SourceClear JUnit Wrapper

Top-level parent POM for Red Hat Release Engineering Tooling.

Лицензия	Лицензия APLv2.0
Группа	Группа com.redhat.engineering
Идентификатор	Идентификатор srcclr
Последняя версия	Последняя версия 1.6
Дата	Дата 9 февр. 2021 г.
Тип	Тип jar
Описание	Описание SourceClear JUnit Wrapper Top-level parent POM for Red Hat Release Engineering Tooling.
Ссылка на сайт	Ссылка на сайт https://github.com/project-ncl/sourceclear-invoker
Система контроля версий	Система контроля версий http://github.com/project-ncl/sourceclear-invoker

Скачать srcclr

Имя Файла	Размер
srcclr-1.6.pom
srcclr-1.6.jar	78 KB
srcclr-1.6-sources.jar	59 KB
srcclr-1.6-javadoc.jar	275 KB
srcclr-1.6-jar-with-dependencies.jar	7 MB
Обзор

Как подключить последнюю версию

Apache Maven

<!-- https://jarcasting.com/artifacts/com.redhat.engineering/srcclr/ -->
<dependency>
    <groupId>com.redhat.engineering</groupId>
    <artifactId>srcclr</artifactId>
    <version>1.6</version>
</dependency>

Gradle Groovy

// https://jarcasting.com/artifacts/com.redhat.engineering/srcclr/
implementation 'com.redhat.engineering:srcclr:1.6'

Gradle Kotlin

// https://jarcasting.com/artifacts/com.redhat.engineering/srcclr/
implementation ("com.redhat.engineering:srcclr:1.6")

Apache Buildr

'com.redhat.engineering:srcclr:jar:1.6'

Apache Ivy

<dependency org="com.redhat.engineering" name="srcclr" rev="1.6">
  <artifact name="srcclr" type="jar" />
</dependency>

Groovy Grape

@Grapes(
@Grab(group='com.redhat.engineering', module='srcclr', version='1.6')
)

Scala SBT

libraryDependencies += "com.redhat.engineering" % "srcclr" % "1.6"

Leiningen

[com.redhat.engineering/srcclr "1.6"]

Зависимости

compile (17)

Идентификатор библиотеки	Тип	Версия
org.slf4j : slf4j-api	jar	1.7.30
ch.qos.logback : logback-core	jar	1.2.3
ch.qos.logback : logback-classic	jar	1.2.3
org.zeroturnaround : zt-exec	jar	1.12
info.picocli : picocli	jar	4.6.1
com.fasterxml.jackson.core : jackson-annotations	jar	2.12.1
com.fasterxml.jackson.core : jackson-databind	jar	2.12.1
com.fasterxml.jackson.core : jackson-core	jar	2.12.1
org.apache.httpcomponents : httpclient	jar	4.5.9
org.apache.commons : commons-lang3	jar	3.11
commons-io : commons-io	jar	2.6
org.apache.commons : commons-compress	jar	1.20
org.goots : exploder	jar	0.5
org.goots : jdownloader	jar	0.3
org.simplejavamail : simple-java-mail	jar	5.0.8
com.konghq : unirest-java	jar	2.3.07
com.konghq : unirest-objectmapper-jackson	jar	2.3.07

provided (1)

Идентификатор библиотеки	Тип	Версия
org.projectlombok : lombok	jar	1.18.2

test (5)

Идентификатор библиотеки	Тип	Версия
junit : junit	jar	4.13.1
org.jboss.byteman : byteman-bmunit	jar	4.0.13
com.github.stefanbirkner : system-rules	jar	1.16.0
com.github.davidmoten : subethasmtp	jar	4.0-RC8
com.github.tomakehurst : wiremock-standalone	jar	2.19.0

Модули Проекта

Данный проект не имеет модулей.

SourceClear Invoker

This project is designed to project a simple wrapper around the existing SourceClear command line in order to provide the ability to parse the results and output a configurable JUnit pass/fail test. This can then be used as part of a pipeline in order to verify source repositories and final deliverables.

Requirements

glide: brew install glide on macOS, check here for installation instructions on other platforms
srcclr:
- Linux: SourceClear should be installed via its rpm (it should check for that). The yum repo for that is:

    [SourceClear]
    name=SourceClear
    baseurl=https://download.sourceclear.com/redhat/noarch/
    enabled=1
    gpgcheck=1
    gpgkey=https://download.sourceclear.com/redhat/SRCCLR-GPG-KEY

macOS: with homebrew - brew install srcclr

Usage

Currently this project will build a jar-with-dependencies although this is primarily aimed at local testing only. It provides a simplified interface to SourceClear e.g.

Usage: SrcClrWrapper [-dehV] [--email-address=<emailAddress>]
                     [--email-server=<emailServer>] [-c=<product>]
                     [--processor=<processor>] [-t=<threshold>] [COMMAND]
Wrap SourceClear and invoke it.
      --email-address=<emailAddress>[,<emailAddress>...]
                         Comma separated list of email addresses to notify. Domain portion of
                         first will be used as FROM address
      --email-server=<emailServer>
                         SMTP Server to use to send notification email
  -p, --product=<product>    Product Name
  -v, --product-version=<version>   Version of the product
  --memory               Memory allocation for the forked process. If not set will default to the current VM size.
  --package=<subpackage> CPE Subpackage Name
  --trace                Enables trace logging from SourceClear. Disables JSON output.
  --log                  Directory path to output log file containing results. Defaults to 'target'. Set to empty to disable.
  --json                 Directory path to output processed JSON as a file. Defaults to 'target'. Set to empty to disable.
  -d, --debug            Enable debug.
  -e, --exception        Throw exception on vulnerabilities found.
  -h, --help             Show this help message and exit.
  --processor=<processor>
                         Processor to use to analyse SourceClear results. Default is
                           'cvss'
  --profile=<profile>   Profile for VeraCode scanning. Defaults to empty
                            (default profile).
  -t, --threshold=<threshold>
                         Threshold on which exception is thrown. Only used with CVSS
                           Processor
  -V           Print version information and exit.


Usage: SrcClrWrapper scm [-dehV] [--ref=REF] --url=URL [-t=<threshold>]
Scan a SCM URL
      --ref=REF     the SCM reference (e.g. git sha, tag)
      --url=URL     the SCM url
  -d, --debug       Enable debug.
  -e, --exception   Throw exception on vulnerabilities found.
  -h, --help        Show this help message and exit.
  -t, --threshold=<threshold>
                    Threshold on which exception is thrown.
  -V    Print version information and exit.
  --maven-param     Extra Maven parameters

Note : for the SCM --url parameter both . and file:// URLs are supported to scan the local filesystem.


Usage: SrcClrWrapper binary [-dehV] --name=NAME --url=URL
                            [-t=<threshold>]
Scan a remote binary
      --url=URL     the remote file url
  -d, --debug       Enable debug.
  -e, --exception   Throw exception on vulnerabilities found.
  -h, --help        Show this help message and exit.
  -t, --threshold=<threshold>
                    Threshold on which exception is thrown.
  -V     Print version information and exit.

Its main use is to be ran inside Jenkins as a JUnit test suite e.g.

mvn -Dmaven.buildNumber.skip=true -Pjenkins clean test  '-DargLine=-Dsourceclear="--product-version=1.0.0 -p=koji-build-finder scm --url=https://github.com/release-engineering/koji-build-finder.git --ref=koji-build-finder-1.0.0"'

Features

It supports reading a configuration from the command or from $HOME/.srcclr/invoker.properties.
It can send a notification email to a specified email address with a summary of any problems found.
It can examine either the CVSS score returned from SourceClear or examine the CVE identifier and then query the results using the CPE (product name) against the Red Hat Security Data API ( https://access.redhat.com/labs/securitydataapi/ )
Sample Jenkins jobs are provided in the jenkins directory.

Notes

Currently the code requires the product name and version to be passed in. It will assemble a CPE from that information. While we did consider using the CPE parser library but due to the fact we are not currently parsing or comparing CPEs the extra library isn't required.

Версии библиотеки

Версия
1.6 9 февр. 2021 г.
1.5 5 янв. 2021 г.
1.4 21 нояб. 2019 г.
1.3 12 авг. 2019 г.
1.2 21 июн. 2019 г.
1.1 26 мар. 2019 г.
1.0 23 янв. 2019 г.
0.2 17 сент. 2018 г.

SourceClear JUnit Wrapper

Лицензия

Группа

Идентификатор

Последняя версия

Дата

Тип

Описание

Ссылка на сайт

Система контроля версий