
jensdietrich/xshady


xshady – a collection of proof-of-vulnerabilities for common vulnerabilities in Java

This repo contains some projects that demonstrate the presence of known vulnerabilities in libraries. This can be used as input for security analyses of related libraries. A key feature is that the vulnerabilities are testable, and the projects follow a structure that makes them easy to refactor if the analysis requires it. Projects also contain the reports produced by some SCA tools -- these can be used to check those tools for soundness / recall, using the testable projects as oracles.

Project Structure

Each project is named CVE*, uses the standard Maven repository layout, and has a single test. If this test succeeds, the vulnerability referred to by the CVE in the name is present.

The pom.xml defines / should define the Java version to be used by setting the <maven.compiler.target> and <maven.compiler.source> properties; in most cases this is set to 11.

Some tests have additional requirements with respect to Java version and OS; these are enforced by JUnit preconditions. When a precondition fails, the respective test(s) are skipped. The presence of a vulnerability is therefore shown by all tests passing, not merely by no test failing: a successful mvn test run is not sufficient, and the surefire reports (in target/surefire) must be inspected to ensure that no test was skipped.

Each project points to a vulnerability in a Maven artifact. This artifact can be found in the dependency section of pom.xml. Note that there is always an additional dependency on junit5, which is used for testing.
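The oracle rule above (vulnerability present only if at least one test ran and none failed, errored or were skipped) is easy to get wrong by eyeballing mvn output, so here is an added example, not part of the repo, that applies the rule to Surefire's TEST-*.xml reports. It assumes the Surefire default report directory target/surefire-reports; the sample reports are constructed for illustration.

```python
"""Classify an xshady project from its Surefire XML reports (added example)."""
import glob
import os
import xml.etree.ElementTree as ET


def classify_suite(xml_text: str) -> tuple:
    """Return (verdict, reason) for one Surefire TEST-*.xml report.

    verdict is 'present' (all tests passed), 'absent' (a test failed or
    errored) or 'inconclusive' (nothing ran, or a JUnit precondition
    caused a skip, so the report says nothing about the vulnerability).
    """
    suite = ET.fromstring(xml_text)          # Surefire's root element is <testsuite>
    if suite.tag != "testsuite":
        return "inconclusive", "no <testsuite> root element"
    count = lambda attr: int(suite.get(attr, "0"))
    if count("tests") == 0:
        return "inconclusive", "no tests were executed"
    if count("skipped") > 0:
        skipped = [tc.get("name") for tc in suite.iter("testcase")
                   if tc.find("skipped") is not None]
        return "inconclusive", "skipped (precondition not met): " + ", ".join(skipped)
    if count("failures") > 0 or count("errors") > 0:
        return "absent", f"{count('failures')} failure(s), {count('errors')} error(s)"
    return "present", f"all {count('tests')} test(s) passed"


def classify_project(project_dir: str) -> dict:
    """Classify every report under <project>/target/surefire-reports (assumed default)."""
    pattern = os.path.join(project_dir, "target", "surefire-reports", "TEST-*.xml")
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            results[os.path.basename(path)] = classify_suite(fh.read())
    return results


# Constructed sample reports (hypothetical test class, not from the repo).
PASSED = ('<testsuite name="CVEExampleTest" tests="1" errors="0" skipped="0" failures="0">'
          '<testcase name="vulnerable" classname="CVEExampleTest" time="0.1"/></testsuite>')
SKIPPED = ('<testsuite name="CVEExampleTest" tests="1" errors="0" skipped="1" failures="0">'
           '<testcase name="vulnerable" classname="CVEExampleTest" time="0">'
           '<skipped message="requires Java 11"/></testcase></testsuite>')
FAILED = ('<testsuite name="CVEExampleTest" tests="1" errors="0" skipped="0" failures="1">'
          '<testcase name="vulnerable" classname="CVEExampleTest" time="0.1">'
          '<failure message="not vulnerable"/></testcase></testsuite>')

if __name__ == "__main__":
    for label, report in (("passed", PASSED), ("skipped", SKIPPED), ("failed", FAILED)):
        print(label, classify_suite(report))
```

Run classify_project("CVE-xxxx-yyyy") after mvn test to get a per-report verdict; anything other than "present" means the project must not be counted as a positive oracle.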

Running Software Composition Security Analyses

The projects can be used to test various SCA tools as follows:

Dependabot

The analysis is run on GitHub; check the Dependabot result page for the projects detected as being vulnerable.

OWASP Dependency Check

To run the check locally via the CLI, follow the instructions to install the tool, then run the following command from a terminal after changing into the project folder:

dependency-check -scan . -f CSV (some other output formats are supported as well)

Scan results are committed to the repo; the reports are generated by running

dependency-check -scan . -f JSON -o scan-results/dependency-check -prettyPrint

and are available in <project>/scan-results/dependency-check/.

For Maven projects, you can use the Dependency Check Maven plugin with this command: mvn org.owasp:dependency-check-maven:8.2.1:check -Dformat=json -DprettyPrint=true -Dodc.outputDirectory=scan-results/dependency-check

Snyk

Follow the instructions to install snyk, then run snyk auth before using it for the first time.

After successful authentication, run snyk test in each project folder.

Scan results are committed to the repo; the reports are generated by running

snyk test --json --json-file-output=scan-results/snyk/snyk-report.json

and are available in <project>/scan-results/snyk/.

IntelliJ IDEA 2022.2 (Ultimate Edition) / CheckMarx

IntelliJ has built-in support for detecting vulnerable dependencies. To run this analysis, load the respective projects into the IDE, then click on the project's pom.xml and run Analyze > Show Vulnerable Dependencies. This displays a view listing the vulnerable dependencies.

This functionality is based on Checkmarx.

Eclipse Steady

Set up the Eclipse Steady backend (database servers / web frontend) as described in the guide; this requires docker-compose. CLI and Maven plugin analysis clients are available, as described below.

Maven plugin

Change to the <project> directory, run the analysis using mvn org.eclipse.steady:plugin-maven:3.2.5:app, and then generate the report by running mvn org.eclipse.steady:plugin-maven:3.2.5:report -Dvulas.report.reportDir=$(pwd)/scan-results/steady

CLI

Update ./steady-cli/steady-custom.properties for the project to be analysed: set the property vulas.core.app.sourceDir to the absolute path of the <project> directory. Download the project's dependencies by running mvn dependency:copy-dependencies. Then change to the ./steady-cli directory and run:

java -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app

This runs the analysis and posts the data to the backend. The reports are generated by running

java -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report

and are available in ./steady-cli/vulas/report.

The report directory can be changed by modifying the property vulas.report.reportDir in ./steady-cli/steady-custom.properties

A Note on Reproducibility

The security tools use an evolving database, so re-running a scan may generally return more vulnerabilities than reported. Check the respective reports for metadata such as tool versions, and the commit dates for the database that was used.