Security Testing Plugin for Maven & Gradle
5 Feb 2019 by Julian Karl, Amin Dada
We are pleased to announce integration support for the two major build automation tools, Apache Maven and Gradle. Both plugins let you add our static code analysis solution to your build process and provide a streamlined way to configure and start a new security scan for your Java applications.
Maven and Gradle
Maven and Gradle are build automation and dependency management systems used primarily for Java projects. Their goals are to provide a uniform build system and to simplify the build process altogether. They are used for dependency management, testing, and building of simple to complex projects. Both systems boast a plugin architecture which provides an easy interface to apply conventions, add tasks to the lifecycle of a build, integrate third-party tools, and much more. Most of the time they are used in combination with continuous integration and delivery tools such as Bamboo and Jenkins for even greater automation.
Automate Security Testing
Since both systems are already used extensively to automate the build and testing of Java applications, it is only fitting to integrate our static code analysis at the same point. That way no major changes to your established continuous integration process are necessary, and existing tools can be re-used as they are. The Maven plugin is bound to the verify phase of the default lifecycle by default, but it can be bound to any other phase as well. The Gradle plugin can be applied in a similar fashion.
Now every time a new version of your application is built it is also examined for critical security vulnerabilities, and the build can be configured to fail whenever user-defined thresholds are exceeded.
RIPS Maven & Gradle Plugin
To add the RIPS plugin to your project, include the following lines in your build file:
The plugins are configured via the pom.xml (Maven) or the build.gradle (Gradle) file. After adding the plugin to the project, a few required configuration properties need to be set:
Both Maven and Gradle allow environment variables to be referenced from the configuration files. This is especially useful if you do not want to store the password in your pom.xml or build.gradle (and you should not: build files are usually committed to version control and shared with everyone who can read the repository). The applicationId and profileId can be retrieved from the RIPS user interface or directly from the API. The scan version can include additional placeholders, which are listed and described below.
Additional optional settings, such as the thresholds and the UI URL, can also be specified. A threshold defines the maximum number of issues of a given severity that are allowed per scan: if you set the threshold for critical issues to 2 and RIPS finds 3 critical issues, the build fails. If you omit the threshold for a severity, issues of that severity are ignored when the scan is evaluated. The UI URL is used to include links to the user interface so that you can take a more in-depth look at the issues.
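To make the gating rule concrete, here is the threshold evaluation described above reimplemented as a small, stand-alone script. This is an added example and not the RIPS plugin's own code; the page shows no implementation, so Python is used here for illustration. The environment variable names RIPS_EMAIL and RIPS_PASSWORD, the severity names, the issue record layout and the sample findings are all assumptions made for this example, not scanner output.

```python
"""Build gate of the kind the RIPS Maven/Gradle plugins apply.

Example code, not the plugin's own implementation. The severity names,
the issue record layout and the environment variable names are assumed.
"""
import os

# Severities the gate understands, most severe first (assumed naming).
SEVERITIES = ("critical", "high", "medium", "low")


def evaluate_thresholds(issues, thresholds):
    """Decide whether a scan passes the build gate.

    issues:     list of dicts with at least a "severity" key (one scan result).
    thresholds: {severity: max_allowed}. A severity without an entry is
                ignored, as the page describes for omitted thresholds.
    Returns (passed, violations); violations is a list of
    (severity, found, allowed) tuples, most severe first.
    """
    unknown = set(thresholds) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities in thresholds: {sorted(unknown)}")
    counts = {sev: 0 for sev in SEVERITIES}
    for issue in issues:
        sev = issue["severity"]
        if sev not in counts:
            raise ValueError(f"unknown issue severity: {sev!r}")
        counts[sev] += 1
    # "More than the threshold" fails: threshold 2 allows 2 and rejects 3.
    violations = [
        (sev, counts[sev], thresholds[sev])
        for sev in SEVERITIES
        if sev in thresholds and counts[sev] > thresholds[sev]
    ]
    return (not violations, violations)


def credentials_from_env(env=None):
    """Read the scanner login from the environment instead of the build file.

    RIPS_EMAIL / RIPS_PASSWORD are assumed names for this example; the page
    only says the password should not live in pom.xml or build.gradle.
    """
    env = os.environ if env is None else env
    missing = [n for n in ("RIPS_EMAIL", "RIPS_PASSWORD") if not env.get(n)]
    if missing:
        raise RuntimeError(f"missing credentials in environment: {missing}")
    return env["RIPS_EMAIL"], env["RIPS_PASSWORD"]


def format_issue(issue):
    """One line per finding, as file:line:column so an IDE can jump to it."""
    return (f"[{issue['severity'].upper()}] {issue['type']} at "
            f"{issue['file']}:{issue['line']}:{issue['column']}")


# Constructed sample scan result for the demonstration (not real output).
SAMPLE_ISSUES = [
    {"severity": "critical", "type": "SQL Injection",
     "file": "src/main/java/app/UserDao.java", "line": 42, "column": 17},
    {"severity": "critical", "type": "Command Injection",
     "file": "src/main/java/app/Exec.java", "line": 88, "column": 9},
    {"severity": "critical", "type": "Path Traversal",
     "file": "src/main/java/app/Files.java", "line": 120, "column": 5},
    {"severity": "high", "type": "Cross-Site Scripting",
     "file": "src/main/java/app/View.java", "line": 31, "column": 22},
    {"severity": "low", "type": "Information Leak",
     "file": "src/main/java/app/Debug.java", "line": 10, "column": 1},
]

# The page's example: at most 2 critical issues; "low" is omitted and ignored.
SAMPLE_THRESHOLDS = {"critical": 2, "high": 5}


def main():
    for issue in SAMPLE_ISSUES:
        print(format_issue(issue))
    passed, violations = evaluate_thresholds(SAMPLE_ISSUES, SAMPLE_THRESHOLDS)
    for sev, found, allowed in violations:
        print(f"threshold exceeded: {found} {sev} issues, {allowed} allowed")
    print("BUILD", "SUCCESS" if passed else "FAILURE")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a script it prints the five findings, reports that 3 critical issues exceed the limit of 2, and exits non-zero, which is exactly the signal a CI job needs to mark the build as failed. The single low-severity finding does not count because no threshold was set for it.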
The plugins can print all vulnerabilities with links to the exact line and column in your source files. This lets you use RIPS throughout your development process and detect security flaws as early as possible.
Check out the following video to see what a scan of your application might look like.
The plugins integrate RIPS seamlessly into your build process for automated security analysis, without requiring changes to your build system or continuous integration tooling.