Showing
8 changed files
with
233 additions
and
1 deletion.
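--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,34 @@
+name: ci
+
+on:
+push:
+schedule:
+- cron: '0 9 * * *' # Run every day at 9am UTC
+
+jobs:
+build:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Set up JDK 18 for x64
+uses: actions/setup-java@v3
+with:
+java-version: '18'
+distribution: 'temurin'
+architecture: x64
+
+- name: Install
+run: mvn -B clean install
+
+- name: Package
+run: mvn package
+
+- name: Install FOSSA CLI
+run: |
+curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+- name: Check FOSSA CLI Version
+run: fossa -V
+
+- name: Run Analysis (in debug mode) (and output mode)
+run: fossa analyze -o --debug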
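Review bot: The `Install FOSSA CLI` step pipes `install-latest.sh`, fetched from the unversioned `master` branch, straight into `bash`, so each scheduled run executes whatever that script contains at that moment with no release pin or checksum, and because the `curl` call lacks `-f`/`--fail`, an HTTP error body would be executed the same way. Pinning the installer to a tagged release, fetching it with `curl -fsSL`, and pinning `actions/setup-java@v3` and `actions/checkout@v4` to commit SHAs narrows that exposure. The workflow also declares no `permissions:` block, so the job token receives the repository's default scopes; a top-level `permissions:` with `contents: read` is sufficient for these steps, since `fossa analyze -o` only writes results locally. If the unpinned installer is deliberate so the example always tracks the latest CLI, a comment on that step saying so would make the trade-off explicit.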
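--- /dev/null
+++ b/<PATH NOT SHOWN: ignore file>
@@ -0,0 +1,4 @@
+target
+fossa.debug.json
+fossa.debug.json.gz
+fossa.telemetry.json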
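--- /dev/null
+++ b/<PATH NOT SHOWN: editor settings JSON>
@@ -0,0 +1,3 @@
+{
+"java.configuration.updateBuildConfiguration": "interactive"
+}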
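--- a/<PATH NOT SHOWN: README>
+++ b/<PATH NOT SHOWN: README>
@@ -1 +1,23 @@
-# reachability-with-maven-example
+# reachability-with-maven-example
+
+This repository includes example project for reachability walkthrough.
+
+- You will need jdk8+ installed (`java` must be in PATH)
+- You will need maven installed (`mvn` must be in PATH)
+
+```bash
+# Install fossa-cli
+; curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+
+# Check fossa-cli version
+; fossa --version
+
+# Build project (required)
+; mvn package
+
+# Run Analysis
+# Docs: https://github.com/fossas/fossa-cli
+; fossa analyze --project reachability-with-maven-example --fossa-api-key MY_FOSSA_API_KEY
+```
+
+You can also refer to example in our [CI](./.github/workflows/ci.yml).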
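--- /dev/null
+++ b/<PATH NOT SHOWN: Maven POM>
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>com.example.app</groupId>
+<artifactId>example</artifactId>
+<version>1.1</version>
+<name>example-artifact-name</name>
+<url>https://fossa.com</url>
+
+<properties>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+<maven.compiler.source>1.8</maven.compiler.source>
+<maven.compiler.target>1.8</maven.compiler.target>
+</properties>
+
+<licenses>
+<license>
+<name>Apache License, Version 2.0</name>
+<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+<distribution>repo</distribution>
+<comments>A business-friendly OSS license</comments>
+</license>
+</licenses>
+
+<repositories>
+<repository>
+<snapshots>
+<enabled>false</enabled>
+</snapshots>
+<id>central</id>
+<name>Maven Repository Switchboard</name>
+<url>http://repo1.maven.org/maven2</url>
+</repository>
+</repositories>
+
+<dependencies>
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.11</version>
+<scope>test</scope>
+</dependency>
+<dependency> <!-- has cve -->
+<groupId>org.dom4j</groupId>
+<artifactId>dom4j</artifactId>
+<version>2.1.0</version>
+</dependency>
+<dependency> <!-- has cve -->
+<groupId>com.google.guava</groupId>
+<artifactId>guava</artifactId>
+<version>28.1-jre</version>
+</dependency>
+
+</dependencies>
+
+<build>
+<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+<plugins>
+<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+<plugin>
+<artifactId>maven-clean-plugin</artifactId>
+<version>3.1.0</version>
+</plugin>
+<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+<plugin>
+<artifactId>maven-resources-plugin</artifactId>
+<version>3.0.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-compiler-plugin</artifactId>
+<version>3.8.0</version>
+</plugin>
+<plugin>
+<artifactId>maven-surefire-plugin</artifactId>
+<version>2.22.1</version>
+</plugin>
+<plugin>
+<artifactId>maven-jar-plugin</artifactId>
+<version>3.0.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-install-plugin</artifactId>
+<version>2.5.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-deploy-plugin</artifactId>
+<version>2.8.2</version>
+</plugin>
+<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+<plugin>
+<artifactId>maven-site-plugin</artifactId>
+<version>3.7.1</version>
+</plugin>
+<plugin>
+<artifactId>maven-project-info-reports-plugin</artifactId>
+<version>3.0.0</version>
+</plugin>
+</plugins>
+</pluginManagement>
+</build>
+</project>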
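Review bot: The `<repository>` entry with `<id>central</id>` points at `http://repo1.maven.org/maven2`, which overrides the super-POM's HTTPS definition of Central and turns every artifact download into a cleartext fetch open to substitution in transit. Maven Central stopped serving plain HTTP in January 2020 and Maven 3.8.1+ blocks `http://` repositories by default, so this entry is likely to make the `mvn -B clean install` step in the CI workflow fail outright rather than merely weaken it. Change the line to `<url>https://repo1.maven.org/maven2</url>`, or drop the `<repositories>` block since the default Central definition already covers it. The `<!-- has cve -->` markers on dom4j and guava read as intentional for the reachability demo and are not re-flagged here.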
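--- /dev/null
+++ b/<PATH NOT SHOWN: App.java>
@@ -0,0 +1,28 @@
+package com.example.app;
+
+import java.net.URI;
+import java.net.URL;
+import com.example.app.utils.SomeOtherReader;
+
+// org.dom4j (CVE-2020-10683)
+// ---------------------------
+// dom4j before 2.0.3 and 2.1.x before 2.1.3 allows
+// external DTDs and External Entities by default, which might enable XXE attacks
+import org.dom4j.Document;
+import org.dom4j.DocumentException;
+import org.dom4j.io.SAXReader;
+
+public class App
+{
+public static void main(String[] args) throws Exception {
+URL url = new URI(args[0]).toURL();
+System.out.println(parse(url));
+System.out.println(SomeOtherReader.parse(url));
+}
+
+public static Document parse(URL url) throws DocumentException {
+SAXReader reader = new SAXReader();
+Document document = reader.read(url);
+return document;
+}
+}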
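Review bot: `parse` constructs `SAXReader` with default settings and hands it a URL taken from `args[0]`, so the XXE exposure the import comment (CVE-2020-10683) describes is live in the new code rather than merely referenced, and since `new URI(args[0]).toURL()` accepts any scheme the input may also be a `file:` URL. If leaving the reader unhardened is the point of the reachability demo, state it at the call site so the snippet is not copied as-is, e.g. `// Intentionally unhardened: the default SAXReader keeps the CVE-2020-10683 path reachable for the demo.` The hardened form would be `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `reader.read(url)`; it throws `SAXException`, which `parse` would then need to declare. `main` also indexes `args[0]` without checking `args.length`, so a run with no argument ends in `ArrayIndexOutOfBoundsException` instead of a usage message.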
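--- /dev/null
+++ b/<PATH NOT SHOWN: SomeOtherReader.java>
@@ -0,0 +1,25 @@
+package com.example.app.utils;
+
+import java.net.URL;
+import org.dom4j.Document;
+import org.dom4j.DocumentException;
+import org.dom4j.jaxb.JAXBReader;
+import com.google.common.io.Files;
+import com.google.common.base.Charsets;
+import java.io.File;
+
+public class SomeOtherReader
+{
+@SuppressWarnings("deprecation")
+public static Document parse(URL url) throws DocumentException, java.io.IOException {
+// Example usage of com.google.common.io.*
+File addrFile = new File("config.txt");
+String missingFileContent = Files.toString(addrFile, Charsets.UTF_8);
+System.out.println(missingFileContent);
+
+// Example usage of org.dom4j.jaxb.JAXBReader
+JAXBReader reader = new JAXBReader("some context path that is incorrect");
+Document document = reader.read(url);
+return document;
+}
+}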
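Review bot: `Files.toString(addrFile, Charsets.UTF_8)` throws `FileNotFoundException` when `config.txt` is absent from the working directory, even though the variable name `missingFileContent` suggests absence is the expected case; because `App.main` calls this method last, that exception aborts the run after the first document has already been printed, and when the file does exist its full content is echoed to stdout. If the read exists only to reference a guava API for the demo, say so, e.g. `// Reads config.txt from the CWD only to exercise com.google.common.io.Files; a missing file ends the run with FileNotFoundException.` Otherwise guard it with `if (addrFile.isFile())` or handle the `IOException` locally. The non-deprecated equivalent is `Files.asCharSource(addrFile, Charsets.UTF_8).read()`, which would also let the `@SuppressWarnings("deprecation")` go.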
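--- /dev/null
+++ b/<PATH NOT SHOWN: AppTest.java>
@@ -0,0 +1,12 @@
+package com.example.app;
+import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+
+public class AppTest
+{
+@Test
+public void shouldAnswerWithTrue()
+{
+assertTrue(true);
+}
+}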
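Review bot: `shouldAnswerWithTrue` asserts a literal `true`, so the test passes without touching `App` or `SomeOtherReader` and the `mvn package` step gives no signal about either parser. If it exists only so that surefire has something to run, a one-line comment would stop it being read as coverage, e.g. `// Placeholder so surefire runs; App's parsers are not exercised here.` Otherwise replace the body with an assertion on `App.parse` over a small XML file under the test resources.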