wip: add example

.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: ci
+
+on:
+    push:
+    schedule:
+      - cron: '0 9 * * *'  # Run every day at 9am UTC
+
+jobs:
+    build:  
+      runs-on: ubuntu-latest
+      steps:
+          - uses: actions/checkout@v4
+          - name: Set up JDK 18 for x64
+            uses: actions/setup-java@v3
+            with:
+                java-version: '18'
+                distribution: 'temurin'
+                architecture: x64
+
+          - name: Install
+            run: mvn -B clean install
+
+          - name: Package
+            run: mvn package
+
+          - name: Install FOSSA CLI
+            run: |
+                curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+
+          - name: Check FOSSA CLI Version
+            run: fossa -V
+
+          - name: Run Analysis (in debug mode) (and output mode)
+            run: fossa analyze -o --debug

.gitignore

@@ -0,0 +1,4 @@
+target
+fossa.debug.json
+fossa.debug.json.gz
+fossa.telemetry.json

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "java.configuration.updateBuildConfiguration": "interactive"
+}

README.md

@@ -1 +1,23 @@
-# reachability-with-maven-example
+# reachability-with-maven-example
+
+This repository includes example project for reachability walkthrough.
+
+- You will need jdk8+ installed (`java` must be in PATH)
+- You will need maven installed (`mvn` must be in PATH)
+
+```bash
+# Install fossa-cli
+; curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+
+# Check fossa-cli version
+; fossa --version
+
+# Build project (required)
+; mvn package
+
+# Run Analysis
+# Docs: https://github.com/fossas/fossa-cli
+; fossa analyze --project reachability-with-maven-example --fossa-api-key MY_FOSSA_API_KEY
+```
+
+You can also refer to example in our [CI](./.github/workflows/ci.yml).

pom.xml

@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example.app</groupId>
+  <artifactId>example</artifactId>
+  <version>1.1</version>
+  <name>example-artifact-name</name>
+  <url>https://fossa.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+
+  <licenses>
+    <license>
+      <name>Apache License, Version 2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+      <distribution>repo</distribution>
+      <comments>A business-friendly OSS license</comments>
+    </license>
+  </licenses>
+
+  <repositories>
+    <repository>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>central</id>
+      <name>Maven Repository Switchboard</name>
+      <url>http://repo1.maven.org/maven2</url>
+    </repository>
+  </repositories>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency> <!-- has cve -->
+      <groupId>org.dom4j</groupId>
+      <artifactId>dom4j</artifactId>
+      <version>2.1.0</version>
+    </dependency>
+    <dependency> <!-- has cve -->
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>28.1-jre</version>
+    </dependency>
+
+  </dependencies>
+
+  <build>
+    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+      <plugins>
+        <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+        <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>

src/main/java/com/example/app/App.java

@@ -0,0 +1,28 @@
+package com.example.app;
+
+import java.net.URI;
+import java.net.URL;
+import com.example.app.utils.SomeOtherReader;
+
+// org.dom4j (CVE-2020-10683)
+// ---------------------------
+// dom4j before 2.0.3 and 2.1.x before 2.1.3 allows 
+// external DTDs and External Entities by default, which might enable XXE attacks
+import org.dom4j.Document;
+import org.dom4j.DocumentException;
+import org.dom4j.io.SAXReader;
+
+public class App 
+{
+    public static void main(String[] args) throws Exception {
+        URL url = new URI(args[0]).toURL();
+        System.out.println(parse(url));
+        System.out.println(SomeOtherReader.parse(url));
+    }
+
+    public static Document parse(URL url) throws DocumentException {
+        SAXReader reader = new SAXReader();
+        Document document = reader.read(url);
+        return document;
+    }
+}

src/main/java/com/example/app/utils/SomeOtherReader.java

@@ -0,0 +1,25 @@
+package com.example.app.utils;
+
+import java.net.URL;
+import org.dom4j.Document;
+import org.dom4j.DocumentException;
+import org.dom4j.jaxb.JAXBReader;
+import com.google.common.io.Files;
+import com.google.common.base.Charsets;
+import java.io.File;
+
+public class SomeOtherReader 
+{
+    @SuppressWarnings("deprecation")
+    public static Document parse(URL url) throws DocumentException, java.io.IOException {
+        // Example usage of com.google.common.io.*
+        File addrFile = new File("config.txt");
+        String missingFileContent = Files.toString(addrFile, Charsets.UTF_8);
+        System.out.println(missingFileContent);
+
+        // Example usage of org.dom4j.jaxb.JAXBReader
+        JAXBReader reader = new JAXBReader("some context path that is incorrect");
+        Document document = reader.read(url);
+        return document;
+    }
+}

src/test/java/com/example/app/AppTest.java

@@ -0,0 +1,12 @@
+package com.example.app;
+import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+
+public class AppTest 
+{
+    @Test
+    public void shouldAnswerWithTrue()
+    {
+        assertTrue(true);
+    }
+}