getStatusLine().getStatusCode() >= 400) {
182 | throw new NetworkErrorException(response.getStatusLine().getReasonPhrase());
183 | }
184 |
185 | JsonParser parser = new JsonParser();
186 | JsonObject responseJson;
187 | try {
188 | responseJson = parser.parse(new BufferedReader(new InputStreamReader(response.getEntity().getContent()))).getAsJsonObject();
189 | JsonObject lastTree = collectTree.get(collectTree.size() - 1);
190 | lastTree.add("result", responseJson);
191 | } catch (JsonParseException | IllegalStateException e) {
192 | throw new NetworkErrorException(Constants.ERROR_ON_API);
193 | }
194 |
195 | if (outputDepToFile != null && !"".equals(outputDepToFile)) {
196 | writeToFile(outputDepToFile, new GsonBuilder().setPrettyPrinting().create().toJson(collectTree));
197 | }
198 |
199 | Renderer renderer = new Renderer(getLog(), failOnVuln);
200 | renderer.renderResponse(responseJson);
201 |
202 | } catch (DependencyCollectionException e) {
203 | throw new MojoFailureException(e.getMessage(), e.fillInStackTrace());
204 | } catch(MojoFailureException e) {
205 | throw e;
206 | } catch(Exception e) {
207 | if (getLog().isDebugEnabled()) {
208 | getLog().error(Constants.ERROR_GENERAL, e);
209 | } else {
210 | getLog().error(Constants.ERROR_GENERAL);
211 | getLog().error(Constants.ERROR_RERUN_WITH_DEBUG);
212 | }
213 | throw new MojoFailureException(e.getMessage(), e.fillInStackTrace());
214 | }
215 | }
216 |
217 | @SuppressWarnings("unchecked")
218 | private boolean isAnalyzeTotalFinished() {
219 | if (totalProjectsByGAV == null) {
220 | Object key = repositorySystemSession.getWorkspaceReader().getRepository().getKey();
221 | if (key instanceof HashSet) {
222 | HashSet gavs = (HashSet) key;
223 | totalProjectsByGAV = (List) gavs.stream().collect(Collectors.toList());
224 | } else {
225 | return false;
226 | }
227 | }
228 | List analyzedProjectsByGAV = collectTree.stream()
229 | .map(o -> String.format("%s:%s", o.get("name").getAsString(), o.get("version").getAsString()))
230 | .collect(Collectors.toList());
231 |
232 | if (totalProjectsByGAV == null
233 | || analyzedProjectsByGAV == null
234 | || totalProjectsByGAV.size() != analyzedProjectsByGAV.size()
235 | ) {
236 | return false;
237 | }
238 | return new TreeSet(totalProjectsByGAV).equals(new TreeSet(analyzedProjectsByGAV));
239 | }
240 | }
241 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/ProjectDependencyCollector.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2017 Snyk Ltd.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import com.google.gson.Gson;
19 | import com.google.gson.JsonArray;
20 | import com.google.gson.JsonObject;
21 | import org.apache.maven.model.Model;
22 | import org.apache.maven.project.MavenProject;
23 | import org.eclipse.aether.DefaultRepositorySystemSession;
24 | import org.eclipse.aether.RepositorySystem;
25 | import org.eclipse.aether.RepositorySystemSession;
26 | import org.eclipse.aether.artifact.Artifact;
27 | import org.eclipse.aether.artifact.DefaultArtifact;
28 | import org.eclipse.aether.collection.CollectRequest;
29 | import org.eclipse.aether.collection.CollectResult;
30 | import org.eclipse.aether.collection.DependencyCollectionException;
31 | import org.eclipse.aether.graph.Dependency;
32 | import org.eclipse.aether.graph.DependencyNode;
33 | import org.eclipse.aether.repository.RemoteRepository;
34 | import org.eclipse.aether.util.artifact.JavaScopes;
35 | import org.eclipse.aether.util.graph.selector.AndDependencySelector;
36 | import org.eclipse.aether.util.graph.selector.OptionalDependencySelector;
37 | import org.eclipse.aether.util.graph.selector.ScopeDependencySelector;
38 |
39 | import java.security.InvalidParameterException;
40 | import java.util.List;
41 |
42 | import static java.util.Arrays.asList;
43 | import static java.util.Collections.singletonList;
44 |
45 | public class ProjectDependencyCollector {
46 |
47 | private final MavenProject project;
48 | private final RepositorySystem repoSystem;
49 | private final DefaultRepositorySystemSession session;
50 | private final List remoteRepositories;
51 | private final boolean includeProvidedDependencies;
52 | private final boolean onlyProvenance;
53 |
54 | private JsonObject tree;
55 |
56 | public ProjectDependencyCollector(MavenProject project,
57 | RepositorySystem repoSystem,
58 | RepositorySystemSession repoSession,
59 | List remoteRepositories,
60 | boolean includeProvidedDependencies,
61 | boolean onlyProvenance) {
62 | if(project == null || repoSystem == null || repoSession == null) {
63 | throw new InvalidParameterException();
64 | }
65 |
66 | this.project = project;
67 | this.repoSystem = repoSystem;
68 | this.session = new DefaultRepositorySystemSession(repoSession);
69 | this.remoteRepositories = remoteRepositories;
70 | this.includeProvidedDependencies = includeProvidedDependencies;
71 | this.onlyProvenance = onlyProvenance;
72 | }
73 |
74 | public void collectDependencies() throws DependencyCollectionException {
75 | Artifact artifact = new DefaultArtifact(
76 | String.format("%s:%s:%s", project.getGroupId(), project.getArtifactId(), project.getVersion()));
77 |
78 | if (includeProvidedDependencies) {
79 | session.setDependencySelector(
80 | new AndDependencySelector(
81 | new ScopeDependencySelector(
82 | asList(JavaScopes.COMPILE, JavaScopes.PROVIDED),
83 | singletonList(JavaScopes.TEST)
84 | ),
85 | new OptionalDependencySelector()
86 | )
87 | );
88 | }
89 |
90 | CollectRequest collectRequest = new CollectRequest();
91 | collectRequest.setRoot(new Dependency(artifact, JavaScopes.COMPILE));
92 | collectRequest.setRepositories(remoteRepositories);
93 |
94 | CollectResult collectResult = repoSystem.collectDependencies(session, collectRequest);
95 | DependencyNode node = collectResult.getRoot();
96 |
97 | this.tree = createJsonTree(node, null);
98 | MavenProject parent = this.project.getParent();
99 | if (parent == null) {
100 | this.tree.add("parent", new JsonObject());
101 | } else {
102 | JsonObject jParent = new JsonObject();
103 | jParent.addProperty("name", String.format("%s:%s", parent.getGroupId(), parent.getArtifactId()));
104 | jParent.addProperty("version", parent.getVersion());
105 | this.tree.add("parent", jParent);
106 | }
107 |
108 | tree.add("modules", (new Gson()).toJsonTree(this.project.getModules()).getAsJsonArray());
109 | }
110 |
111 | private JsonObject createJsonTree(DependencyNode depNode, JsonArray ancestors) {
112 | Artifact artifact = depNode.getArtifact();
113 | JsonObject treeNode = createTreeNode(artifact, ancestors);
114 |
115 | if (this.onlyProvenance && treeNode.get("from").getAsJsonArray().size() > 1) {
116 | if (Boolean.FALSE.equals(treeNode.has("dependencies"))) {
117 | treeNode.add("dependencies", new JsonObject());
118 | }
119 | return treeNode;
120 | }
121 |
122 | List children = depNode.getChildren();
123 | JsonObject dependencies = new JsonObject();
124 | for(DependencyNode childDep : children) {
125 | Artifact childArtifact = childDep.getArtifact();
126 | JsonObject childNode = createJsonTree(childDep, treeNode.get("from").getAsJsonArray());
127 | dependencies.add(String.format("%s:%s", childArtifact.getGroupId(), childArtifact.getArtifactId()), childNode);
128 | }
129 | treeNode.add("dependencies", dependencies);
130 |
131 | return treeNode;
132 | }
133 |
134 | private JsonObject createTreeNode(Artifact artifact, JsonArray ancestors) {
135 | JsonObject treeNode = new JsonObject();
136 |
137 | treeNode.addProperty("version", artifact.getVersion());
138 | treeNode.addProperty("name", String.format("%s:%s", artifact.getGroupId(), artifact.getArtifactId()));
139 |
140 | JsonArray from = new JsonArray();
141 | if(ancestors != null) {
142 | from.addAll(ancestors);
143 | }
144 | from.add(String.format("%s:%s@%s", artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion()));
145 | treeNode.add("from", from);
146 |
147 | return treeNode;
148 | }
149 |
150 | public JsonObject getTree() { return this.tree; }
151 | }
152 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/Renderer.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import com.google.gson.*;
19 | import com.immomo.momosec.maven.plugins.exceptions.FoundVulnerableException;
20 | import com.immomo.momosec.maven.plugins.exceptions.NetworkErrorException;
21 | import org.apache.maven.plugin.logging.Log;
22 |
23 | import java.io.*;
24 |
25 | public class Renderer {
26 |
27 | private final MosecLogHelper logHelper = new MosecLogHelper();
28 |
29 | private final Log log;
30 | private final Boolean failOnVuln;
31 |
32 | public Renderer(Log log, Boolean failOnVuln) {
33 | this.log = log;
34 | this.failOnVuln = failOnVuln;
35 | }
36 |
37 | public void renderResponse(JsonObject responseJson) throws NetworkErrorException, FoundVulnerableException {
38 | if(responseJson.get("ok") != null && responseJson.get("ok").getAsBoolean()) {
39 | String ok = "✓ Tested %s dependencies, no vulnerable found.";
40 | getLog().info(logHelper.strongInfo(String.format(ok, responseJson.get("dependencyCount").getAsString())));
41 | } else if (responseJson.get("vulnerabilities") != null) {
42 | JsonArray vulns = responseJson.get("vulnerabilities").getAsJsonArray();
43 |
44 | for (JsonElement vuln : vulns) {
45 | printSingleVuln(vuln.getAsJsonObject());
46 | }
47 |
48 | String fail = "Tested %s dependencies, found %d vulnerable pathes.";
49 | getLog().warn(logHelper.strongWarning(String.format(fail, responseJson.get("dependencyCount").getAsString(), vulns.size())));
50 | if (failOnVuln) {
51 | throw new FoundVulnerableException(Constants.ERROR_ON_VULNERABLE);
52 | }
53 | }
54 | }
55 |
56 | private void printSingleVuln(JsonObject vuln) {
57 | String vuln_warn = "✗ %s severity (%s - %s) found on %s@%s";
58 | getLog().warn(logHelper.strongError(String.format(vuln_warn,
59 | vuln.get("severity").getAsString(),
60 | vuln.get("title").getAsString(),
61 | vuln.get("cve").getAsString(),
62 | vuln.get("packageName").getAsString(),
63 | vuln.get("version").getAsString()
64 | )));
65 | if(vuln.get("from") != null) {
66 | JsonArray fromArr = vuln.get("from").getAsJsonArray();
67 | StringBuilder fromStrb = new StringBuilder();
68 | for(int i = 0; i < fromArr.size(); i++) {
69 | fromStrb.append(fromArr.get(i).getAsString());
70 | fromStrb.append(" > ");
71 | }
72 | getLog().warn(String.format("- Path: %s" ,fromStrb.substring(0, fromStrb.length() - 3)));
73 | }
74 | if (vuln.get("target_version").getAsJsonArray().size() >= 0) {
75 | getLog().warn(logHelper.strongInfo(String.format("! Fix version %s", vuln.get("target_version").getAsJsonArray())));
76 | }
77 | getLog().warn("");
78 | }
79 |
80 | private Log getLog() {
81 | return log;
82 | }
83 |
84 | public static void writeToFile(String filename, String jsonTree) throws IOException {
85 | File file = new File(filename);
86 | if (!file.exists()) {
87 | File dir = new File(file.getAbsoluteFile().getParent());
88 | dir.mkdirs();
89 | file.createNewFile();
90 | }
91 | FileOutputStream outputStream = new FileOutputStream(file);
92 | outputStream.write(jsonTree.getBytes());
93 | outputStream.close();
94 | }
95 |
96 | public static void writeToFile(String filename, String jsonTree, JsonObject responseJson) throws IOException, NetworkErrorException {
97 | File file = new File(filename);
98 | JsonParser parser = new JsonParser();
99 | JsonObject result = parser.parse(jsonTree).getAsJsonObject();
100 | result.add("ok", responseJson.get("ok"));
101 | result.add("dependencyCount", responseJson.get("dependencyCount"));
102 | result.add("vulnerabilities", responseJson.get("vulnerabilities"));
103 | if (!file.exists()) {
104 | File dir = new File(file.getAbsoluteFile().getParent());
105 | dir.mkdirs();
106 | file.createNewFile();
107 | }
108 | String jsonResult = new GsonBuilder().setPrettyPrinting().create().toJson(result);
109 | FileOutputStream outputStream = new FileOutputStream(file);
110 | outputStream.write(jsonResult.getBytes());
111 | outputStream.close();
112 | }
113 | }
114 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/exceptions/FoundVulnerableException.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins.exceptions;
17 |
18 | import org.apache.maven.plugin.MojoFailureException;
19 |
20 | public class FoundVulnerableException extends MojoFailureException {
21 |
22 | public FoundVulnerableException(String message) {
23 | super(message);
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/src/main/java/com/immomo/momosec/maven/plugins/exceptions/NetworkErrorException.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins.exceptions;
17 |
18 | import org.apache.maven.plugin.AbstractMojoExecutionException;
19 |
20 | public class NetworkErrorException extends AbstractMojoExecutionException {
21 |
22 | public NetworkErrorException(String message) {
23 | super(message);
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/src/test/java/com/immomo/momosec/maven/plugins/TestMosecTest.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import org.apache.http.HttpEntity;
19 | import org.apache.http.HttpResponse;
20 | import org.apache.http.StatusLine;
21 | import org.apache.http.client.HttpClient;
22 | import org.apache.maven.plugin.logging.Log;
23 | import org.apache.maven.plugin.testing.MojoRule;
24 | import org.apache.maven.plugin.testing.resources.TestResources;
25 | import org.eclipse.aether.RepositorySystem;
26 | import org.eclipse.aether.artifact.DefaultArtifact;
27 | import org.eclipse.aether.collection.CollectResult;
28 | import org.eclipse.aether.graph.DefaultDependencyNode;
29 | import org.eclipse.aether.graph.DependencyNode;
30 | import org.junit.Assert;
31 | import org.junit.Rule;
32 | import org.junit.Test;
33 | import org.junit.rules.ExpectedException;
34 | import org.junit.runner.RunWith;
35 | import org.powermock.core.classloader.annotations.PrepareForTest;
36 | import org.powermock.modules.junit4.PowerMockRunner;
37 |
38 | import java.io.ByteArrayInputStream;
39 | import java.io.File;
40 | import java.io.IOException;
41 | import java.io.InputStream;
42 | import java.lang.reflect.Field;
43 |
44 | import static org.mockito.ArgumentMatchers.any;
45 | import static org.powermock.api.mockito.PowerMockito.*;
46 |
47 |
48 | @RunWith(PowerMockRunner.class)
49 | @PrepareForTest({HttpClientHelper.class, MosecTest.class})
50 | public class TestMosecTest {
51 |
52 | @Rule
53 | public MojoRule rule = new MojoRule();
54 |
55 | @Rule
56 | public TestResources resources = new TestResources("src/test/resources/projects", "target/test-projects");
57 |
58 | @Rule
59 | @SuppressWarnings(value = {"deprecation"})
60 | public ExpectedException exceptionRule = ExpectedException.none();
61 |
62 |
63 | @Test
64 | public void invalidProjectTest() throws Exception {
65 | File projectCopy = this.resources.getBasedir("empty-dir");
66 | File pom = new File(projectCopy, "pom.xml");
67 |
68 | exceptionRule.expect(java.io.FileNotFoundException.class);
69 | exceptionRule.expectMessage("(No such file or directory)");
70 |
71 | this.rule.lookupMojo("test", pom.getCanonicalPath());
72 | }
73 |
74 | @Test
75 | public void validProjectTest() throws Exception {
76 | File pom = getPom("valid-project", "pom.xml");
77 |
78 | MosecTest mosecTest = (MosecTest)this.rule.lookupMojo("test", pom);
79 | Assert.assertNotNull(mosecTest);
80 | }
81 |
82 | @Test
83 | public void onlyAnalyzeWithoutEndpointPom() throws Exception {
84 | File pom = getPom("valid-project", "onlyAnalyzeWithoutEndpointPom.xml");
85 |
86 | MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
87 |
88 | RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
89 | CollectResult mockCollectResult = mock(CollectResult.class);
90 | DependencyNode mockRoot = new DefaultDependencyNode(
91 | new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
92 |
93 | when(mosecTest.getLog()).thenReturn(mock(Log.class));
94 | when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
95 | when(mockCollectResult.getRoot()).thenReturn(mockRoot);
96 |
97 | Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
98 | repoSystemField.setAccessible(true);
99 | repoSystemField.set(mosecTest, mockRepositorySystem);
100 |
101 | mosecTest.execute();
102 | }
103 |
104 | @Test
105 | public void onlyAnalyzeWithEndpointPom() throws Exception {
106 | File pom = getPom("valid-project", "onlyAnalyzeWithEndpointPom.xml");
107 |
108 | MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
109 |
110 | RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
111 | CollectResult mockCollectResult = mock(CollectResult.class);
112 | DependencyNode mockRoot = new DefaultDependencyNode(
113 | new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
114 |
115 | when(mosecTest.getLog()).thenReturn(mock(Log.class));
116 | when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
117 | when(mockCollectResult.getRoot()).thenReturn(mockRoot);
118 |
119 | Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
120 | repoSystemField.setAccessible(true);
121 | repoSystemField.set(mosecTest, mockRepositorySystem);
122 |
123 | mosecTest.execute();
124 | }
125 |
126 | @Test
127 | public void testFailOnVulnWithTruePom() throws Exception {
128 | File pom = getPom("valid-project", "failOnVulnWithTruePom.xml");
129 | exceptionRule.expectMessage("Dependency Vulnerable Found!");
130 | failOnVulnPomRunner(pom);
131 | }
132 |
133 | @Test
134 | public void testFailOnVulnWithFalsePom() throws Exception {
135 | File pom = getPom("valid-project", "failOnVulnWithFalsePom.xml");
136 | failOnVulnPomRunner(pom);
137 | }
138 |
139 | private void failOnVulnPomRunner(File pom) throws Exception {
140 | MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
141 |
142 | RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
143 | CollectResult mockCollectResult = mock(CollectResult.class);
144 | DependencyNode mockRoot = new DefaultDependencyNode(
145 | new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
146 | HttpClientHelper mockHttpClientHelper = mock(HttpClientHelper.class);
147 | HttpClient mockHttpClient = mock(HttpClient.class);
148 | HttpResponse mockHttpResponse = mock(HttpResponse.class);
149 | StatusLine mockStatusLine = mock(StatusLine.class);
150 | HttpEntity mockHttpEntity = mock(HttpEntity.class);
151 |
152 | when(mosecTest.getLog()).thenReturn(mock(Log.class));
153 | when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
154 | when(mockCollectResult.getRoot()).thenReturn(mockRoot);
155 | whenNew(HttpClientHelper.class).withAnyArguments().thenReturn(mockHttpClientHelper);
156 | when(mockHttpClientHelper.buildHttpClient()).thenReturn(mockHttpClient);
157 | when(mockHttpClient.execute(any())).thenReturn(mockHttpResponse);
158 | when(mockHttpResponse.getStatusLine()).thenReturn(mockStatusLine);
159 | when(mockStatusLine.getStatusCode()).thenReturn(200);
160 | String vuln = "{\"ok\":false, \"dependencyCount\": 2, \"vulnerabilities\":[{" +
161 | "\"severity\": \"High\"," +
162 | "\"title\": \"Fastjson RCE\"," +
163 | "\"cve\": \"CVE-0000-0001\"," +
164 | "\"packageName\": \"com.alibaba:fastjson\"," +
165 | "\"version\": \"1.2.33\"," +
166 | "\"target_version\": [\"1.2.80\"]" +
167 | "}]}";
168 | InputStream httpResponseContent = new ByteArrayInputStream(vuln.getBytes());
169 | when(mockHttpResponse.getEntity()).thenReturn(mockHttpEntity);
170 | when(mockHttpEntity.getContent()).thenReturn(httpResponseContent);
171 |
172 | Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
173 | repoSystemField.setAccessible(true);
174 | repoSystemField.set(mosecTest, mockRepositorySystem);
175 |
176 | mosecTest.execute();
177 | }
178 |
179 | public File getPom(String baseDir, String fn) throws IOException {
180 | File projectCopy = this.resources.getBasedir(baseDir);
181 | File pom = new File(projectCopy, fn);
182 |
183 | Assert.assertNotNull(pom);
184 | Assert.assertTrue(pom.exists());
185 |
186 | return pom;
187 | }
188 |
189 | }
190 |
--------------------------------------------------------------------------------
/src/test/java/com/immomo/momosec/maven/plugins/TestProjectDependencyCollector.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import com.google.gson.JsonArray;
19 | import com.google.gson.JsonObject;
20 | import org.apache.maven.project.MavenProject;
21 | import org.eclipse.aether.DefaultRepositorySystemSession;
22 | import org.eclipse.aether.RepositorySystem;
23 | import org.eclipse.aether.artifact.Artifact;
24 | import org.eclipse.aether.artifact.DefaultArtifact;
25 | import org.eclipse.aether.graph.DefaultDependencyNode;
26 | import org.eclipse.aether.graph.DependencyNode;
27 | import org.eclipse.aether.repository.RemoteRepository;
28 | import org.junit.Assert;
29 | import org.junit.Test;
30 |
31 | import java.lang.reflect.Method;
32 | import java.util.List;
33 |
34 | import static java.util.Collections.singletonList;
35 | import static org.mockito.Mockito.mock;
36 |
37 | public class TestProjectDependencyCollector {
38 |
39 | private final MavenProject project = mock(MavenProject.class);
40 | private final RepositorySystem repoSystem = mock(RepositorySystem.class);
41 | private final DefaultRepositorySystemSession session = new DefaultRepositorySystemSession();
42 | private final List remoteRepositories = singletonList(
43 | (new RemoteRepository.Builder("central", "default", "https://repo1.maven.org/maven2/")).build());
44 |
45 | private final Artifact parent = new DefaultArtifact("com.study.parent:parent:1.0.0");
46 | private final Artifact child = new DefaultArtifact("com.study.child:child:1.0.0");
47 | private final Artifact child_child = new DefaultArtifact("com.study.child_child:child_child:1.0.0");
48 |
49 | @Test
50 | @SuppressWarnings(value = {"unchecked", "rawtypes"})
51 | public void createJsonTreeTest() throws Exception {
52 | Class collectorClass = ProjectDependencyCollector.class;
53 | Method method = collectorClass.getDeclaredMethod("createJsonTree", DependencyNode.class, JsonArray.class);
54 | method.setAccessible(true);
55 |
56 | DependencyNode parent_node = new DefaultDependencyNode(parent);
57 | DependencyNode child_node = new DefaultDependencyNode(child);
58 | DependencyNode child_child_node = new DefaultDependencyNode(child_child);
59 | child_node.setChildren(singletonList(child_child_node));
60 | parent_node.setChildren(singletonList(child_node));
61 |
62 | JsonObject parentJson = getJsonObject(parent);
63 | JsonObject childJson = getJsonObject(child);
64 | JsonObject child_childJson = getJsonObject(child_child);
65 |
66 | JsonArray parentFrom = new JsonArray();
67 | parentFrom.add(String.format("%s:%s@%s", parent.getGroupId(), parent.getArtifactId(), parent.getVersion()));
68 | parentJson.add("from", parentFrom);
69 |
70 | JsonArray childFrom = new JsonArray();
71 | childFrom.addAll(parentFrom);
72 | childFrom.add(String.format("%s:%s@%s", child.getGroupId(), child.getArtifactId(), child.getVersion()));
73 | childJson.add("from", childFrom);
74 |
75 | JsonArray child_childFrom = new JsonArray();
76 | child_childFrom.addAll(childFrom);
77 | child_childFrom.add(String.format("%s:%s@%s", child_child.getGroupId(), child_child.getArtifactId(), child_child.getVersion()));
78 | child_childJson.add("from", child_childFrom);
79 |
80 | JsonObject parentDependencies = new JsonObject();
81 | parentDependencies.add(String.format("%s:%s", child.getGroupId(), child.getArtifactId()), childJson);
82 | parentJson.add("dependencies", parentDependencies);
83 |
84 | JsonObject childDependencies = new JsonObject();
85 | childDependencies.add(String.format("%s:%s", child_child.getGroupId(), child_child.getArtifactId()), child_childJson);
86 | childJson.add("dependencies", childDependencies);
87 |
88 | child_childJson.add("dependencies", new JsonObject());
89 |
90 | JsonObject actualJson;
91 |
92 | ProjectDependencyCollector collector_WithOnlyProvenance = new ProjectDependencyCollector(
93 | project, repoSystem, session, remoteRepositories, false, true
94 | );
95 | actualJson = (JsonObject)method.invoke(collector_WithOnlyProvenance, parent_node, null);
96 | Assert.assertNull(actualJson.getAsJsonObject("dependencies").getAsJsonObject("dependencies"));
97 |
98 | ProjectDependencyCollector collector_WithoutOnlyProvenance = new ProjectDependencyCollector(
99 | project, repoSystem, session, remoteRepositories, false, false
100 | );
101 | actualJson = (JsonObject)method.invoke(collector_WithoutOnlyProvenance, parent_node, null);
102 | Assert.assertEquals(parentJson, actualJson);
103 | }
104 |
105 | @Test
106 | @SuppressWarnings(value = {"unchecked", "rawtypes"})
107 | public void createTreeNodeTest() throws Exception {
108 | ProjectDependencyCollector collector = new ProjectDependencyCollector(
109 | project, repoSystem, session, remoteRepositories, false, true
110 | );
111 | Class collectorClass = ProjectDependencyCollector.class;
112 | Method method = collectorClass.getDeclaredMethod("createTreeNode", Artifact.class, JsonArray.class);
113 | method.setAccessible(true);
114 |
115 |
116 | JsonArray from = new JsonArray();
117 | from.add(String.format("%s:%s@%s", parent.getGroupId(), parent.getArtifactId(), parent.getVersion()));
118 |
119 | JsonObject expectJson = getJsonObject(child);
120 |
121 | JsonArray expectFrom = new JsonArray();
122 | expectFrom.addAll(from);
123 | expectFrom.add(String.format("%s:%s@%s", child.getGroupId(), child.getArtifactId(), child.getVersion()));
124 | expectJson.add("from", expectFrom);
125 |
126 | JsonObject json = (JsonObject)method.invoke(collector, child, from);
127 | Assert.assertEquals(expectJson, json);
128 | }
129 |
130 | private JsonObject getJsonObject(Artifact artifact) {
131 | JsonObject obj = new JsonObject();
132 | obj.addProperty("version", artifact.getVersion());
133 | obj.addProperty("name", String.format("%s:%s", artifact.getGroupId(), artifact.getArtifactId()));
134 |
135 | return obj;
136 | }
137 | }
138 |
--------------------------------------------------------------------------------
/src/test/java/com/immomo/momosec/maven/plugins/TestRenderer.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins;
17 |
18 | import com.google.gson.JsonParser;
19 | import com.immomo.momosec.maven.plugins.exceptions.FoundVulnerableException;
20 | import com.immomo.momosec.maven.plugins.exceptions.NetworkErrorException;
21 | import org.apache.maven.monitor.logging.DefaultLog;
22 | import org.apache.maven.plugin.logging.Log;
23 | import org.codehaus.plexus.logging.console.ConsoleLogger;
24 | import org.junit.*;
25 | import org.junit.rules.ExpectedException;
26 |
27 | import java.io.ByteArrayInputStream;
28 | import java.io.ByteArrayOutputStream;
29 | import java.io.PrintStream;
30 |
31 |
32 | public class TestRenderer {
33 |
34 | @Rule
35 | @SuppressWarnings(value = {"deprecation"})
36 | public ExpectedException exceptionRule = ExpectedException.none();
37 |
38 | private final Log log = new DefaultLog(new ConsoleLogger());
39 | private final MosecLogHelper logHelper = new MosecLogHelper();
40 |
41 | private final ByteArrayOutputStream outContent = new ByteArrayOutputStream();
42 | private final ByteArrayOutputStream errContent = new ByteArrayOutputStream();
43 | private final PrintStream originalOut = System.out;
44 | private final PrintStream originalErr = System.err;
45 |
46 | private final String no_vulnerable_response =
47 | "{" +
48 | " \"ok\": true," +
49 | " \"dependencyCount\": 3," +
50 | " \"vulnerabilities\": []" +
51 | "}";
52 |
53 | private final String vulnerable_response =
54 | "{" +
55 | " \"ok\": false," +
56 | " \"dependencyCount\": 3," +
57 | " \"vulnerabilities\": [{" +
58 | " \"severity\": \"High\"," +
59 | " \"title\": \"Fake Vulnerable\"," +
60 | " \"cve\": \"CVE-0001-0001\"," +
61 | " \"packageName\": \"com.study.foo:bar\"," +
62 | " \"version\": \"1.0.0\"," +
63 | " \"target_version\": [\"1.1\"]" +
64 | " }]" +
65 | "}";
66 |
67 | @Before
68 | public void setUpStreams() {
69 | System.setOut(new PrintStream(outContent));
70 | System.setErr(new PrintStream(errContent));
71 | }
72 |
73 | @After
74 | public void restoreStreams() {
75 | System.setOut(originalOut);
76 | System.setErr(originalErr);
77 | }
78 |
79 | @Test
80 | public void renderResponseTest_NotFoundVuln() throws Exception {
81 | Renderer renderer = new Renderer(log, true);
82 | JsonParser parser = new JsonParser();
83 | renderer.renderResponse(parser.parse(no_vulnerable_response).getAsJsonObject());
84 |
85 | String expect = "[INFO] " + logHelper.strongInfo("✓ Tested 3 dependencies, no vulnerable found.") + "\n";
86 | Assert.assertEquals(expect, outContent.toString());
87 | }
88 |
89 | @Test
90 | public void renderResponseTest_FoundVulnWithFailOnVuln() throws Exception {
91 | exceptionRule.expect(FoundVulnerableException.class);
92 | exceptionRule.expectMessage(Constants.ERROR_ON_VULNERABLE);
93 |
94 | Renderer renderer = new Renderer(log, true);
95 | JsonParser parser = new JsonParser();
96 | renderer.renderResponse(parser.parse(vulnerable_response).getAsJsonObject());
97 | }
98 |
99 | @Test
100 | public void renderResponseTest_FoundVulnWithoutFailOnVuln() throws Exception {
101 | Renderer renderer = new Renderer(log, false);
102 | JsonParser parser = new JsonParser();
103 | renderer.renderResponse(parser.parse(vulnerable_response).getAsJsonObject());
104 |
105 | String expect =
106 | "[WARNING] " + logHelper.strongError("✗ High severity (Fake Vulnerable - CVE-0001-0001) found on com.study.foo:bar@1.0.0") + "\n" +
107 | "[WARNING] " + logHelper.strongInfo("! Fix version [\"1.1\"]") + "\n" +
108 | "[WARNING] \n" +
109 | "[WARNING] " + logHelper.strongWarning("Tested 3 dependencies, found 1 vulnerable pathes.") + "\n";
110 | Assert.assertEquals(expect, outContent.toString());
111 | }
112 |
113 | }
114 |
--------------------------------------------------------------------------------
/src/test/java/com/immomo/momosec/maven/plugins/stubs/MyTestProjectSettingsStub.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins.stubs;
17 |
18 | import org.apache.maven.settings.Proxy;
19 | import org.apache.maven.settings.Settings;
20 |
21 | import java.util.ArrayList;
22 | import java.util.Collections;
23 | import java.util.List;
24 |
25 | public class MyTestProjectSettingsStub extends Settings {
26 | public List getProxies()
27 | {
28 | return new ArrayList<>();
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/src/test/java/com/immomo/momosec/maven/plugins/stubs/MyTestProjectStub.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins.stubs;
17 |
18 | import org.apache.maven.model.Build;
19 | import org.apache.maven.model.Model;
20 | import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
21 | import org.apache.maven.plugin.testing.stubs.MavenProjectStub;
22 | import org.apache.maven.project.MavenProject;
23 | import org.codehaus.plexus.util.ReaderFactory;
24 |
25 | import java.io.File;
26 | import java.util.ArrayList;
27 | import java.util.List;
28 |
29 | public class MyTestProjectStub extends MavenProjectStub {
30 |
31 | @SuppressWarnings(value = {"unchecked", "rawtypes"})
32 | public MyTestProjectStub() {
33 | MavenXpp3Reader pomReader = new MavenXpp3Reader();
34 | Model model;
35 |
36 | try {
37 | model = pomReader.read(ReaderFactory.newXmlReader(new File( getBasedir() + "/pom.xml")));
38 | setModel(model);
39 | MavenProject mavenProject = new MavenProject(model);
40 | this.setParent(mavenProject);
41 | } catch (Exception e) {
42 | throw new RuntimeException(e);
43 | }
44 |
45 |
46 | setGroupId(model.getGroupId());
47 | setArtifactId(model.getArtifactId());
48 | setVersion(model.getVersion());
49 | setName(model.getName());
50 | setUrl(model.getUrl());
51 | setPackaging(model.getPackaging());
52 |
53 |
54 | Build build = new Build();
55 | build.setFinalName(model.getArtifactId());
56 | build.setDirectory(getBasedir() + "/target");
57 | build.setSourceDirectory(getBasedir() + "/src/main/java");
58 | build.setOutputDirectory(getBasedir() + "/target/classes");
59 | build.setTestSourceDirectory(getBasedir() + "/src/test/java");
60 | build.setTestOutputDirectory(getBasedir() + "/target/test-classes");
61 | setBuild(build);
62 |
63 | List compileSourceRoots = new ArrayList();
64 | compileSourceRoots.add(getBasedir() + "/src/main/java");
65 | setCompileSourceRoots(compileSourceRoots);
66 |
67 | List testCompileSourceRoots = new ArrayList();
68 | testCompileSourceRoots.add(getBasedir() + "/src/test/java");
69 | setTestCompileSourceRoots(testCompileSourceRoots);
70 | }
71 |
72 | public File getBasedir() {
73 | return new File(super.getBasedir() + "/src/test/resources/projects/valid-project");
74 | }
75 |
76 | }
77 |
--------------------------------------------------------------------------------
/src/test/java/com/immomo/momosec/maven/plugins/stubs/MyTestProjectSystemSessionStub.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2020 momosecurity.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 | package com.immomo.momosec.maven.plugins.stubs;
17 |
18 | import org.apache.maven.model.Model;
19 | import org.apache.maven.repository.internal.MavenWorkspaceReader;
20 | import org.codehaus.plexus.PlexusTestCase;
21 | import org.eclipse.aether.*;
22 | import org.eclipse.aether.artifact.Artifact;
23 | import org.eclipse.aether.artifact.ArtifactType;
24 | import org.eclipse.aether.artifact.ArtifactTypeRegistry;
25 | import org.eclipse.aether.collection.*;
26 | import org.eclipse.aether.internal.impl.SimpleLocalRepositoryManagerFactory;
27 | import org.eclipse.aether.repository.*;
28 | import org.eclipse.aether.resolution.ArtifactDescriptorPolicy;
29 | import org.eclipse.aether.resolution.ResolutionErrorPolicy;
30 | import org.eclipse.aether.transfer.TransferListener;
31 | import org.eclipse.aether.util.repository.ChainedWorkspaceReader;
32 |
33 | import java.io.File;
34 | import java.util.HashMap;
35 | import java.util.HashSet;
36 | import java.util.List;
37 | import java.util.Map;
38 |
39 | public class MyTestProjectSystemSessionStub implements RepositorySystemSession {
40 | private final Map systemProperties;
41 | private final Map userProperties;
42 | private final Map configProperties;
43 | private final MirrorSelector mirrorSelector;
44 | private final ProxySelector proxySelector;
45 | private final AuthenticationSelector authenticationSelector;
46 | private LocalRepositoryManager localRepositoryManager;
47 |
48 | @SuppressWarnings(value = {"unchecked", "rawtypes"})
49 | public MyTestProjectSystemSessionStub() {
50 | LocalRepository repository = new LocalRepository(PlexusTestCase.getBasedir());
51 | try {
52 | LocalRepositoryManager localRepositoryManager = new SimpleLocalRepositoryManagerFactory().newInstance(this, repository);
53 | this.setLocalRepositoryManager(localRepositoryManager);
54 | } catch (NoLocalRepositoryManagerException e) {
55 | e.printStackTrace();
56 | }
57 |
58 | this.systemProperties = new HashMap();
59 | this.userProperties = new HashMap();
60 | this.configProperties = new HashMap();
61 | this.mirrorSelector = MyTestProjectSystemSessionStub.NullMirrorSelector.INSTANCE;
62 | this.proxySelector = MyTestProjectSystemSessionStub.NullProxySelector.INSTANCE;
63 | this.authenticationSelector = MyTestProjectSystemSessionStub.NullAuthenticationSelector.INSTANCE;
64 | }
65 |
66 | @Override
67 | public boolean isOffline() {
68 | return false;
69 | }
70 |
71 | @Override
72 | public boolean isIgnoreArtifactDescriptorRepositories() {
73 | return false;
74 | }
75 |
76 | @Override
77 | public ResolutionErrorPolicy getResolutionErrorPolicy() {
78 | return null;
79 | }
80 |
81 | @Override
82 | public ArtifactDescriptorPolicy getArtifactDescriptorPolicy() {
83 | return null;
84 | }
85 |
86 | @Override
87 | public String getChecksumPolicy() {
88 | return null;
89 | }
90 |
91 | @Override
92 | public String getUpdatePolicy() {
93 | return null;
94 | }
95 |
96 | @Override
97 | public LocalRepository getLocalRepository() {
98 | return null;
99 | }
100 |
101 | @Override
102 | public LocalRepositoryManager getLocalRepositoryManager() {
103 | return this.localRepositoryManager;
104 | }
105 |
106 | public MyTestProjectSystemSessionStub setLocalRepositoryManager(LocalRepositoryManager localRepositoryManager) {
107 | this.localRepositoryManager = localRepositoryManager;
108 | return this;
109 | }
110 |
111 | @Override
112 | public WorkspaceReader getWorkspaceReader() {
113 | return new MavenWorkspaceReader() {
114 | @Override
115 | public Model findModel(Artifact artifact) {
116 | return null;
117 | }
118 |
119 | @Override
120 | public WorkspaceRepository getRepository() {
121 | return new WorkspaceRepository("mock", new HashSet(){{
122 | add("com.immomo.momosec:MyTestProject:1.0.0");
123 | }});
124 | }
125 |
126 | @Override
127 | public File findArtifact(Artifact artifact) {
128 | return null;
129 | }
130 |
131 | @Override
132 | public List findVersions(Artifact artifact) {
133 | return null;
134 | }
135 | };
136 | }
137 |
138 | @Override
139 | public RepositoryListener getRepositoryListener() {
140 | return null;
141 | }
142 |
143 | @Override
144 | public TransferListener getTransferListener() {
145 | return null;
146 | }
147 |
148 | @Override
149 | public Map getSystemProperties() {
150 | return this.systemProperties;
151 | }
152 |
153 | @Override
154 | public Map getUserProperties() {
155 | return this.userProperties;
156 | }
157 |
158 | @Override
159 | public Map getConfigProperties() {
160 | return this.configProperties;
161 | }
162 |
163 | @Override
164 | public MirrorSelector getMirrorSelector() {
165 | return this.mirrorSelector;
166 | }
167 |
168 | @Override
169 | public ProxySelector getProxySelector() {
170 | return this.proxySelector;
171 | }
172 |
173 | @Override
174 | public AuthenticationSelector getAuthenticationSelector() {
175 | return this.authenticationSelector;
176 | }
177 |
178 | @Override
179 | public ArtifactTypeRegistry getArtifactTypeRegistry() {
180 | return null;
181 | }
182 |
183 | @Override
184 | public DependencyTraverser getDependencyTraverser() {
185 | return null;
186 | }
187 |
188 | @Override
189 | public DependencyManager getDependencyManager() {
190 | return null;
191 | }
192 |
193 | @Override
194 | public DependencySelector getDependencySelector() {
195 | return null;
196 | }
197 |
198 | @Override
199 | public VersionFilter getVersionFilter() {
200 | return null;
201 | }
202 |
203 | @Override
204 | public DependencyGraphTransformer getDependencyGraphTransformer() {
205 | return null;
206 | }
207 |
208 | @Override
209 | public SessionData getData() {
210 | return null;
211 | }
212 |
213 | @Override
214 | public RepositoryCache getCache() {
215 | return null;
216 | }
217 |
218 | static final class NullArtifactTypeRegistry implements ArtifactTypeRegistry {
219 | public static final ArtifactTypeRegistry INSTANCE = new MyTestProjectSystemSessionStub.NullArtifactTypeRegistry();
220 |
221 | NullArtifactTypeRegistry() {
222 | }
223 |
224 | public ArtifactType get(String typeId) {
225 | return null;
226 | }
227 | }
228 |
229 | static class NullAuthenticationSelector implements AuthenticationSelector {
230 | public static final AuthenticationSelector INSTANCE = new MyTestProjectSystemSessionStub.NullAuthenticationSelector();
231 |
232 | NullAuthenticationSelector() {
233 | }
234 |
235 | public Authentication getAuthentication(RemoteRepository repository) {
236 | return repository.getAuthentication();
237 | }
238 | }
239 |
240 | static class NullMirrorSelector implements MirrorSelector {
241 | public static final MirrorSelector INSTANCE = new MyTestProjectSystemSessionStub.NullMirrorSelector();
242 |
243 | NullMirrorSelector() {
244 | }
245 |
246 | public RemoteRepository getMirror(RemoteRepository repository) {
247 | return null;
248 | }
249 | }
250 |
251 | static class NullProxySelector implements ProxySelector {
252 | public static final ProxySelector INSTANCE = new MyTestProjectSystemSessionStub.NullProxySelector();
253 |
254 | NullProxySelector() {
255 | }
256 |
257 | public Proxy getProxy(RemoteRepository repository) {
258 | return repository.getProxy();
259 | }
260 | }
261 | }
262 |
--------------------------------------------------------------------------------
/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker:
--------------------------------------------------------------------------------
1 | mock-maker-inline
--------------------------------------------------------------------------------
/src/test/resources/projects/empty-dir/foo:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/src/test/resources/projects/module-project/dumpDepFile.txt:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "version": "1.0.0",
4 | "name": "com.immomo.momosec:ModuleProject",
5 | "from": [
6 | "com.immomo.momosec:ModuleProject@1.0.0"
7 | ],
8 | "dependencies": {},
9 | "parent": {},
10 | "modules": [
11 | "moduleA",
12 | "moduleB"
13 | ]
14 | },
15 | {
16 | "version": "1.0.0",
17 | "name": "com.immomo.momosec:ModuleA",
18 | "from": [
19 | "com.immomo.momosec:ModuleA@1.0.0"
20 | ],
21 | "dependencies": {},
22 | "parent": {
23 | "name": "com.immomo.momosec:ModuleProject",
24 | "version": "1.0.0"
25 | },
26 | "modules": [
27 | "moduleSubA"
28 | ]
29 | },
30 | {
31 | "version": "1.0.0",
32 | "name": "com.immomo.momosec:ModuleSubA",
33 | "from": [
34 | "com.immomo.momosec:ModuleSubA@1.0.0"
35 | ],
36 | "dependencies": {
37 | "com.alibaba:fastjson": {
38 | "version": "1.2.33",
39 | "name": "com.alibaba:fastjson",
40 | "from": [
41 | "com.immomo.momosec:ModuleSubA@1.0.0",
42 | "com.alibaba:fastjson@1.2.33"
43 | ],
44 | "dependencies": {}
45 | }
46 | },
47 | "parent": {
48 | "name": "com.immomo.momosec:ModuleA",
49 | "version": "1.0.0"
50 | },
51 | "modules": []
52 | },
53 | {
54 | "version": "1.0.0",
55 | "name": "com.immomo.momosec:ModuleB",
56 | "from": [
57 | "com.immomo.momosec:ModuleB@1.0.0"
58 | ],
59 | "dependencies": {},
60 | "parent": {
61 | "name": "com.immomo.momosec:ModuleProject",
62 | "version": "1.0.0"
63 | },
64 | "modules": []
65 | }
66 | ]
--------------------------------------------------------------------------------
/src/test/resources/projects/module-project/moduleA/moduleSubA/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | com.immomo.momosec
7 | ModuleA
8 | 1.0.0
9 |
10 | ModuleSubA
11 | pom
12 |
13 |
14 |
15 | com.alibaba
16 | fastjson
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/src/test/resources/projects/module-project/moduleA/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | com.immomo.momosec
7 | ModuleProject
8 | 1.0.0
9 |
10 | ModuleA
11 | pom
12 |
13 |
14 | moduleSubA
15 |
16 |
17 |
--------------------------------------------------------------------------------
/src/test/resources/projects/module-project/moduleB/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 |
6 | com.immomo.momosec
7 | ModuleProject
8 | 1.0.0
9 |
10 | ModuleB
11 | pom
12 |
13 |
14 |
--------------------------------------------------------------------------------
/src/test/resources/projects/module-project/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | ModuleProject
7 | pom
8 | 1.0.0
9 |
10 |
11 | moduleA
12 | moduleB
13 |
14 |
15 | Mosec Maven Plugin Test Project
16 |
17 |
18 |
19 |
20 | com.alibaba
21 | fastjson
22 | 1.2.33
23 |
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/src/test/resources/projects/valid-project/failOnVulnWithFalsePom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | MyTestProject
7 | 1.0.0
8 |
9 | Mosec Maven Plugin Test Project
10 |
11 |
12 |
13 |
14 | com.alibaba
15 | fastjson
16 | 1.2.33
17 |
18 |
19 | junit
20 | junit
21 | 4.13
22 | test
23 |
24 |
25 |
26 |
27 |
28 |
29 | com.immomo.momosec
30 | mosec-maven-plugin
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | High
41 | False
42 | true
43 | https://fake.endpoint.com/
44 | false
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/src/test/resources/projects/valid-project/failOnVulnWithTruePom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | MyTestProject
7 | 1.0.0
8 |
9 | Mosec Maven Plugin Test Project
10 |
11 |
12 |
13 |
14 | com.alibaba
15 | fastjson
16 | 1.2.33
17 |
18 |
19 | junit
20 | junit
21 | 4.13
22 | test
23 |
24 |
25 |
26 |
27 |
28 |
29 | com.immomo.momosec
30 | mosec-maven-plugin
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | High
41 | True
42 | true
43 | https://fake.endpoint.com/
44 | false
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/src/test/resources/projects/valid-project/onlyAnalyzeWithEndpointPom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | MyTestProject
7 | 1.0.0
8 |
9 | Mosec Maven Plugin Test Project
10 |
11 |
12 |
13 |
14 | com.alibaba
15 | fastjson
16 | 1.2.33
17 |
18 |
19 | junit
20 | junit
21 | 4.13
22 | test
23 |
24 |
25 |
26 |
27 |
28 |
29 | com.immomo.momosec
30 | mosec-maven-plugin
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | High
41 | False
42 | true
43 | true
44 | https://fake.endpoint.com/
45 | false
46 |
47 |
48 |
49 |
50 |
51 |
--------------------------------------------------------------------------------
/src/test/resources/projects/valid-project/onlyAnalyzeWithoutEndpointPom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | MyTestProject
7 | 1.0.0
8 |
9 | Mosec Maven Plugin Test Project
10 |
11 |
12 |
13 |
14 | com.alibaba
15 | fastjson
16 | 1.2.33
17 |
18 |
19 | junit
20 | junit
21 | 4.13
22 | test
23 |
24 |
25 |
26 |
27 |
28 |
29 | com.immomo.momosec
30 | mosec-maven-plugin
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | High
41 | False
42 | true
43 | true
44 | false
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/src/test/resources/projects/valid-project/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | MyTestProject
7 | 1.0.0
8 |
9 | Mosec Maven Plugin Test Project
10 |
11 |
12 |
13 |
14 | com.alibaba
15 | fastjson
16 | 1.2.33
17 |
18 |
19 | junit
20 | junit
21 | 4.13
22 | test
23 |
24 |
25 |
26 |
27 |
28 |
29 | com.immomo.momosec
30 | mosec-maven-plugin
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | High
41 | False
42 | true
43 | https://fake.endpoint.com/
44 | false
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/src/test/resources/projects/vuln-project/pom.xml:
--------------------------------------------------------------------------------
1 |
3 | 4.0.0
4 |
5 | com.immomo.momosec
6 | VulnProject
7 | 1.0.0
8 |
9 | Mosec Maven Plugin Vuln Project
10 |
11 |
12 |
13 |
14 | com.alibaba
15 | fastjson
16 | 1.2.33
17 |
18 |
19 |
20 |
21 |
22 |
23 | com.immomo.momosec
24 | mosec-maven-plugin
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 | High
35 | False
36 | true
37 | https://fake.endpoint.com/
38 | false
39 |
40 |
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/static/remote-configuration.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/static/remote-configuration.jpg
--------------------------------------------------------------------------------
/static/usage.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/8be2bc7765759b2bf13f6dec5de45cb21b2ed66a/static/usage.jpg
--------------------------------------------------------------------------------