
momosecurity / mosec-maven-plugin

Licence: Apache-2.0 license
Checks whether the third-party dependencies of a maven project contain known security vulnerabilities.


MOSEC-MAVEN-PLUGIN


This project is a derivative of snyk-maven-plugin.

About us

Website: https://security.immomo.com

WeChat:


Requirements

Maven >= 3.1

Installation

Add the plugin repository to pom.xml (project-level installation)

<!-- pom.xml -->

<pluginRepositories>
  <pluginRepository>
      <id>gh</id>
      <url>https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/master/mvn-repo/</url>
  </pluginRepository>
</pluginRepositories>

Add the plugin repository to the maven configuration (global installation)

<!-- settings.xml -->

<!-- adding a pluginGroup shortens the command-line invocation -->
<pluginGroups>
    <pluginGroup>com.immomo.momosec</pluginGroup>
</pluginGroups>

<profiles>
    <profile>
      <id>momo-plugin</id>
      <pluginRepositories>
        <pluginRepository>
            <id>gh</id>
            <url>https://raw.githubusercontent.com/momosecurity/mosec-maven-plugin/master/mvn-repo/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
</profiles>

<activeProfiles>
    <activeProfile>momo-plugin</activeProfile>
</activeProfiles>

Usage

First start the MOSEC-X-PLUGIN Backend

Command line

> cd your_maven_project_dir/

> MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
  mvn com.immomo.momosec:mosec-maven-plugin:1.0.7:test \
  -DonlyProvenance=true \
  -Dseverity=High

# or, in short form

> MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
  mvn mosec:test -DonlyProvenance=true -Dseverity=High

In a project

<!-- pom.xml -->

<plugins>
    <plugin>
        <groupId>com.immomo.momosec</groupId>
        <artifactId>mosec-maven-plugin</artifactId>
        <version>1.0.8</version>
        <executions>
            <execution>
                <id>test</id>
                <goals>
                    <goal>test</goal>  <!-- runs during the test phase -->
                </goals>
            </execution>
        </executions>
        <configuration>
            <endpoint>http://127.0.0.1:9000/api/plugin</endpoint>
            <severityLevel>High</severityLevel>
            <onlyProvenance>true</onlyProvenance>
            <failOnVuln>true</failOnVuln>
        </configuration>
    </plugin>
</plugins>

Help

> mvn mosec:help -Ddetail=true

mosec:test

  Available parameters:

    endpoint
      上报API
      User property: endpoint

    failOnVuln (Default: true)
      发现漏洞即编译失败
      User property: failOnVuln

    includeProvidedDependency (Default: false)
      是否包含Provided Scope依赖
      User property: includeProvidedDependency

    onlyAnalyze (Default: false)
      仅分析依赖,不上报
      User property: onlyAnalyze

    onlyProvenance (Default: false)
      仅检查直接依赖
      User property: onlyProvenance

    outputDepToFile (Default: )
      输出依赖树到文件。设置-DonlyAnalyze=true仅输出依赖树,否则输出依赖树及漏洞检查结果
      User property: outputDepToFile

    severityLevel (Default: High)
      威胁等级 [High|Medium|Low]
      User property: severity

Example output

Take the project src/test/resources/projects/vuln-project as an example.

The [WARNING] section lists the vulnerability warnings: Path: is the dependency chain that pulls in the vulnerable component, and Fix version is the version of the component that is safe to upgrade to.

The process exits with 1 when a vulnerability is found, and with 0 when no problem is found.

(screenshot: usage)

How detection works

MOSEC-MAVEN-PLUGIN uses the aether-api provided by the org.apache.maven:maven-core component to extract the dependencies and build the dependency tree.

This approach accurately extracts the dependencies a maven project actually uses, together with their resolved versions.

The resulting dependency tree is handed to the MOSEC-X-PLUGIN-BACKEND detection service, which scans it and returns the result.

For the data structures involved, see the MOSEC-X-PLUGIN-BACKEND README.md.
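The collection step described above, as an added example that is not code from mosec-maven-plugin: a minimal Mojo (hypothetical goal name deptree) asks Maven's Aether RepositorySystem for the project's dependency graph and walks it, applying the onlyProvenance and includeProvidedDependency filters that the help output documents. The node versions it prints are the conflict-mediated ones Maven will actually build with, which is why a vulnerability check should work from this tree rather than from the raw pom.xml.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.maven.RepositoryUtils;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.*;
import org.apache.maven.project.MavenProject;
import org.eclipse.aether.*;
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.collection.*;
import org.eclipse.aether.graph.*;
@Mojo(name = "deptree") // hypothetical goal written for this example; not code from mosec-maven-plugin
public class DepTreeMojo extends AbstractMojo {
    @Parameter(defaultValue = "${project}", readonly = true, required = true)
    private MavenProject project;
    @Parameter(defaultValue = "${repositorySystemSession}", readonly = true)
    private RepositorySystemSession session;
    @Component
    private RepositorySystem repoSystem;
    // The two filter switches from the plugin's help output, reimplemented here for illustration.
    @Parameter(property = "onlyProvenance", defaultValue = "false") private boolean onlyProvenance;
    @Parameter(property = "includeProvidedDependency", defaultValue = "false") private boolean includeProvidedDependency;
    public void execute() throws MojoExecutionException {
        // Collect the graph for the declared dependencies. Maven's session applies its usual conflict
        // mediation, so each node carries the version that really ships: the one to match against a vuln DB.
        CollectRequest req = new CollectRequest();
        for (org.apache.maven.model.Dependency d : project.getDependencies()) {
            req.addDependency(RepositoryUtils.toDependency(d, session.getArtifactTypeRegistry()));
        }
        req.setRepositories(project.getRemoteProjectRepositories());
        final List<String> coords = new ArrayList<>();
        try {
            repoSystem.collectDependencies(session, req).getRoot().accept(new DependencyVisitor() {
                int depth = 0; // 0 = synthetic root, 1 = direct dependencies, deeper = transitive
                public boolean visitEnter(DependencyNode n) {
                    Artifact a = n.getArtifact();
                    String scope = a == null ? null : n.getDependency().getScope();
                    if (a != null && (includeProvidedDependency || !"provided".equals(scope))) {
                        coords.add(a.getGroupId() + ":" + a.getArtifactId() + ":" + a.getVersion() + " (" + scope + ")");
                    }
                    return ++depth <= 1 || !onlyProvenance; // onlyProvenance: do not descend below direct deps
                }
                public boolean visitLeave(DependencyNode n) { depth--; return true; }
            });
        } catch (DependencyCollectionException e) {
            throw new MojoExecutionException("dependency collection failed", e);
        }
        for (String c : coords) getLog().info(c); // this flattened tree is what a backend would be handed
    }
}
```

Bind the goal in a plugin project with maven-plugin-api, maven-core and maven-plugin-annotations on the classpath, then run it the same way the page runs mosec:test, passing -DonlyProvenance or -DincludeProvidedDependency to see the filters take effect.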

Development

Remote-debugging the Maven plugin from IntelliJ

1. Install mosec-maven-plugin into your local Maven repository

2. git clone the mosec-maven-plugin source code

3. Open the mosec-maven-plugin project in IntelliJ, create a new Remote Configuration and fill in the following information

(screenshot: remote-configuration)

4. In another maven project, run the following command

> mvnDebug com.immomo.momosec:mosec-maven-plugin:1.0.8:test

5. Back in IntelliJ, set a breakpoint and start debugging
