Maven and Gradle

Maven and Gradle are build automation and dependency management systems used primarily for Java projects. Their goals are to provide a uniform build system and to simplify the build process altogether. They are used for dependency management, testing, and building of simple to complex projects. Both systems boast a plugin architecture which provides an easy interface to apply conventions, add tasks to the lifecycle of a build, integrate third-party tools, and much more. Most of the time they are used in combination with continuous integration and delivery tools such as Bamboo and Jenkins for even greater automation.

Automate Security Testing

Since both systems are already used extensively to automate the build and test process of Java applications, it is only fitting to integrate our static code analysis there as well. That way no major changes to your established continuous integration process are necessary and existing tools can be reused. The Maven plugin is set up to run in the verify phase of the build lifecycle by default but can be configured to run in any other phase as well. The Gradle plugin can be applied in a similar fashion.

Now every time a new version of your application is built, it is also examined for critical security vulnerabilities, and the plugin can be configured to fail the corresponding build when user-defined thresholds are exceeded.

RIPS Maven & Gradle Plugin

Installation

To add the RIPS plugin to your project, add the following lines to your build file:

pom.xml

<build>
    <plugins>
        <plugin>
            <groupId>com.ripstech</groupId>
            <artifactId>rips-maven-plugin</artifactId>
            <version>1.0.0</version>
            <configuration>
                ...
            </configuration>
        </plugin>
    </plugins>
</build>

build.gradle

plugins {
    id 'com.ripstech.gradle' version '1.0.0'
}

// alternative (legacy buildscript form), if dynamic configuration is required
buildscript {
    dependencies {
        classpath "com.ripstech.gradle:rips-plugin:1.0.0"
    }
}

apply plugin: "com.ripstech.gradle.rips-plugin"

Configuration

The plugins can be easily configured via the pom.xml (Maven) or the build.gradle (Gradle) files. After adding the plugin to the project, a few required configuration properties need to be set:

pom.xml

<build>
    <plugins>
        <plugin>
            ...
            <configuration>
                <apiUrl>https://api-3.ripstech.com</apiUrl>
                <email>test@company</email>
                <!-- read from the RIPS environment variable (Maven syntax: ${env.NAME}); never commit the password -->
                <password>${env.RIPS}</password>
                <applicationId>yourApplicationId</applicationId>
            </configuration>
        </plugin>
    </plugins>
</build>

build.gradle

// required properties
ripstech {
    // the URL to the RIPS API
    apiUrl = "https://api-3.ripstech.com"
    // user email
    email = "test@company"
    // user password, read from the RIPS environment variable (never commit it)
    password = "$System.env.RIPS"
    // ID of the application to use
    applicationId = yourApplicationId
    // optional properties
    // ....
}

Both Maven and Gradle allow the use of environment variables in their configuration files. This is especially useful if you do not want to store the password in your pom.xml or build.gradle (and you shouldn’t). The applicationId and profileId can be retrieved from the RIPS user interface or directly from the API. The scan version can include additional placeholders, which are listed and described below.

pom.xml

<!-- will resolve to yyyy-MM-dd HH:mm - Maven - yourProjectName -->
<scanVersion>{isoDateTime} - {buildSystem} - {projectName}</scanVersion>

build.gradle

// will resolve to yyyy-MM-dd HH:mm - Gradle - yourProjectName
scanVersion = "{isoDateTime} - {buildSystem} - {projectName}"

Additional optional settings, such as the thresholds and the UI URL, can also be specified. A threshold defines the maximum number of issues of a given severity that are allowed per scan: if you set the threshold for critical issues to 2 and RIPS finds 3 critical issues, the build fails. If you omit the threshold for a severity, issues of that severity are ignored when the scan is evaluated, so a severity without a threshold can never fail the build. The UI URL is used to include links to the user interface so that you can take a more in-depth look at the issues.

pom.xml

<uiUrl>https://ui-3.ripstech.com</uiUrl>
<profileId>yourProfileId</profileId>
<printIssues>true</printIssues>
<thresholds>
    <critical>2</critical>
    <high>4</high>
    <medium>7</medium>
    <low>15</low>
</thresholds>

build.gradle

ripstech {
    uiUrl = "https://ui-3.ripstech.com"
    profileId = yourProfileId
    printIssues = true
    thresholdCritical = 2
    thresholdHigh = 4
    thresholdMedium = 7
    thresholdLow = 15
}

The plugins can also print all vulnerabilities (printIssues) with links to the exact line and column in your source files. This lets you use RIPS in your development process to detect security flaws as early as possible.
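To make the three post-scan steps described above concrete (expanding the scanVersion placeholders, gating the build on the per-severity thresholds including the "omitted threshold is ignored" rule, and printing findings with UI links), here is an added illustration written for this article. It is not RIPS plugin code: the function names, the Issue structure, the sample findings and the URL path appended to uiUrl are constructed assumptions; only the placeholder names, the threshold values and the uiUrl mirror the configuration shown above.

```python
# Added illustration of the post-scan steps a RIPS build plugin performs.
# Example code for this article, not the RIPS plugin source: function names,
# the Issue structure, the sample findings and the '/issues/<id>' path under
# uiUrl are constructed; placeholder names, thresholds and uiUrl mirror the
# configuration examples in the text.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SEVERITIES = ("critical", "high", "medium", "low")


def resolve_scan_version(template: str, build_system: str, project_name: str,
                         now: Optional[datetime] = None) -> str:
    """Expand {isoDateTime}, {buildSystem} and {projectName} in a scanVersion template."""
    now = now or datetime.now()
    return (template
            .replace("{isoDateTime}", now.strftime("%Y-%m-%d %H:%M"))
            .replace("{buildSystem}", build_system)
            .replace("{projectName}", project_name))


@dataclass(frozen=True)
class Issue:
    """One finding as the plugin might receive it from the scan result (constructed shape)."""
    issue_id: int
    severity: str      # one of SEVERITIES
    category: str
    path: str
    line: int
    column: int


def evaluate_thresholds(issues: List[Issue], thresholds: Dict[str, int]) -> dict:
    """Compare per-severity counts with the configured maxima.

    A severity with no configured threshold is ignored, as the plugin
    documentation describes; the build passes only when no configured
    severity exceeds its limit.
    """
    counts = Counter(issue.severity for issue in issues)
    violations = [sev for sev in SEVERITIES
                  if sev in thresholds and counts[sev] > thresholds[sev]]
    return {
        "counts": {sev: counts[sev] for sev in SEVERITIES},
        "violations": violations,
        "passed": not violations,
    }


def format_issues(issues: List[Issue], ui_url: str) -> List[str]:
    """Render one line per finding with file:line:column and a UI link.

    The '/issues/<id>' path is a placeholder for this example, not the real
    RIPS UI route.
    """
    ordered = sorted(issues, key=lambda i: (SEVERITIES.index(i.severity), i.path, i.line))
    return [
        f"[{issue.severity.upper()}] {issue.category} at {issue.path}:{issue.line}:{issue.column}"
        f" -> {ui_url.rstrip('/')}/issues/{issue.issue_id}"
        for issue in ordered
    ]


# Constructed sample findings: 3 critical, 1 high, 0 medium, 2 low.
SAMPLE_ISSUES = [
    Issue(101, "critical", "SQL Injection", "src/main/java/shop/OrderDao.java", 88, 21),
    Issue(102, "critical", "Command Execution", "src/main/java/shop/Export.java", 40, 9),
    Issue(103, "critical", "Path Traversal", "src/main/java/shop/Files.java", 12, 30),
    Issue(104, "high", "Cross-Site Scripting", "src/main/java/shop/View.java", 73, 5),
    Issue(105, "low", "Information Leakage", "src/main/java/shop/Debug.java", 7, 2),
    Issue(106, "low", "Information Leakage", "src/main/java/shop/Debug.java", 19, 2),
]

# The thresholds from the configuration example in the text.
SAMPLE_THRESHOLDS = {"critical": 2, "high": 4, "medium": 7, "low": 15}


def run_example() -> dict:
    """Run the three steps on the sample data with a fixed timestamp."""
    version = resolve_scan_version("{isoDateTime} - {buildSystem} - {projectName}",
                                   "Maven", "webshop", now=datetime(2019, 5, 2, 14, 7))
    verdict = evaluate_thresholds(SAMPLE_ISSUES, SAMPLE_THRESHOLDS)
    report = format_issues(SAMPLE_ISSUES, "https://ui-3.ripstech.com")
    return {"scan_version": version, "report": report, **verdict}


if __name__ == "__main__":
    result = run_example()
    print("scan version:", result["scan_version"])
    print("\n".join(result["report"]))
    print("counts:", result["counts"])
    if not result["passed"]:
        # a non-zero exit is what makes the CI job fail
        raise SystemExit(f"threshold exceeded for: {', '.join(result['violations'])}")
```

With the sample data the critical threshold of 2 is exceeded by the 3 critical findings, so the gate fails; the same findings pass if the critical threshold is left out, which is why every severity you care about should have an explicit threshold.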

Check out the following video to see what a scan might look like for your application.

Summary

The plugins allow you to integrate RIPS seamlessly into your build process for automated security analysis, without changing your build system or continuous integration tooling.

You can find more information and a detailed description of the configuration options in our knowledge base for Gradle and Maven.