Lessons

Scanning for Maven Security Vulnerabilities using Github Actions

In this lesson, I'm going to setup how to scan for security vulnerabilities in Maven packages. They will happen on every push to all branches using Github Actions. I will be leveraging this library.

The assumption is you have a Maven project setup and some basic understanding of Maven. First step is to build your JAR:

1
mvn clean package

You package should build without any issues. Next, you can try the security check:

1
mvn com.redhat.victims.maven:security-versions:check

This check may or may not return issues.

Github Actions

You should have access to Github Actions (as of writing its in private beta). You will need to create a new workflow file. You can run this command from your project's root directory:

1
2
mkdir -p .github/workflows/
touch .github/workflows/all_branches.yml

The contents should start as this:

1
2
3
4
5
6
7
8
9
10
11
12
name: AllBranchesCI
on:
  push:
    branches:
      - '*'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Run Security Checks
      run: echo "Hello World"

Commit that to your master branch. You may have to commit another file to run it. Verify it runs as expected.

Your Github Actions pipeline is as expected.

Running Security Check On Local

We will be running the security check with the output going into the file. We will grep the file for is vulnerable to . If it's true, then we will exit. This can all be done locally.

Create a folder called scripts and a subfolder called pipeline

1
mkdir -p scripts/pipeline/

Create an initial file.

1
touch scripts/pipeline/security_checks.sh

The contents will be as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Create brand new security_checks_log file.
rm -rf security_checks_log.txt
touch security_checks_log.txt

# Run security check
mvn com.redhat.victims.maven:security-versions:check >> security_checks_log.txt

# Check for security vulnerability
if grep -q "is vulnerable to" security_checks_log.txt
then
  echo "Yes, security vulnerabilities found."
  exit 1
fi

# Display security_logs
cat security_checks_log.txt

# Delete security check log file
rm security_checks_log.txt

You can run it with:

1
bash scripts/pipeline/security_checks.sh

Next step is to update the workflow to run it.

1
2
3
4
5
6
7
8
9
10
11
12
name: AllBranchesCI
on:
  push:
    branches:
      - '*'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Run Security Checks
      run: bash scripts/pipeline/security_checks.sh

I'm going to add a security vulnerability on purpose. Don't forget to remove it. Add this to your pom.xml:

1
2
3
4
5
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.0.5</version>
</dependency>

I removed the cat security_checks_log.txt temporarily. I ran the script locally.

Since it does detect it, we need to confirm the workflow fails. This avoids shipping an insecure JAR. Push to your remote branch.

Don't forget to remove the insecure dependency.

Conclusion

And that's it! You're all setup to catch security vulnerabilities in your Maven dependencies. This is a simple helpful layer to avoid known issues. I have lots more lessons on Github Actions, check them out! Thanks for reading!