Merge branch 'master' into slicing

Author: serenaponta

.github/ISSUE_TEMPLATE/bug_report.md

@@ -27,8 +27,8 @@ In case of bugs happening on the client (when performing scans):
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 
-**Vulas version**
-- Vulas version (release and commit)
+**Steady version**
+- Steady version (release and commit)
 
 **In case of bugs in a Web frontend**
 - Browser type and version [e.g. chrome, safari]
@@ -37,7 +37,7 @@ A clear and concise description of what you expected to happen.
 **In case of bugs happening on the client (when performing scans)**
 - OS/version
 - Java JVM/version or Python version
-- Vulas client (Maven plugin, Gradle plugin, CLI, setuptools plugin)
+- Steady client (Maven plugin, Gradle plugin, CLI, setuptools plugin)
 - Console log(s) (with confidential information removed)
 - URL of a public repo that can be used for reproducing (minimal example if possible)
 

.gitignore

@@ -40,3 +40,6 @@ kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/files/t
 /docker/**/import_vulas_kb.sh
 google-java-format-*.jar
 .DS_Store
+docker/kb-importer/data/**
+**/*.buildinfo
+docker/kb-importer/data/**

.pipeline/config.yml

@@ -31,7 +31,7 @@ Files: lib/changedistiller-0.0.4-SNAPSHOT.jar
 Copyright: 2011-2013 Software Architecture and Evolution Lab, Department of Informatics, UZH
 License: Apache-2.0
 
-Files: lib/dependency-finder-1.2.1-beta5.jar
+Files: lib/dependency-finder-1.2.1-beta5-log4j.jar
 Copyright: 2001-2009 Jean Tessier
 License: BSD-3-Clause
 

.reuse/dep5

@@ -1,5 +1,5 @@
-# Vulas
-VULAS_RELEASE=3.2.0-SNAPSHOT
+# Eclipse Steady
+VULAS_RELEASE=3.2.1-SNAPSHOT
 VULAS_ENV=dev
 
 # PostgreSQL

.travis/.env

@@ -22,7 +22,7 @@ vulas.core.instr.sourceDir =
 vulas.core.instr.targetDir = vulas/target
 vulas.core.instr.includeDir = vulas/include
 vulas.core.instr.libDir = vulas/lib
-vulas.core.instr.instrumentorsChoosen = com.sap.psr.vulas.monitor.trace.SingleTraceInstrumentor
+vulas.core.instr.instrumentorsChoosen = org.eclipse.steady.java.monitor.trace.SingleTraceInstrumentor
 vulas.core.instr.searchRecursive = true
 
 vulas.report.reportDir = vulas/report

.travis/vulas-custom.properties.sample

@@ -17,13 +17,25 @@ spec:
       value: "-Duser.home=/home/jenkins -Xmx4096m -Xms4096m"
     - name: "MAVEN_CONFIG"
       value: "/home/jenkins/.m2"
+    - name: "GNUPGHOME"
+      value: "/home/jenkins/.gnupg"
     volumeMounts:
     - name: settings-xml
       mountPath: /home/jenkins/.m2/settings.xml
       subPath: settings.xml
       readOnly: true
+    - name: toolchains-xml
+      mountPath: /home/jenkins/.m2/toolchains.xml
+      subPath: toolchains.xml
+      readOnly: true
+    - name: settings-security-xml
+      mountPath: /home/jenkins/.m2/settings-security.xml
+      subPath: settings-security.xml
+      readOnly: true
     - name: m2-repo
       mountPath: /home/jenkins/.m2/repository
+    - name: gnupg-vol
+      mountPath: /home/jenkins/.gnupg
     resources:
       limits:
         memory: "4Gi"
@@ -38,27 +50,91 @@ spec:
       items:
       - key: settings.xml
         path: settings.xml
+  - name: toolchains-xml
+    configMap:
+      name: m2-dir
+      items:
+      - key: toolchains.xml
+        path: toolchains.xml
+  - name: settings-security-xml
+    secret:
+      secretName: m2-secret-dir
+      items:
+      - key: settings-security.xml
+        path: settings-security.xml
   - name: m2-repo
     emptyDir: {}
+  - name: gnupg-vol
+    emptyDir: {}
 """
     }
   }
   stages {
-    stage('Check') {
+    // Verifies compliance with Google's Java Style Guide (cf.
+    // https://eclipse.github.io/steady/contributor/#contribution-content-guidelines).
+    stage('Verify Coding Style and REUSE compliance') {
       steps {
         container('maven') {
-          sh 'mvn -P gradle -Dvulas.shared.m2Dir=/home/jenkins/agent/workspace -Dspring.standalone \
-              -Dspotbugs.excludeFilterFile=findbugs-exclude.xml -Dspotbugs.includeFilterFile=findbugs-include.xml \
-              -Dspotbugs.failOnError=true -DskipTests clean install com.github.spotbugs:spotbugs-maven-plugin:4.0.4:check'
+          sh 'reuse lint'
+          sh 'bash .travis/check_code_style.sh'
         }
       }
     }
-
+    // Verifies that the -javadoc and -sources artifacts can be generated (by enabling the
+    // javadoc profile contained in three pom.xml files). Also verifies that the build
+    // is reproducible, and that Spotbugs checks do not fail (cf.
+    // https://eclipse.github.io/steady/contributor/#contribution-content-guidelines).
+    stage('Create javadoc + sources, Verify Spotbugs and Reproducibility') {
+      steps {
+        container('maven') {
+          sh 'mvn -B -e -P gradle,javadoc \
+                  -Dspring.standalone \
+                  -DskipTests \
+                  -Dvulas.shared.m2Dir=/home/jenkins/agent/workspace \
+                  -Dspotbugs.excludeFilterFile=findbugs-exclude.xml \
+                  -Dspotbugs.includeFilterFile=findbugs-include.xml \
+                  -Dspotbugs.failOnError=true \
+                  clean install com.github.spotbugs:spotbugs-maven-plugin:4.2.3:check'
+          sh 'mvn -B -e -P gradle,javadoc \
+                  -Dspring.standalone \
+                  -DskipTests \
+                  -Dreference.repo=https://repo.maven.apache.org/maven2 \
+                  clean verify'
+          sh 'cat target/root-*.buildinfo.compare'
+          sh 'grep ko=0 target/root-*.buildinfo.compare' // Fail if JARs are different
+        }
+      }
+    }
+    // Verifies that all tests pass (except for expensive patch analyses).
     stage('Test') {
       steps {
         container('maven') {
-          sh 'mvn -P gradle -Dvulas.shared.m2Dir=/home/jenkins/agent/workspace -Dspring.standalone \
-              -Dit.test="!IT01_PatchAnalyzerIT, IT*, *IT, *ITCase" -DfailIfNoTests=false clean test'
+          sh 'mvn -B -e -P gradle \
+                  -Dspring.standalone \
+                  -Dvulas.shared.m2Dir=/home/jenkins/agent/workspace \
+                  -Dit.test="!IT01_PatchAnalyzerIT,IT*,*IT" \
+                  -DfailIfNoTests=false \
+                  clean test'
+        }
+      }
+    }
+    // GPG signs all artifacts and deploys them on Maven Central. See here for
+    // additional info: https://www.jenkins.io/doc/book/pipeline/syntax/,
+    // https://wiki.eclipse.org/Jenkins
+    stage('Release on Central') {
+      // when { branch "sign-releases" }
+      when { tag "release-*" }
+      steps {
+        container('maven') {
+          echo "Branch [${env.BRANCH_NAME}], tag [${env.TAG_NAME}]"
+          withCredentials([file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')]) {
+            sh 'gpg --batch --import "${KEYRING}"'
+            sh 'for fpr in $(gpg --list-keys --with-colons  | awk -F: \'/fpr:/ {print $10}\' | sort -u); do echo -e "5\ny\n" |  gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; done'
+          }
+          sh 'mvn -B -e -P gradle,javadoc,release \
+                  -Dspring.standalone \
+                  -DskipTests \
+                  clean deploy'
         }
       }
     }

Jenkinsfile

@@ -8,7 +8,7 @@
 [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE.txt)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](CONTRIBUTING.md)
 [![Build Status](https://travis-ci.org/eclipse/steady.svg?branch=master)](https://travis-ci.org/eclipse/steady)
-[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.sap.research.security.vulas/plugin-maven/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.sap.research.security.vulas/plugin-maven)
+[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.eclipse.steady/plugin-maven/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.eclipse.steady/plugin-maven)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4202/badge)](https://bestpractices.coreinfrastructure.org/projects/4202)
 [![REUSE status](https://api.reuse.software/badge/github.com/eclipse/steady)](https://api.reuse.software/info/github.com/eclipse/steady)
 
@@ -73,7 +73,6 @@ Due to the current lack of an authentication and authorization mechanism, it is
 Other limitations:
 
 - Static and dynamic analyses are not implemented for Python
-- Static analysis for Java is only supported until Java 8
 - Java 9 multi-release archives are not supported (classes below `META-INF/versions` are simply ignored)
 
 ## Todo (upcoming changes)

README.md

@@ -26,13 +26,13 @@
 	<parent>
 		<groupId>org.eclipse.steady</groupId>
 		<artifactId>root</artifactId>
-		<version>3.2.0-SNAPSHOT</version>
+		<version>3.2.1-SNAPSHOT</version>
 	</parent>
 	<artifactId>cli-scanner</artifactId>
 	<packaging>jar</packaging>
 
-	<name>Command Line Interface</name>
-	<description></description>
+	<name>steady-cli-scanner</name>
+	<description>Steady Command Line Interface</description>
 
 	<properties>
 		<maven.deploy.skip>false</maven.deploy.skip>

cli-scanner/pom.xml

@@ -1,5 +1,5 @@
-# Vulas
-VULAS_RELEASE=3.2.0-SNAPSHOT
+# Eclipse Steady
+VULAS_RELEASE=3.2.0
 VULAS_ENV=prod
 
 # *** MANDATORY SETTINGS ***
@@ -35,3 +35,6 @@ no_proxy=
 
 # kb-importer update cron expression
 KB_IMPORTER_CRON=0 0 * * *
+KB_IMPORTER_STATEMENTS_FOLDER=statements
+KB_IMPORTER_STATEMENTS_REPO=https://github.com/sap/project-kb
+KB_IMPORTER_STATEMENTS_BRANCH=vulnerability-data

docker/.env.sample

@@ -1,4 +1,4 @@
-FROM maven:3-jdk-8-alpine
+FROM maven:3-adoptopenjdk-11
 
 LABEL maintainer="[email protected]"
 
@@ -7,15 +7,17 @@ WORKDIR /vulas
 ARG http_proxy
 ARG https_proxy
 
-RUN apk update && apk add ca-certificates wget && update-ca-certificates
+RUN apt-get update
 
-RUN apk add --no-cache python3 git && \
-    python3 -m ensurepip && \
-    rm -r /usr/lib/python*/ensurepip && \
-    pip3 install --upgrade pip setuptools && \
-    if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi && \
-    if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi && \
-    rm -r /root/.cache
+RUN apt-get install -y ca-certificates wget && update-ca-certificates
+
+RUN apt-get install -y python3 python3-pip git
+    
+RUN python3 -m pip install --upgrade pip setuptools && \
+    python3 -m pip install requests virtualenv
+
+RUN if [ ! -e /usr/local/bin/pip ]; then ln -s pip3    /usr/local/bin/pip ; fi && \
+    if [ ! -e /usr/bin/python ];    then ln -s python3 /usr/bin/python; fi
 
 ENV ANT_OPTS="-Dhttp.proxyHost=${HTTP_PROXY_HOST} -Dhttp.proxyPort=${HTTP_PROXY_PORT}"
 

docker/Dockerfile

@@ -1,4 +1,4 @@
-version: '2'
+version: '2.4'
 
 services:
   frontend-apps:
@@ -41,15 +41,6 @@ services:
         - VULAS_RELEASE=${VULAS_RELEASE}
     image: steady-rest-lib-utils:${VULAS_RELEASE}
 
-  patch-analyzer:
-    build:
-      context: ./patch-analyzer
-      dockerfile: ./Dockerfile
-      args:
-        - VULAS_RELEASE=${VULAS_RELEASE}
-    image: steady-patch-analyzer:${VULAS_RELEASE}
-    entrypoint: /bin/sleep 1
-
   kb-importer:
     build:
       context: ./kb-importer

docker/docker-compose.build.yml

@@ -1,4 +1,4 @@
-version: '2'
+version: '2.4'
 
 services:
   frontend-apps:
@@ -25,7 +25,7 @@ services:
     container_name: steady-haproxy
     hostname: haproxy
     env_file: .env
-    image: haproxy:alpine
+    image: haproxy:2.3-alpine
     ports:
       - "8033:8080"
       - "8034:7070"
@@ -68,14 +68,14 @@ services:
     hostname: postgresql
     image: postgres:11-alpine
     environment:
+      - POSTGRES_DB=vulas
       - POSTGRES_USER=${POSTGRES_USER}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - POSTGRES_DB=vulas
       - PGDATA=/var/lib/postgresql/data
     ports:
       - "8032:5432"
     volumes:
-      - vulnerability-assessment-tool-postgres-data:/var/lib/postgresql/data
+      - steady-postgres-data:/var/lib/postgresql/data
       - ./postgresql/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d:ro
     security_opt:
       - no-new-privileges
@@ -93,6 +93,7 @@ services:
     environment:
       - DELAY_STARTUP=5
       - vulas.shared.cia.serviceUrl=http://cia:8092/cia
+      - vulas.shared.cve.serviceUrl=https://services.nvd.nist.gov/rest/json/cve/1.0/<ID>
       - spring.datasource.username=${POSTGRES_USER}
       - spring.datasource.password=${POSTGRES_PASSWORD}
     links:
@@ -153,4 +154,4 @@ services:
     restart: always
 
 volumes:
-  vulnerability-assessment-tool-postgres-data:
+  steady-postgres-data:

docker/docker-compose.yml

@@ -1,14 +1,24 @@
-FROM openjdk:8-jre-alpine
+FROM openjdk:11-jre-slim
 
 LABEL maintainer="[email protected]"
 
 ARG VULAS_RELEASE
 
-RUN apk --no-cache add openssl wget tar git
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        openssl wget tar git cron bash gettext\
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false
+
 WORKDIR /kb-importer
-RUN wget https://github.com/SAP/project-kb/releases/download/v0.6.17/kaybee-0.6.17_linux-amd64 -O kaybee
+
+RUN wget https://github.com/SAP/project-kb/releases/download/v0.6.18/kaybee-0.6.18_linux-amd64 -O kaybee
 RUN chmod +x kaybee
+
 COPY kb-importer-$VULAS_RELEASE-jar-with-dependencies.jar kb-importer.jar
 RUN chmod +x kb-importer.jar
+
 COPY kb-importer.sh start.sh /kb-importer/
+RUN chmod +x /kb-importer/kb-importer.sh /kb-importer/start.sh
+
 ENTRYPOINT ["sh","/kb-importer/start.sh"]