PMD
PMD is a source code analyzer, but it also ships a Copy/Paste Detector (CPD). https://maven.apache.org/plugins/maven-pmd-plugin/index.html
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-pmd-plugin</artifactId>
        <version>3.11.0</version>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
              <goal>cpd-check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      ...
    </plugins>
  </build>
</project>
Reference
- https://maven.apache.org/plugins/maven-pmd-plugin/plugin-info.html
- https://maven.apache.org/plugins/maven-pmd-plugin/examples/violationChecking.html
- https://docs.sonarqube.org/display/PLUG/Importing+SpotBugs%2C+FindSecBugs%2C+PMD%2C+Checkstyle+Issues+Reports
OWASP Dependency Check
Scans the project's dependencies for known CVEs against the National Vulnerability Database (NVD).
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.3.4</version>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      ...
    </plugins>
  </build>
</project>
SpotBugs
"SpotBugs is a program to find bugs in Java programs. It looks for instances of “bug patterns” — code instances that are likely to be errors." https://spotbugs.readthedocs.io/en/latest/introduction.html
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <build>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>3.1.7</version>
        <configuration>
          <effort>Max</effort>
          <threshold>Low</threshold>
          <failOnError>true</failOnError>
          <includeFilterFile>${project.basedir}/spotbugs-security-include.xml</includeFilterFile>
          <excludeFilterFile>${project.basedir}/spotbugs-security-exclude.xml</excludeFilterFile>
          <plugins>
            <plugin>
              <groupId>com.h3xstream.findsecbugs</groupId>
              <artifactId>findsecbugs-plugin</artifactId>
              <version>LATEST</version> <!-- Auto-update to the latest stable -->
            </plugin>
          </plugins>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
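The POM above points at two filter files that the post does not show. The following is an added example (not from the original post or the Find Security Bugs project) of a minimal pair: the include filter limits reporting to the SECURITY bug category, so only security findings can fail the build, while the exclude filter suppresses a hypothetical generated-code package and one pattern in a hypothetical test class (the package and class names are assumptions).

```xml
<!-- spotbugs-security-include.xml: report only security findings.
     With threshold=Low and effort=Max in the POM, every finding in this
     category, whatever its confidence, will fail the build. -->
<FindBugsFilter>
  <Match>
    <Bug category="SECURITY"/>
  </Match>
</FindBugsFilter>

<!-- spotbugs-security-exclude.xml: documented suppressions only.
     Each Match below is an assumption for illustration; keep the list
     short and reviewable, since anything matched here is never reported. -->
<FindBugsFilter>
  <!-- Hypothetical generated sources (e.g. code generators) that are not
       hand-maintained; "~" makes the name a regular expression. -->
  <Match>
    <Package name="~com\.example\.generated.*"/>
  </Match>
  <!-- Hypothetical test helper that seeds java.util.Random on purpose;
       suppress only that one pattern for that one class, not the whole
       class, so other security findings in it still surface. -->
  <Match>
    <Class name="com.example.test.FixtureRandom"/>
    <Bug pattern="PREDICTABLE_RANDOM"/>
  </Match>
</FindBugsFilter>
```

Because `includeFilterFile` is applied first, a finding must match the include filter and not match the exclude filter to be reported.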
Reference
- https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration
- https://spotbugs.readthedocs.io/en/latest/maven.html
- https://find-sec-bugs.github.io/tutorials.htm
BDD
"The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAP, SSLyze and Tenable's Nessus scanner." https://github.com/continuumsecurity/bdd-security
# Test App
$ wget https://github.com/continuumsecurity/RopeyTasks/raw/master/ropeytasks.jar
$ java -jar ropeytasks.jar
# Download the framework and run its test suite
$ git clone https://github.com/continuumsecurity/bdd-security.git
$ ./gradlew