Friday, December 19, 2014

Getting All Maven Dependencies

If you are running any static analysis tool for Java, you know how hard it is to get all dependencies from a client. This is especially true if the application uses Maven build. Most clients use Nexus, which makes it even harder to get libraries to compile.

During one such engagement, one of my team members was struggling to compile the code. And anytime you have compilation errors, many of the static analysis tools produce 0 findings.

That's when I sent this simple command line option to my team member, who in turn was able to ask the client to send them all the dependencies using this command. And this worked like a charm, we had all libraries required to compile the code, the tool was happy, we were happy and the client was happy as well.

So, here it is. Make sure you can compile the code without any errors.

From a command line within your project, run "mvn clean compile"


Next, once you have a clean compilation, run the command "mvn dependency:copy-dependencies". This will copy all the dependencies into the target\dependency folder.


Take a look at the target\dependency folder, you have all the libraries to compile and can now configure any tool to scan your code successfully.






Sunday, October 12, 2014

Apache Commons CLI - A Simple Example

As the saying goes " Out of Sight, Out of Mind", I was unable to remember how often I had used the Apache Commons CLI API in my Developer days. Now that I mostly work on Security engagements, when I was reminding one of our Consultants to use command line options, I couldn't remember the name of Commons CLI.

As soon as I got back home from the client site, I fired up my laptop, and there it was the code written almost several years back which used the Apache Commons CLI API.

The best way to get access to these code examples is to blog here, and you have it handy anywhere in the world, right?

The Commons CLI has great documentation on its website. Take a look:

http://commons.apache.org/proper/commons-cli/

Follow the steps below to get it up and running in a few mins:

1. Download Commons CLI from here:
http://commons.apache.org/proper/commons-cli/download_cli.cgi

2. Create a simple Main class:

3. As seen in the above screen shot, use the org.apache.commons.cli.Options to specify the command line options. For mandatory options, use the .isRequired().

4. Add descriptions to each command line option.

5. Next, parse command line input with set options as shown below:


6. Finally, get the individual command line options using the CommandLine object. For the ones which are optional, check if the argument is available using the .hasOption method.

7. Now run the jar file from the command line and you are all set. If an an option which is required is not set, it will print the help message as shown below:



8. If all the required options are specified, you see a message as such:


That's all it is for using the Apache Commons CLI. Happy Coding.

Wednesday, August 27, 2014

Failed to execute goal com.github.searls:jasmine-maven-plugin

When you are running any Static Analysis tool for Security such as IBM's AppScan Source and HP's Fortify SCA, and you notice errors such as the following, the simplest way to solve this is to disable running your unit tests.

 [ERROR] Failed to execute goal com.github.searls:jasmine-maven-plugin:1.3.1.3:test (run-jasmine-unit-tests-external-min) on project your-project-name: There were Jasmine spec failures. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]

The code needs to be compiled and packaged, however there is no need for unit tests to run successfully for getting good results. So, at this point to get the static analysis tool running, use one of the following commands and you should be up and running.

To skip running tests, use one of the below commands:
 
mvn clean compile package –DskipTests or
mvn package –Dmaven.test.skip=true

Monday, July 21, 2014

Unrecognized or invalid command line argument '-disable-sourcerendering'


If you are seeing the following error while scanning your projects using Fortify Maven plugin, there is a simple fix.

[error]: Unrecognized or invalid command line argument '-disable-sourcerendering'
Fortify Static Code Analyzer 5.16.0.0042
Copyright (c) 2003-2013 Fortify Software

For command-line help, type 'sourceanalyzer -h'

[ERROR] Error invoking sourceanalyzer. Exit code: 1.
Verify your project settings and your SCA installation.

Open the file com.fortify.ps.maven.plugin.sca.ScanMojo.java, and replace the following code:

com.fortify.ps.maven.plugin.sca.ScanMojo

If (!renderSources) {
addArg(“-disable-sourcerendering");
}

With the following lines

If (!renderSources) {
addArg(“-disable-source-rendering");
}

Recompile, package, and install using:

mvn compile package install.

And rerun your scans.



Tuesday, January 7, 2014

Installing Maven Fortify Plugin

The Maven Fortify Plugin supports Maven 2.0.X, 2.2.X and 3.0.X versions. The Plugin provides functionality to translate, scan and upload using Fortify's Source Code Analyzer or SCA as it is commonly called.

The source code of the plug-in is available within the Samples folder of the fortify installation as shown below.



Make sure you have Maven installed.

If the Maven Fortify Plugin has never been installed, run the Maven clean package and install commands as shown below:


 Once the commands run, you should be able to see the jar successfully built.


At this point, you can browse the .m2 folder and see that the plugin has been installed in your local Maven repository.


Now that the plugin is installed, you can easily translate, and scan using Fortify on all your Maven projects. 

A few other posts on Fortify can be found here:

Wednesday, August 21, 2013

Job Openings @ Cigital




Cigital currently has 29 different openings across different locations.  We are actively recruiting for, with critical needs in Texas, London,  and Managing Consultant areas.  You’ll find detailed descriptions for these on our website. Leave a comment here, and I can send you an email to get your resume.



Technical Manager -  Santa Clara
 

Managing Consultant Chicago, Dallas, London, New York, Santa Clara, Toronto

Sales Director – Houston

Associate Consultants - Bloomington, Boston, Dulles and New York

Interns - Bloomington, Boston, Dulles and New York

Security Consultants - Boston, Dulles, London, Minneapolis

Sr. Security Consultant  - Dulles, London and Santa Clara


Tuesday, June 25, 2013

Beware : Yahoo Signin Alert

I received the following email at my yahoo account. Having seen these kinds of email quite a lot, I immediately knew it was an email someone was sending to compromise my account. Glad it helps when you are working for a company like "Cigital".

Beware of the email, which looks like this:

Make sure you don't click on the link, or login into your account using the link provided there.

Thursday, May 9, 2013

Fortify – [error]: Build ID doesn’t exist.

[error]: Build ID doesn’t exist.Error invoking sourceanalyzer. Exit code: 1.
This was the strange error we kept seeing today on the Jenkins server when using Fortify to scan projects. All the jobs which were running successfully failed miserably.


Even having the source code for the Maven plug-in didn’t help much.
 Spent a few hours trying various things, and at one point I decided to just run the translate command. The translate was running fine, which made me wonder that something isn’t right here.
Fortify kept complaining that the Build ID doesn’t exist. Translate also requires the use of Build ID which made we wonder something was going wrong. When I just ran the translate, and looked at the log file it generates, the culprit was hidden there. “No space left on device”. See screen shot below:

Fortify was configured to use the default working directory and project root. The disk was full, and translate didn’t throw an exception. The stack trace was hidden in the log file. Once the default working folder was changed, all jobs started running successfully.
There are basically two options available:
1. Change the values to a mount which has more space.
com.fortify.WorkingDirectory=/your/tmp/dir/fortify
com.fortify.sca.ProjectRoot=/your/tmp/dir/fortify
2. Use the Jenkins workspace folder, so you can clear the workspace at regular intervals
com.fortify.WorkingDirectory=.yourjenkinsworkspace
com.fortify.sca.ProjectRoot=.yourjenkinsworkspace

Wednesday, May 8, 2013

Maven Fortify Plugin - Getting Help

Developers and security analysts have trouble getting the Fortify Maven plugin up and running. Even if the basic commands for translate, and scan work, I have seen them having trouble understanding the various options available to configure how the projects gets scanned.

Adding the Fortify Maven plugin is as simple as adding the following lines to your POM file. This is again optional, and in many cases if you specify the full path, you don't even have to add the following lines to all your POM.


If you don't have the source for the Plugin and you want to find out what are the configuration options which can be specified for the plugin, use the mvn help:describe command. If you want to see the options for the maven-sca-plugin shown above, use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt



The text file would have all the detailed information available to use with the goals.


To get help information for a specifc MOJO or a Maven goal use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Dgoal=scan -Doutput=mvn-help-scan.txt

Wednesday, April 3, 2013

jmap & Windows7

In spite of using Java for several decades now, I had never used jmap. jmap is a JDK tool used for dumping the heap memory details of a process. jmap worked with no problems at all on the Ubuntu machine which had OpenJDK installed.

However, as soon as I tried using the same commands on my Windows 7 machine, the command just didn't do anything. I did search online and found no references on why it doesn't work the way it is supposed to on Windows. Didn't spend too much time finding what the root cause was either. The workaround is sufficient for me. :)

So, lets see how to get this jmap working on Windows.

Step 1:
Open a command window and start any Java program you have. Make sure it runs for a while so you can use this process ID to get the heap dump.

Step 2:
Run the jps command to get the process ID's. jps is the Java Virtual Machine Process Status Tool.


Step 3:
Now that you have the process ID's for the applications running, start the jmap command on another command prompt. This is where things get interesting.

jmap should have worked here, since it is in the path. However, it doesn't dump the heap and keeps displaying the usage instructions.
I tried several options, none seemed to work.

Step 4:
At this point, I decided to run the jmap command from the bin folder of the JDK to see if anything changes.

And like a charm, jmap dumped the contents of the heap.

Step 5:
Once you have the contents of the heap, use jhat the Java Heap Analysis Tool to view and browse through the heap dump file.

Below are links for the various JDK Tools:

1. jmap
2. jps
3. jhat