Use Maven to Find Security Vulnerabilities and Viral Licenses in Applications


October 10, 2012 By Bentmann Benjamin

A few months ago, we launched Insight Application Health Check. Today, I’d like to announce another way to get started tracking licensing and security issues. In this post, I’m going to show you how to scan your project with nothing more than Maven and an existing project. You can get started with Insight without having to download a client or server. All you’ll need to do is run a simple plugin from the command line.

To enable users to scan their applications, we provide an executable JAR with a graphical user interface. With this interface users are a few clicks away from results. But, even with this GUI, some users want to be able to use Insight’s Application Health Check from the command line, because sometimes “clicking” isn’t the most effective way to get something done. If you’re building your application using Apache Maven, you probably already have a terminal window open to invoke its build phases. So, while you’re in there, adding or updating some dependencies in your POM and repackaging your application, why not check whether this dependency update introduced a security vulnerability or license issue, especially if it’s as easy as adding another goal to your command line? Meet the Application Health Check Maven Plugin:

mvn package com.sonatype.insight:ahc:run -D ahc.email=my.name@mycompany.com

Right after all artifacts making up your application have been built, the ahc:run goal will collect their fingerprints and send them to the Insight service. The Insight service will match these fingerprints against a database of OSS licensing and security vulnerability data and identify potential problems. A few minutes after the plugin has uploaded the data, you receive an email with a link to your free Application Health Check report.

[INFO] --- ahc:1.21.2:run (default-cli) @ my-application ---
...
[INFO] Scan completed in 4 seconds
[INFO] Number of directories: 0
[INFO] Number of archives: 37
[INFO] Number of files: 3017
[INFO] Number of errors: 0
[INFO] Uploading scan to https://insight.sonatype.com/
[INFO] Report information will be emailed to my.name@mycompany.com from insight-notification@sonatype.com
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS

Notice that you didn’t need to modify your POM to run the plugin. Nothing had to change. In fact, the plugin runs just as well without a POM, prompting you for the WAR/EAR/ZIP/TAR.GZ/etc. to be scanned. So whenever you’re in a terminal window and have Maven installed, Application Health Check is right at your fingertips to tell you about security or license issues.
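Because the report arrives by email, the build log is the only thing a CI job can inspect, and it only tells you whether the scan itself ran and was uploaded. The POSIX shell check below is an added example, not code from this post or from the ahc plugin: it parses the “[INFO] Number of …”, “Uploading scan to” and “BUILD SUCCESS” lines shown above (the sample log is constructed from that output) and fails when nothing was scanned, the scan reported errors, the upload never happened, or Maven failed.

```shell
#!/bin/sh
# Added example (not from the Sonatype post or the ahc plugin): decide from the
# ahc:run build log whether the scan actually ran and was uploaded. The line
# formats are those shown in the post; the sample log below is constructed.

SAMPLE_LOG='[INFO] --- ahc:1.21.2:run (default-cli) @ my-application ---
[INFO] Scan completed in 4 seconds
[INFO] Number of directories: 0
[INFO] Number of archives: 37
[INFO] Number of files: 3017
[INFO] Number of errors: 0
[INFO] Uploading scan to https://insight.sonatype.com/
[INFO] Report information will be emailed to my.name@mycompany.com from insight-notification@sonatype.com
[INFO] BUILD SUCCESS'

# ahc_count LOG NAME: print the integer after "[INFO] Number of NAME:" (empty if absent)
ahc_count() {
    printf '%s\n' "$1" | sed -n "s/^\[INFO\] Number of $2: \([0-9][0-9]*\)[[:space:]]*$/\1/p" | head -n 1
}

# ahc_check LOG: return 0 when the scan covered something, reported no errors,
# was uploaded and Maven succeeded; otherwise print the reason and return 1.
ahc_check() {
    log="$1"
    errors=$(ahc_count "$log" errors)
    archives=$(ahc_count "$log" archives)
    files=$(ahc_count "$log" files)
    if [ -z "$errors" ]; then
        echo "ahc: no 'Number of errors' line; did ahc:run execute?" >&2; return 1
    fi
    if [ "$errors" -ne 0 ]; then
        echo "ahc: scan reported $errors error(s)" >&2; return 1
    fi
    if [ "${archives:-0}" -eq 0 ] && [ "${files:-0}" -eq 0 ]; then
        echo "ahc: nothing scanned (0 archives, 0 files); run 'package' first" >&2; return 1
    fi
    if ! printf '%s\n' "$log" | grep -q '^\[INFO\] Uploading scan to '; then
        echo "ahc: scan was not uploaded" >&2; return 1
    fi
    if ! printf '%s\n' "$log" | grep -q 'BUILD SUCCESS'; then
        echo "ahc: Maven build failed" >&2; return 1
    fi
    return 0
}

# Typical CI use (the mvn invocation is the one from the post; the address is a placeholder):
#   mvn package com.sonatype.insight:ahc:run -Dahc.email=ci@example.com | tee ahc.log
#   ahc_check "$(cat ahc.log)" || exit 1
ahc_check "$SAMPLE_LOG" && echo "ahc: scan uploaded, watch for the report email"
```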

Of course, if you use the plugin on a regular basis to check your apps, you can avoid typing the plugin’s full groupId and artifactId (and the email address) every time with a few tweaks to your Maven settings file. Open, or create, the following file:

${user.home}/.m2/settings.xml

Then, enter the XML below in it:

<settings>
...
  <!-- lets Maven resolve the short goal name "ahc:run" without the groupId -->
  <pluginGroups>
    <pluginGroup>com.sonatype.insight</pluginGroup>
...
  </pluginGroups>
  <!-- supplies ahc.email so you no longer need to pass it with -D -->
  <profiles>
    <profile>
      <id>insight</id>
      <properties>
        <ahc.email>my.name@mycompany.com</ahc.email>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>insight</activeProfile>
  </activeProfiles>
</settings>

That blob of XML makes mvn package ahc:run a no-brainer: the plugin group lets Maven resolve the short goal name, and the always-active profile supplies the email address. If you have a project and want to start tracking OSS licenses and vulnerabilities, this is the way to do it. We’ll scan your project and then send you an email with the results of the scan.

The plugin has a few more optional parameters, e.g. to exclude proprietary packages or to customize the report label. Check out our knowledge base for the details.