This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha release of the victims client for Java hopes to fill this gap. The victims client for Java is a simple command line tool that presently has the ability to scan jar files, directories, and pom.xml files for known vulnerabilities. It also allows you to synchronize with the victims project infrastructure and control local settings.
Getting started with the victims client for Java is relatively simple.
- Download the alpha release of the victims tool.
- Build it using the 'mvn clean package' command. You need to have a Java SDK >= 1.5 and Maven installed on your machine.
- Run it: by default, the victims client for Java will compile into a standalone .jar file. This means that you can launch it from the build directory by running '$ java -jar target/victims-client-1.0-SNAPSHOT-standalone.jar'
To simplify the examples we can create an alias:
mkdir ~/.victims
cp target/victims-client*-standlone.jar ~/.victims
alias victims='java -jar $HOME/.victims/victims-client-1.0-SNAPSHOT-standalone.jar'
The goal of this release has been to present a small subset of capabilities to users with the aim of figuring out what additional features people require. The rest of this article will focus on the various use cases for the client tool.
The first and most important step when using the client is to synchronize with the victims Embedded Vulnerability Detection (EVD) service. This will download all the vulnerability definitions from the remote service, which can take a while. To do this you need to specify the '--update' flag when running the client. Specifying '--update' on subsequent runs of the tool will check to make sure that no additional updates are available.
# Getting updates
$ victims --update
Updating EVD definitions:
# Checking last update time
$ victims --db-status
Database last updated on: Mon Dec 16 14:37:48 EST 2013
With the database up to date, it is now possible to scan jar files. If the victims client for Java test ran during the build, then you should have some example files that you can run the scans against in the '.testdata' directory.
To run a scan against a single jar file, simply provide the file name:
$ victims .testdata/org/springframework/spring/2.5.6/spring-2.5.6.jar
.testdata/org/springframework/spring/2.5.6/spring-2.5.6.jar VULNERABLE! CVE-2009-1190 CVE-2011-2730 CVE-2010-1622
You can also recursively scan a directory for known vulnerable artifacts:
# Warning - this will take a while..
$ victims --recursive ~/.m2
/home/gm/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar VULNERABLE! CVE-2012-5783
/home/gm/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar VULNERABLE! CVE-2009-2625
(etc..)
If you use Maven to build your projects, you can also run the victims client for Java across your entire source directory. Any pom.xml files that are detected will have all dependency Group, Artifact, and Version (GAV) information cross checked against the victims database entries.
That covers the main use cases of the tool. We are looking for alpha testers to help improve the capabilities and iron out any bugs. If you do take the time to test this project out, please give us feedback via raising issues on Github, contacting us on #victi.ms on freenode, or via the development mailing list.
Sull'autore
Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.
Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.
Altri risultati simili a questo
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit