
Commit 8691302

committed
Maven security fix and Improvements (#112)
1 parent 11b6e98 commit 8691302

4 files changed

Lines changed: 286 additions & 14 deletions


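--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,65 @@
+name: Credential Validation
+
+on:
+  workflow_dispatch: # Triggered by Jenkins or manually
+
+jobs:
+  validate-credentials:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install JFrog CLI
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ secrets.JF_URL }}
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+      - name: Validate JFrog Artifactory Credentials
+        id: validate_jfrog
+        run: |
+          echo "Testing JFrog Artifactory connection..."
+          if jf rt ping; then
+            echo "status=✅ SUCCESS" >> $GITHUB_OUTPUT
+            echo "message=JFrog connection successful" >> $GITHUB_OUTPUT
+            echo "✅ JFrog Artifactory credentials are valid"
+          else
+            echo "status=❌ FAILURE" >> $GITHUB_OUTPUT
+            echo "message=JFrog connection failed" >> $GITHUB_OUTPUT
+            echo "❌ JFrog Artifactory credentials validation failed"
+            exit 1
+          fi
+
+      - name: Validate Maven Central (OSSRH) Credentials
+        id: validate_maven_central
+        if: always() # Run even if JFrog validation fails
+        run: |
+          echo "Testing Maven Central (OSSRH) connection..."
+
+          # Test authentication against Nexus staging profiles API
+          HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' \
+            -u "${{ secrets.OSSRH_USERNAME }}:${{ secrets.OSSRH_PASSWORD }}" \
+            "https://oss.sonatype.org/service/local/staging/profiles")
+
+          echo "Maven Central API response: $HTTP_CODE"
+
+          if [ "$HTTP_CODE" = "200" ]; then
+            echo "status=SUCCESS" >> $GITHUB_OUTPUT
+            echo "message=Maven Central connection successful" >> $GITHUB_OUTPUT
+            echo "SUCCESS: Maven Central credentials are valid"
+          elif [ "$HTTP_CODE" = "401" ]; then
+            echo "status=FAILURE" >> $GITHUB_OUTPUT
+            echo "message=Authentication failed - invalid credentials" >> $GITHUB_OUTPUT
+            echo "ERROR: Maven Central authentication failed (401)"
+            exit 1
+          elif [ "$HTTP_CODE" = "403" ]; then
+            echo "status=SUCCESS" >> $GITHUB_OUTPUT
+            echo "message=Credentials valid (limited permissions on staging API is normal)" >> $GITHUB_OUTPUT
+            echo "SUCCESS: Maven Central credentials valid (403 on staging API is acceptable for deployment)"
+          else
+            echo "status=FAILURE" >> $GITHUB_OUTPUT
+            echo "message=Connection failed - HTTP $HTTP_CODE" >> $GITHUB_OUTPUT
+            echo "ERROR: Maven Central connection failed with HTTP $HTTP_CODE"
+            exit 1
+          fi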
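Review bot: In the `Validate Maven Central (OSSRH) Credentials` step the two OSSRH secrets are expanded by `${{ }}` directly into the text of the `run:` script, so a password containing a double quote, `$` or a backtick alters the command rather than being passed as the `-u` argument; route them through the step's `env:` and reference the shell variables instead, as the JFrog steps already do for `JF_URL` and `JF_ACCESS_TOKEN`. The workflow also declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository default scope although the job only checks out the code; `permissions:` / `  contents: read` at the top level limits it to what `actions/checkout` needs. The path of this new file is not shown on the page, so the fence below is anchored on the step name only.
```yaml
      - name: Validate Maven Central (OSSRH) Credentials
        id: validate_maven_central
        if: always() # Run even if JFrog validation fails
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
        run: |
          # … unchanged: banner echo and comment …
          HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' \
            -u "${OSSRH_USERNAME}:${OSSRH_PASSWORD}" \
            "https://oss.sonatype.org/service/local/staging/profiles")
          # … unchanged: HTTP_CODE handling …
```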

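--- /dev/null
+++ b/.github/workflows/frogbot.yml
@@ -0,0 +1,88 @@
+name: "Frogbot Security Scan"
+
+on:
+  # Trigger on pull requests for scanning
+  pull_request_target:
+    types: [ opened, synchronize ]
+  # Trigger on schedule for scanning and fixing
+  schedule:
+    # The repository will be scanned once a day at 00:00 GMT
+    - cron: "0 0 * * *"
+
+permissions:
+  contents: write
+  pull-requests: write
+  security-events: write
+
+jobs:
+  # Job for scanning pull requests
+  scan-pull-request:
+    if: github.event_name == 'pull_request_target'
+    runs-on: ubuntu-latest
+    # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
+    # "frogbot" GitHub environment can approve the pull request to be scanned.
+    environment: frogbot
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # Install prerequisites
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: "8"
+          distribution: "temurin"
+
+      - uses: jfrog/frogbot@v2
+        env:
+          # [Mandatory]
+          # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+          JF_URL: ${{ secrets.JF_URL }}
+
+          # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+          # JFrog access token with 'read' permissions on Xray service
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+          # [Mandatory]
+          # The GitHub token automatically generated for the job
+          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Job for scheduled scanning and creating fix pull requests
+  scan-and-fix:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # The repository scanning will be triggered periodically on the following branches
+        branch: [ "main", "master" ]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.branch }}
+
+      # Install prerequisites
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: "8"
+          distribution: "temurin"
+
+      - uses: jfrog/frogbot@v2
+        env:
+          # [Mandatory]
+          # JFrog platform URL
+          JF_URL: ${{ secrets.JF_URL }}
+
+          # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+          # JFrog access token with 'read' permissions on Xray service
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+          # [Mandatory]
+          # The GitHub token automatically generated for the job
+          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # [Optional]
+          # Branch to create pull request against when fixing vulnerabilities
+          JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
+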
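Review bot: The workflow-level `permissions:` grants `contents: write` to both jobs, but `scan-pull-request` runs under `pull_request_target` on code checked out from the PR's `head.sha`, so whatever that PR's pom.xml makes the Frogbot scan execute has a write-scoped `GITHUB_TOKEN` (passed as `JF_GIT_TOKEN`) and `ARTIFACTORY_ACCESS_TOKEN` in its environment. The only safeguard is `environment: frogbot`, and the comment above it does not say that the gate works only if the environment is configured with required reviewers; without that protection rule the job starts unattended. Scope permissions per job so that only `scan-and-fix` (which pushes fix branches) carries `contents: write`, and extend the comment to state the required-reviewer precondition. Whether Frogbot's PR scan needs more than `contents: read` is not visible here and should be checked against its documentation.
```yaml
permissions: {}

jobs:
  # Job for scanning pull requests
  scan-pull-request:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      security-events: write
    # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
    # "frogbot" GitHub environment can approve the pull request to be scanned.
    # The "frogbot" environment MUST have a required-reviewers protection rule; without it this gate is a no-op
    # and the PR's build runs unattended with the tokens below.
    environment: frogbot
    # … unchanged: steps …

  # Job for scheduled scanning and creating fix pull requests
  scan-and-fix:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      security-events: write
    # … unchanged: strategy and steps …
```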
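--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,43 @@
+name: PR Audit
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request_target:
+    types: [ opened, synchronize ]
+  schedule:
+    - cron: '0 9 * * 1' # Weekly on Monday at 9 AM UTC
+
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+
+jobs:
+  jfrog-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Setup JDK 8
+        uses: actions/setup-java@v4
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Set up JFrog CLI
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ secrets.JF_URL }}
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+      - name: Run JFrog Audit
+        run: jf audit
+
+      - name: Run Tests
+        run: mvn clean test -B
+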
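Review bot: `jfrog-audit` is triggered by `pull_request_target`, checks out the PR's `head.sha`, and then runs `jf audit` and `mvn clean test -B` with `ARTIFACTORY_ACCESS_TOKEN` exported and a `GITHUB_TOKEN` holding `pull-requests: write` and `security-events: write`; unlike frogbot.yml in this same commit there is no approval environment, so a pull request from a fork can alter pom.xml and have the build run with those credentials. Change the trigger to `pull_request:` so fork PRs run with a read-only token and no secrets, or keep `pull_request_target` only behind an `environment:` with required reviewers as frogbot.yml does. Separately, `ref: ${{ github.event.pull_request.head.sha }}` is empty on the `push` and `schedule` events this workflow also listens to; that resolves to the default ref, which is presumably intended, and deserves a one-line comment such as `# empty (= default ref) on push/schedule events`. The file's path is not shown on the page.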

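--- a/pom.xml
+++ b/pom.xml
@@ -12,8 +12,8 @@
     </description>
 
     <properties>
-        <maven.min.version>3.3.9</maven.min.version>
-        <buildinfo.version>2.41.3</buildinfo.version>
+        <maven.min.version>3.8.1</maven.min.version>
+        <buildinfo.version>2.43.4</buildinfo.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
@@ -66,6 +66,82 @@
         <url>https://www.jfrog.com/jira/browse/NMAP</url>
     </issueManagement>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- Override vulnerable transitive dependencies -->
+            <dependency>
+                <groupId>org.apache.maven.shared</groupId>
+                <artifactId>maven-shared-utils</artifactId>
+                <version>3.4.2</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>2.18.2</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>2.18.2</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-codec-http</artifactId>
+                <version>4.1.125.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-codec-http2</artifactId>
+                <version>4.1.125.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-codec</artifactId>
+                <version>4.1.125.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-common</artifactId>
+                <version>4.1.125.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-handler</artifactId>
+                <version>4.1.125.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcprov-jdk18on</artifactId>
+                <version>1.79</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-jdk18on</artifactId>
+                <version>1.79</version>
+            </dependency>
+            <dependency>
+                <groupId>com.nimbusds</groupId>
+                <artifactId>nimbus-jose-jwt</artifactId>
+                <version>10.0.2</version>
+            </dependency>
+            <dependency>
+                <groupId>com.jayway.jsonpath</groupId>
+                <artifactId>json-path</artifactId>
+                <version>2.9.0</version>
+            </dependency>
+            <dependency>
+                <groupId>net.minidev</groupId>
+                <artifactId>json-smart</artifactId>
+                <version>2.5.2</version>
+            </dependency>
+            <dependency>
+                <groupId>org.xmlunit</groupId>
+                <artifactId>xmlunit-core</artifactId>
+                <version>2.10.0</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <!--Maven Core-->
         <dependency>
@@ -110,7 +186,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.11</version>
+            <version>3.18.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
@@ -120,7 +196,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.9.0</version>
+            <version>2.18.0</version>
         </dependency>
 
         <!--Annotations-->
@@ -139,7 +215,7 @@
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
-            <version>1.18.12</version>
+            <version>1.18.36</version>
             <scope>provided</scope>
         </dependency>
 
@@ -159,7 +235,7 @@
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-simple</artifactId>
-            <version>1.7.36</version>
+            <version>2.0.16</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -185,7 +261,7 @@
         <dependency>
             <groupId>org.codehaus.plexus</groupId>
             <artifactId>plexus-archiver</artifactId>
-            <version>4.8.0</version>
+            <version>4.10.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -203,19 +279,19 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-xml</artifactId>
-            <version>2.14.1</version>
+            <version>2.18.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.datatype</groupId>
             <artifactId>jackson-datatype-guava</artifactId>
-            <version>2.14.1</version>
+            <version>2.18.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mock-server</groupId>
             <artifactId>mockserver-netty</artifactId>
-            <version>5.14.0</version>
+            <version>5.15.0</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>
@@ -243,25 +319,25 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-text</artifactId>
-            <version>1.10.0</version>
+            <version>1.13.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mozilla</groupId>
             <artifactId>rhino</artifactId>
-            <version>1.7.14</version>
+            <version>1.8.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>commons-beanutils</groupId>
             <artifactId>commons-beanutils</artifactId>
-            <version>1.9.4</version>
+            <version>1.11.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>2.0</version>
+            <version>2.3</version>
             <scope>test</scope>
         </dependency>
     </dependencies>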
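Review bot: The new `<dependencyManagement>` block pins fourteen artifacts under the single comment `<!-- Override vulnerable transitive dependencies -->`, but nothing records which direct dependency pulls each one in or which advisory the pin addresses, so a later maintainer cannot tell when a pin has become obsolete or when it is silently holding a transitive back below what a newer `buildinfo.version` would bring; a one-line comment per pin naming the consuming dependency and the advisory (an `[ADVISORY ID]` placeholder until looked up) would make the block auditable, and `mvn dependency:tree` should confirm the pins actually take effect for the artifacts they target. In the `@@ -159,7 +235,7 @@` hunk, `slf4j-simple` moves from 1.7.36 to 2.0.16, which is a major version with a different binding mechanism; if the `slf4j-api` on the test classpath (not visible in this diff) is still 1.7.x, SLF4J falls back to its no-op logger and test logging goes silent, so the api artifact's version should be checked alongside it.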
