Skip to content

jensdietrich/xshady

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

xshady - – a collection of proof-of-vulnerabilities for common Vulnerabilities in Java

This repo contains some projects that demonstrate the presence of some known vulnerabilities in libraries. This can be used as input for security analyses in related libraries. A key feature is that the vulnerabilities are testable, and the projects follow a structure that makes them easy to refactor if the analysis requires it. Projects also contain the reports produced by some SCA tools -- this can be used to check those tools for soundness / recall , using the testable projects as oracles.

Project Structure

Each project is named CVE*, uses the standard Maven repository layout, and has a single test. If this test succeeds, the vulnerability refered to by the CVE in the name is present.

The pom.xml defines / should define the Java version to be used by setting the <maven.compiler.target> and <maven.compiler.source> properties, in most case this is set to 11.

Some tests may have additional requirements wrt Java version and OS, those are enforced by JUNit preconditions. When those fail, the respective test(s) will be skipped. I.e. the presence of a vulnerability is shown by all tests passing, and not by none of the tests failing. I.e. mvn test succeeded is not sufficient, surefire reports (in target/surefire) must be inspected to ensure that no test was skipped.

Each project points to a vulnerability in a Maven artifact. This artifact can be found in the dependency section in pom.xml. Note that there is always an additional dependency to junit5 which is used for testing.

Running Software Composition Security Analyses

The projects can be used to test various SCA tools as follows:

Dependabot

The analysis is run on GitHub, check the dependabopt result page for the projects detected as being vulnerable.

OWASP Dependency Check

To run the check locally via the CLI, follow instructions to install the tool, the run the following command from a terminal after CDiing into the project folder:

dependency-check -scan . -f CSV (some other output formats are supported as well)

Scan results are committed to the repo, the reports are generated by running

dependency-check -scan . -f JSON -o scan-results/dependency-check -prettyPrint

and are available in <project>/scan-results/dependency-check/.

For Maven projects, you can use the Dependency Check Maven plugin with this command: mvn org.owasp:dependency-check-maven:8.2.1:check -Dformat=json -DprettyPrint=true -Dodc.outputDirectory=scan-results/dependency-check

Snyk

Follow the instructions to install snyk, then run snyk auth before using it for the first time.

After succesful authentication, run snyk test in each project folder.

Scan results are committed to the repo, the reports are generated by running

snyk test --json --json-file-output=scan-results/snyk/snyk-report.json

and are available in <project>/scan-results/snyk/.

IntelliJ IDEA 2022.2 (Ultimate Edition) / CheckMarx

IntelliJ has built-in support to detect vulnerable dependencies. To run this analysis requires to load the respective projects into the IDE. Then click on the project's pom.xml, and run Analyze > Show Vulnerable Dependencies. This will display a view with vulnerable dependencies.

This functionality is based on checkmarx.

Eclipse Steady

Setup the Eclipse Steady backend (database servers/web frontend) as described in the guide, which requires docker-compose. CLI and maven plugin analysis clients are available, as described below.

Maven plugin

Change to the <project> directory and run the analysis using mvn org.eclipse.steady:plugin-maven:3.2.5:app and then generate the report by running mvn org.eclipse.steady:plugin-maven:3.2.5:report -Dvulas.report.reportDir=$(pwd)/scan-results/steady

CLI

Then update, ./steady-cli/steady-custom.properties for the project to be analysed. To do this, update the value of the property, vulas.core.app.sourceDir. This value should be the absolute path to the <project> directory for analysis. Download dependencies for the project by running mvn dependency:copy-dependencies. Then change to the directory ./steady-cli and run:

java -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app

This runs the analysis and posts the data to the backend. The reports are generated by running

java -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report

and are available in ./steady-cli/vulas/report.

The report directory can be changed by modifying the property, vulas.report.reportDir in ``./steady-cli/steady-custom.properties`

A Note on Reproducibility

The security tools use an evolving database, so generally, re-running a scan may return more vulnerabilties than reported. Check the respective reports for meta data such as versions, and the commit dates for the database that was used.