victims / victims-enforcer-legacy
A rule for the Maven enforcer plugin to check for vulnerable artifacts within a project.

License: GNU Affero General Public License v3.0

Python 8.33% Java 91.61% FreeMarker 0.06%

victims-enforcer-legacy's People

Contributors

abn, ashcrow, dfj, gcmurphy, jarst, jasinner, rnc, seanf

victims-enforcer-legacy's Issues

Log configuration coming from system properties, not just rule params

When a config item like the database URL is modified in the rule configuration, enforcer outputs log information, but when the same config item is configured via a system property, there is no logging.

Worse still, if both values have been set, the database config from the rule is logged, but it is the system property which takes precedence!

By the way, you might find it helpful to integrate the logging for victims-lib-java and victims-enforcer.

zanata-maven-plugin uses com.pyx4j:maven-plugin-log4j plus org.slf4j:slf4j-log4j12 to allow generic (non-Maven) code in zanata-client-commands to log to Maven's log system by using slf4j calls.

See https://github.com/zanata/zanata-client/blob/client-3.4.0/zanata-maven-plugin/src/main/java/org/zanata/maven/ConfigurableMojo.java#L106 for the setup code.

Maven 3 incompatibility? NoSuchMethodError for DependencyTreeBuilder.buildDependencyTree

I'm seeing a strange error with DependencyTreeBuilder.buildDependencyTree(MavenProject project, ArtifactRepository repository, ArtifactFilter filter) which is used in DependencyTreeCollector. Is this just something local to me? Have others been successfully using Maven 3 and Victims?

Running the enforcer plugin under Maven 3 (3.1.1-14 from Fedora in my case) results in the below. The build completes successfully, but no warnings are thrown even when I include a known bad JAR (spring 2.5.6):

java.lang.NoSuchMethodError: org.apache.maven.shared.dependency.tree.DependencyTreeBuilder.buildDependencyTree(Lorg/apache/maven/project/MavenProject;Lorg/apache/maven/artifact/repository/ArtifactRepository;Lorg/apache/maven/artifact/resolver/filter/ArtifactFilter;)Lorg/apache/maven/shared/dependency/tree/DependencyNode;
        at com.redhat.victims.DependencyTreeCollector.gatherArtifacts(ArtifactCollector.java:103)
        at com.redhat.victims.BaseArtifactCollector.getArtifacts(ArtifactCollector.java:83)
        at com.redhat.victims.VictimsRule.execute(VictimsRule.java:88)
        at org.apache.maven.plugins.enforcer.EnforceMojo.execute(EnforceMojo.java:190)
        at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:106)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:317)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:152)
        at org.apache.maven.cli.MavenCli.execute(MavenCli.java:555)
        at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:214)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)

Path to the victimized dependency

Is it possible to print the path to the victimized dependency when it fails the build due to a vulnerability, instead of only the name of the dependency?
In some cases it is very difficult to find this dependency.

Update documentation

Github readme implies using -Djsse.enableSNIExtension is required, but that is not required by default as I understand (as the default uses "https://victi.ms").

Also default baseURL doc is incorrect.

Possible to run in maven 2

Currently if you run this in maven 2 you get the error of:

[ERROR] FATAL ERROR
[INFO] ------------------------------------------------------------------------
[INFO] org.codehaus.plexus.component.configurator.BasicComponentConfigurator cannot be cast to org.codehaus.plexus.component.configurator.ComponentConfigurator
[INFO] ------------------------------------------------------------------------

Is it possible to rearrange the project to work with maven 2?

Override updates on command line

Is it possible to override the updates value in the pom configuration on the command line, other than by changing the pom to use a property? e.g. so I can do
mvn -Dupdates=offline .....

license change

Change to AGPL to be compatible with other victims projects

victims-enforcer does not detect any vulnerabilities with maven-enforcer-plugin 1.3.1

When using version 1.3.1 of the maven-enforcer-plugin, the victims-enforcer plugin at first appears to work, and it synchronizes with the on-line victi.ms database, but then it fails to detect any vulnerabilities that it really is supposed to detect.

When running mvn with the -e and -X options, the following lines are shown:

[DEBUG] Base pom.xml artifacts - 0
[DEBUG] With reactor project artifacts - 0

Apparently, it does not detect any artifacts at all, vulnerable or not.

Steps to reproduce:

  1. Add a vulnerable dependency to the pom, such as:

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring</artifactId>
            <version>2.5.6</version>
        </dependency>
    
  2. Configure the pom to use version 1.3.1 of the maven-enforcer-plugin.

  3. Run either mvn clean install or mvn clean package

Expected result:

"VULNERABILITY DETECTED" should be shown

Actual result:

No vulnerabilities are reported after synchronizing with the database.

Workaround:

Downgrade maven-enforcer-plugin to version 1.3 (it appears to work fine with that version).

Create best practice guidance for configuration of victims-enforcer and modules

A project that uses modules and reactor doesn't seem to play well with the enforcer plugin. For example - https://github.com/ryanzhang/jboss-bpm-example-app.

Although I've successfully got enforcer to be invoked for each subproject for Wildfly the project above does not work unless you configure victims for each of the child poms.

I need to determine why enforcer is not being invoked and make either the corresponding code change or document how to use the plugin with a nested project structure.

Has this plugin been obsoleted by the OWASP Dependency-Check plugin?

Dear developers,

First of all, thank you for developing this useful tool.

However, I haven't noticed much activity in this project lately. In fact, with the exception of pull request #33 a few weeks ago, there hasn't been any activity (whether new issues or commits) in years.

Given the fact that there is also the OWASP Dependency-Check Maven plugin, how useful is the victims-enforcer plugin these days? Would there be any increased security by using both plugins side by side, for instance? Given the fact that both plugins need to be configured differently (particularly the proxy settings), which complicates maintenance of our POMs, would such effort still be justified?

Or has the OWASP plugin made the victims-enforcer plugin completely obsolete and redundant?

Are there any known vulnerabilities in the Red Hat Victims database that are not also categorized in the CVE database(s) accessed by the OWASP Dependency-Check plugin?

Please understand that this is not meant to disparage your hard work or to troll you. I genuinely appreciate your important work! But I'd really like to know if it's still worth it to go through the effort of configuring the victims-enforcer plugin in our projects, even though it appears to have been receiving little maintenance lately and there is an alternative out there.

Thanks.

Allow scope-level configuration

Allow the mode of operation (warning|fatal|disabled) to be configurable based on the dependency scope of the vulnerable artifact. The configuration interface could be implemented a few ways. Off the top of my head, a good way might be to add a "scope" attribute to the "fingerprint" and "metadata" elements. For example, to say that all vulnerable artifacts detected by fingerprint are "fatal" unless they're in the test scope, in which case they are "warning":

<fingerprint>fatal</fingerprint>
<fingerprint scope="test">warning</fingerprint>

i.e. without the scope attribute, the setting applies to all scopes that do not have an explicit setting.

For background:

http://post-office.corp.redhat.com/archives/jboss-integration-platform-developers/2014-May/msg00042.html

Path to the victimized dependency

Is it possible to print the path to the victimized dependency when it fails the build due to a vulnerability?
In some cases it is very difficult to find this dependency.

Failed to run behind proxy

When running behind proxy I get an error building sample project with command:
mvn clean package -Djsse.enableSNIExtension=false

[INFO]
+=========================+
|VICTIMS-ENFORCER SETTINGS|
+=========================+
fingerprint = fatal
updates = auto
metadata = warning

[INFO] Last update was on Thu Jan 01 00:00:00 CST 1970. Checking for new vulnerabilities at http://www.victi.ms/
[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Failed to sync database

Maven settings are set to recognize proxy and work fine otherwise,

Add weekly updates option

For frequent builds (especially with CI) daily updates might be overkill. Weekly might provide a middle ground.

Signature not found

The enforcer does not catch the following case.

Configuration:

<project ...>

    <dependencies>
        <!-- Struts 2 -->
        <dependency>
            <groupId>org.apache.struts</groupId>
            <artifactId>struts2-core</artifactId>
            <version>2.1.6</version>
        </dependency>

    </dependencies>
</project>

Scan:

$ mvn verify
[...]
[INFO]
+=========================+
|VICTIMS-ENFORCER SETTINGS|
+=========================+
metadata     = warning
fingerprint  = fatal
updates      = auto

[INFO] Last update was on Mon May 04 17:01:16 EDT 2015. Checking for new vulnerabilities at
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.542 s
[INFO] Finished at: 2015-05-04T17:05:46-04:00
[INFO] Final Memory: 19M/360M
[INFO] ------------------------------------------------------------------------

It should be marked as vulnerable due to the following CVEs:
2014-0094, 2013-4316, 2013-2251...

"Alternative" maven plugin / approach

Hi victims team,
I am actively using the victims-cve-db; unfortunately the enforcer plugin failed on most of my tests. I have created an alternative maven plugin that does verification directly based on versions rather than the intermediary hashes.

I am posting this mainly for full disclosure. I am not looking to do a fork or create something bigger. If the victims team is interested, it could become a "official" victims client.

Small differences/additions:

  • No dependency to victi.ms website
  • No configuration needed
  • HTML report

java.lang.NoSuchMethodError: org.apache...DependencyTreeBuilder.buildDependencyTree

Hi,

I get the error below when I try to run a maven package:

java.lang.NoSuchMethodError: org.apache.maven.shared.dependency.tree.DependencyTreeBuilder.buildDependencyTree(Lorg/apache/maven/project/MavenProject;Lorg/apache/maven/artifact/repository/ArtifactRepository;Lorg/apache/maven/artifact/resolver/filter/ArtifactFilter;)Lorg/apache/maven/shared/dependency/tree/DependencyNode;
at com.redhat.victims.DependencyTreeCollector.gatherArtifacts(ArtifactCollector.java:103)
at com.redhat.victims.BaseArtifactCollector.getArtifacts(ArtifactCollector.java:83)
at com.redhat.victims.VictimsRule.execute(VictimsRule.java:88)
at org.apache.maven.plugins.enforcer.EnforceMojo.execute(EnforceMojo.java:190)

I am using m2e 1.4.1.20140328-1905.

Better error reporting for failed database setup

Currently, if the database setup fails, the rule does not report the root cause. An example message would be as shown below. We probably need to improve this a bit.

[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Could not create a VictimsSQL instance.

Please install a more reliable SSL certificate for https://victi.ms

Currently, the official Victims database at https://victi.ms uses an SSL certificate issued by StartCom. By default, Java does not have the root certificate for this CA included in its Keystore (neither Java 6 nor Java 7), and as a result the victims-enforcer will fail to synchronize with the on-line database. When running mvn with the -e and -X options, the underlying SSLHandshakeException can be seen.

Please replace the SSL certificate with one from a more reputable source. Not just because Java does not have its root certificate bundled in its keystore by default, but also because StartCom is a company that is distrusted by many people. A crucial security service such as the Red Hat Victims database ought to have a solid SSL certificate, preferably an EV certificate from a more trusted issuer.

Steps to reproduce:

Run mvn clean install or mvn clean package with either the default implied baseUrl, or explicitly with https://victi.ms or https://www.victi.ms as the baseUrl.

Expected behavior:

The victims-enforcer should successfully synchronize with the database.

Actual behavior:

Maven fails with the following message:

[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Failed to sync database

Workaround:

Configure the non-SSL http://victi.ms as the baseUrl.

Also, I noticed that the Common Name (CN) in the StartCom certificate is "www.victi.ms" (with a www prefix), which appears inconsistent with https://victi.ms, the baseUrl that we are told to use (and which is currently the default, if I'm not mistaken). Browsers don't appear to have an issue with it, but I'm reporting this additional finding anyway.
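The workaround in the report above, switching baseUrl to plain http, trades one failure for a worse one: the vulnerability database is then fetched with no transport integrity at all, so anyone on the path can serve a database that omits entries and the build passes silently. The script below is an added example by the editor, not code from victims-enforcer: it keeps https, seeds a dedicated truststore from the JDK's own cacerts (so repository downloads over TLS keep working once the JVM is pointed at the new store), and adds only a CA certificate that was obtained and verified out of band. The host name, store path and the "changeit" password are assumptions for the example; openssl and keytool must be on PATH and JAVA_HOME must point at the JDK Maven runs with.

```shell
#!/bin/sh
# Trust the victims database's CA explicitly instead of downgrading the sync
# to plain http.  Example script added by the editor, not part of
# victims-enforcer.  Assumes openssl and keytool are on PATH and JAVA_HOME is
# the JDK that runs Maven.

VICTIMS_HOST="${VICTIMS_HOST:-victi.ms}"                     # assumed host
TRUSTSTORE="${TRUSTSTORE:-$PWD/victims-truststore.jks}"      # assumed path
STOREPASS="changeit"   # the JDK cacerts default; the copy below inherits it

# Locate the JDK's bundled cacerts (lib/security on JDK 9+, jre/lib/security on
# older JDKs) so the new store keeps every root Maven already relies on.
cacerts_path() {
    jh="${1:?JAVA_HOME required}"
    for cand in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
        if [ -f "$cand" ]; then printf '%s' "$cand"; return 0; fi
    done
    return 1
}

# Print the chain the server presents, PEM encoded, so it can be inspected
# (issuer, CN/SANs, validity) before anything is trusted.  Nothing from this
# output is imported automatically.
fetch_chain() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Seed the dedicated store from cacerts, then add the one CA certificate that
# was obtained and verified out of band (PEM file passed as argument).
build_truststore() {
    ca_pem="$1"
    cp "$(cacerts_path "$JAVA_HOME")" "$TRUSTSTORE"
    keytool -importcert -noprompt -trustcacerts -alias victims-ca \
        -file "$ca_pem" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# JVM flags that make Maven's JVM use the dedicated store for every TLS
# connection (this replaces the default cacerts, hence the seeding above).
truststore_opts() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Usage:
#   fetch_chain "$VICTIMS_HOST" | openssl x509 -noout -subject -issuer   # inspect the leaf
#   build_truststore /path/to/verified-ca.pem
#   MAVEN_OPTS="$(truststore_opts "$TRUSTSTORE" "$STOREPASS")" mvn clean package
```

Because javax.net.ssl.trustStore replaces the JVM's default store rather than adding to it, importing into a copy of cacerts is what keeps Maven Central and any other https repository resolvable; pointing the JVM at a store that holds only the victims CA would break those downloads. Adding the CA to the JDK's own cacerts in place works too, but it then affects every Java process on the machine.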

Database Sync Error

Database sync errors should not fail the enforcer build e.g. if the victims infrastructure is undergoing an issue this is not a 'failure' for the artifact build - this leads to a false negative.
We have seen one issue with this on jenkins (from @EricWittmann )

+=========================+
|VICTIMS-ENFORCER SETTINGS|
+=========================+
fingerprint  = fatal
updates      = daily
metadata     = warning

[INFO] Last update was on Thu Jan 01 00:00:00 EST 1970. Checking for new vulnerabilities at http://www.victi.ms/
[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Failed to sync database

Victims-enforcer not detecting dependency-of-dependency

Original email thread:

Hi Guys

Sorry if I am being daft or missing something here, but I'm running into a problem with victims. If I take the following project:

https://github.com/ryanzhang/jboss-bpm-example-app

And add the victims-enforcer plugin to the POM, then run mvn package, no vulnerable deps are found. However, the built artifact includes camel-core 2.5.0, which is in the victims DB. If I add that dependency directly to the root POM:

        <dependency>
            <groupId>org.apache.camel</groupId>
            <artifactId>camel-core</artifactId>
            <version>2.5.0</version>
        </dependency>

Then it is detected. Any ideas?

Hey David,

You're not daft there is something funky going on here with how they use
modules. I've got victims enforcer to work correctly with wildfly before
(who also use modules) so I'm going to have to track down what the
problem is.

I'll let you know what I find.

  • Grant.

MalformedJsonException: Unterminated string

If you rely on external content that can be invalid it is hard to break the build.
On the other hand it is a severe problem if you want to have a guarantee that the build is OK and actually checked that there are no severe vulnerabilities.
IMHO you should however add an option to your MOJO that allows it to just log a fat ERROR message but proceed with the build. Otherwise you allow externals to block your build process, which is also a vulnerability.
For now I recommend having victims always in a profile not triggered by default.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:1.1.1:enforce (enforce-victims-rule) on project ****: Execution enforce-victims-rule of goal org.apache.maven.plugins:maven-enforcer-plugin:1.1.1:enforce failed: com.google.gson.stream.MalformedJsonException: Unterminated string at line 75 column 112806 -> [Help 1]

Sync does not use system configured proxy

I have an issue that the plugin does not seem to use the system-configured http_proxy. I've tested setting it in the environment in several ways, but it seems that it is not used unless you define it on the command line.

FAILING:

mvn clean package -Djsse.enableSNIExtension=false
[INFO] Last update was on Tue Sep 24 09:27:01 CEST 2013. Checking for new vulnerabilities at http://www.victi.ms/
[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Failed to sync database
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD ERROR

WORKING:

mvn clean package -Djsse.enableSNIExtension=false -Dhttp.proxyHost=proxy1.example.com -Dhttp.proxyPort=8181

SETUP:

env | grep proxy
http_proxy=http://proxy1.example.com:8181/
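Both proxy reports on this page (this one and "Failed to run behind proxy" above) show the same pattern: the sync fails when only Maven's settings or the shell's http_proxy variable are set, and works once -Dhttp.proxyHost/-Dhttp.proxyPort are passed on the command line, i.e. the Java HTTP client behind the sync only honours the JVM proxy system properties. The script below is an added example by the editor, not code from victims-enforcer; it derives those properties (http.proxyHost, http.proxyPort, https.proxyHost, https.proxyPort, http.nonProxyHosts) from the usual environment variables so they can be exported once via MAVEN_OPTS. The proxy URL and no_proxy values in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Translate http_proxy / https_proxy / no_proxy into the JVM system properties
# that Java's HTTP client honours, so the victims sync uses the same proxy as
# everything else on the host.  Example added by the editor; not part of
# victims-enforcer.  Proxy values shown in the usage comment are constructed.

# Reduce a proxy URL to "host[:port]": drop the scheme, any user:pass@ part
# and any trailing path.  (IPv6 literals in brackets are not handled.)
proxy_hostport() {
    url="$1"
    hp="${url#*://}"     # drop "http://"
    hp="${hp##*@}"       # drop "user:pass@" if present
    hp="${hp%%/*}"       # drop "/..." suffix
    printf '%s' "$hp"
}

# Emit -D<prefix>.proxyHost/-D<prefix>.proxyPort for prefix "http" or "https";
# an absent port defaults to 80, as the Java property expects a number.
proxy_java_opts() {
    prefix="$1"; url="$2"
    [ -n "$url" ] || return 0
    hp=$(proxy_hostport "$url")
    host="${hp%:*}"
    port="${hp##*:}"
    [ "$port" != "$hp" ] || port=80
    printf '%s' "-D${prefix}.proxyHost=${host} -D${prefix}.proxyPort=${port}"
}

# no_proxy is comma separated and uses a leading dot for domain suffixes;
# Java's http.nonProxyHosts is '|' separated and needs "*.example.com".
nonproxy_java_opts() {
    list="$1"
    [ -n "$list" ] || return 0
    out=$(printf '%s' "$list" | tr -d ' ' | tr ',' '|' \
          | sed -e 's/^\./*./' -e 's/|\./|*./g')
    printf '%s' "-Dhttp.nonProxyHosts=${out}"
}

# Combine the three into one MAVEN_OPTS string; empty inputs contribute nothing.
build_maven_opts() {
    opts=""
    for part in "$(proxy_java_opts http "$1")" \
                "$(proxy_java_opts https "$2")" \
                "$(nonproxy_java_opts "$3")"; do
        if [ -n "$part" ]; then opts="${opts:+$opts }$part"; fi
    done
    printf '%s' "$opts"
}

# Usage in a CI wrapper (constructed values, matching the report above):
#   http_proxy=http://proxy1.example.com:8181/ no_proxy=localhost,.internal.example.com
#   export MAVEN_OPTS="$(build_maven_opts "${http_proxy:-}" "${https_proxy:-}" "${no_proxy:-}")"
#   mvn clean package
```

Putting the flags in MAVEN_OPTS rather than on each mvn invocation means the same JVM settings reach the enforcer rule, the repository downloads and any other plugin that opens its own HTTP connection. Note that http.nonProxyHosts governs https connections as well.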

Unable to build the included sample vulnerable project

$ git rev-parse HEAD
63342aff3de82b3ad7789911605e56f579593569
$ mvn clean compile jar:jar -U
...
[WARNING] The POM for com.redhat.victims:enforce-victims-rule:jar:1.3.4-SNAPSHOT is missing, no dependency information available
Downloading: http://repository.apache.org/snapshots/com/redhat/victims/enforce-victims-rule/1.3.4-SNAPSHOT/enforce-victims-rule-1.3.4-SNAPSHOT.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.984 s
[INFO] Finished at: 2017-12-11T12:42:30+05:30
[INFO] Final Memory: 12M/293M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:1.3.1:enforce (enforce-victims-rule) on project sample: Execution enforce-victims-rule of goal org.apache.maven.plugins:maven-enforcer-plugin:1.3.1:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:1.3.1 or one of its dependencies could not be resolved: Could not find artifact com.redhat.victims:enforce-victims-rule:jar:1.3.4-SNAPSHOT in apache.snapshots (http://repository.apache.org/snapshots) -> [Help 1]

The key error message is Could not find artifact com.redhat.victims:enforce-victims-rule:jar:1.3.4-SNAPSHOT in apache.snapshots.

Here is a patch to fix this build problem,

diff --git a/sample/pom.xml b/sample/pom.xml
index d2f161f..d31d429 100644
--- a/sample/pom.xml
+++ b/sample/pom.xml
@@ -49,7 +49,7 @@
           <dependency>
             <groupId>com.redhat.victims</groupId>
             <artifactId>enforce-victims-rule</artifactId>
-            <version>1.3.4-SNAPSHOT</version>
+            <version>1.3.4</version>
           </dependency>
         </dependencies>
         <executions>
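Review bot: replacing `<version>1.3.4-SNAPSHOT</version>` with `<version>1.3.4</version>` only fixes the sample if a 1.3.4 release of com.redhat.victims:enforce-victims-rule is actually published to a repository the sample resolves from; the failing log above shows the lookup going to apache.snapshots alone, so confirm the release coordinates resolve from a clean ~/.m2 before merging. The pin also decouples sample/pom.xml from the rule code in this tree, so a change to the rule is no longer exercised by the sample unless this version is bumped; the alternatives are to keep the SNAPSHOT reference and document that `mvn install` at the repository root must run first, or to drive the version from a property so CI can point the sample at the just-built artifact.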

Handle multiple CVEs in output

[INFO] The dependency spring-2.5.6 matches a vulnerability recorded in the victims database. [[CVE-2009-1190, CVE-2011-2730, CVE-2010-1622]]
[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:

+=======================+
|VULNERABILITY DETECTED!|
+=======================+
For more information visit https://access.redhat.com/security/cve/[CVE-2009-1190, CVE-2011-2730, CVE-2010-1622]

The first occurrence looks alright apart from the extract brackets. For the CVE links, it might be handy to list them as a list of click-able URIs.
