Maven Goals

Introduction

The Xanitizer Maven plugin contains the following Mojos for a Xanitizer security analysis:

Please note that the “Create Snapshot” Mojo has to be executed after all “Create Report” Mojos to show differences between the current version and the latest snapshot for trend monitoring in the reports. The “Export Project” Mojo has to be executed after the “Create Snapshot” Mojo so that the exported archive contains the snapshot, too.

Compatibility

Maven Plugin Version                        1.3.1     1.2.0     1.1.1
Xanitizer Version                           ≥ 4.3.2   ≥ 4.3     < 4.3

Maven Mojos
Run Security Analysis                       yes       yes       yes
Create Report                               yes       yes       no
Create Snapshot                             yes       yes       no
Export Project                              yes       yes       no
Update OWASP Dependency Check Repository    yes       yes       no
Install License File                        yes       no        no

Download and Installation

The Xanitizer plugin is provided from RIGS IT's Maven repository.

To use the repository, add the following lines to your pom.xml file:

<pluginRepositories>
    <pluginRepository>
        <releases>
            <enabled>true</enabled>
            <updatePolicy>always</updatePolicy>
            <checksumPolicy>fail</checksumPolicy>
        </releases>

        <id>XanitizerRepository</id>
        <name>XanitizerRepository</name>
        <url>https://rigs-it.com/maven2</url>
        <layout>default</layout>
    </pluginRepository>
</pluginRepositories>

In order to use the Maven Mojos, Xanitizer must be installed on the respective machine.

Run Security Analysis Mojo

This Mojo can run a Xanitizer security analysis containing the optional steps “export project”, “create report”, and “create snapshot”.

The Mojo can be configured like this:

...
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <installDir></installDir>
                <logLevel></logLevel>
                <licenseServerRetryCount></licenseServerRetryCount>
                <proxyServer></proxyServer>
                <proxyPort></proxyPort>
                <proxyUser></proxyUser>
                <proxyPassword></proxyPassword>
                <configFile></configFile>
                <projectDataDirectory></projectDataDirectory>
                <haltOnMissingSearchPaths></haltOnMissingSearchPaths>
                <haltOnNewFindings></haltOnNewFindings>
                <haltOnFindings></haltOnFindings>
                <newFindingsRatingThreshold></newFindingsRatingThreshold>
                <findingsRatingThreshold></findingsRatingThreshold>
                <overviewReportOutputFile></overviewReportOutputFile>
                <findingsListReportOutputFile></findingsListReportOutputFile> 
                <onlyProblemsInFindingsListReport></onlyProblemsInFindingsListReport> 
                <generateDetailsInFindingsListReport></generateDetailsInFindingsListReport> 
                <createSnapshot></createSnapshot> 
                <snapshotComment></snapshotComment> 
                <exportDirectory></exportDirectory> 
                <exportPassphrase></exportPassphrase>
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>runSecurityAnalysis</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
...

After the configuration, the following command line can be used to invoke the Maven goal 'runSecurityAnalysis':

mvn xanitizer:runSecurityAnalysis

For multi-module projects with a given Xanitizer configuration file, be aware that the Xanitizer “Run Security Analysis” Mojo is executed for every child module of the parent module on which the goal 'runSecurityAnalysis' is bound; this is normally not what is wanted. It is therefore recommended to execute this goal on a childless module where the Xanitizer options have been configured. Another possibility is to set <inherited> to 'false' in the execution.

Note that the Xanitizer “Run Security Analysis” Mojo with a Xanitizer configuration file will get all necessary information about the project setup from the Xanitizer configuration file, not from the Maven environment. Thus, it is the task of the user to keep the configuration file and the Maven project in sync.

A description of the parameters can be found in the Parameters section below.
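As an added example that is not part of the original documentation, the following pom.xml fragment fills in the “Run Security Analysis” Mojo as a CI quality gate: it fails the build on stale search paths or on new findings at or above a rating threshold, writes both reports, and creates a snapshot afterwards for trend monitoring. The installation directory, configuration file path, threshold value and output paths are placeholders and assumptions, not values from the page.

```xml
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <!-- Placeholders: replace with your Xanitizer installation and project configuration file -->
                <installDir>/opt/xanitizer</installDir>
                <configFile>${project.basedir}/xanitizer/project-config-file</configFile>

                <!-- Build gate: fail on configured search paths that no longer exist,
                     and on NEW findings rated at or above the threshold.
                     The threshold value 7 is an assumed example; the page only states the default 5. -->
                <haltOnMissingSearchPaths>true</haltOnMissingSearchPaths>
                <haltOnNewFindings>true</haltOnNewFindings>
                <newFindingsRatingThreshold>7</newFindingsRatingThreshold>

                <!-- Reports: overview as PDF, findings list as XML with full details,
                     restricted to findings with problem classifications -->
                <overviewReportOutputFile>${project.build.directory}/xanitizer/overview.pdf</overviewReportOutputFile>
                <findingsListReportOutputFile>${project.build.directory}/xanitizer/findings.xml</findingsListReportOutputFile>
                <onlyProblemsInFindingsListReport>true</onlyProblemsInFindingsListReport>
                <generateDetailsInFindingsListReport>true</generateDetailsInFindingsListReport>

                <!-- Snapshot of this analysis state so the next run can report the trend -->
                <createSnapshot>true</createSnapshot>
                <snapshotComment>CI build ${project.version}</snapshotComment>

                <!-- Floating license: retry once per minute up to 5 times before failing -->
                <licenseServerRetryCount>5</licenseServerRetryCount>
                <logLevel>WARNING</logLevel>
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>runSecurityAnalysis</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

Bind this on a childless module (or keep <inherited> at false as shown) so that `mvn verify` runs the analysis exactly once for the project.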

Create Report Mojo

This Mojo can be used to create more than one report by executing the “Create Report” Mojo with different report settings after the “Run Security Analysis” Mojo described above. Please note that the “Create Snapshot” Mojo described below has to be executed after all “Create Report” Mojo calls to show differences between the current version and the latest snapshot for trend monitoring in the reports.

The Mojo can be configured like this:

...
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <installDir></installDir>
                <logLevel></logLevel>
                <licenseServerRetryCount></licenseServerRetryCount>
                <proxyServer></proxyServer>
                <proxyPort></proxyPort>
                <proxyUser></proxyUser>
                <proxyPassword></proxyPassword>
                <configFile></configFile>
                <projectDataDirectory></projectDataDirectory>
                <overviewReportOutputFile></overviewReportOutputFile>
                <findingsListReportOutputFile></findingsListReportOutputFile> 
                <onlyProblemsInFindingsListReport></onlyProblemsInFindingsListReport> 
                <generateDetailsInFindingsListReport></generateDetailsInFindingsListReport> 
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>createReport</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
...

After the configuration, the following command line can be used to invoke the Maven goal 'createReport':

mvn xanitizer:createReport

For multi-module projects with a given Xanitizer configuration file, be aware that the Xanitizer “Create Report” Mojo is executed for every child module of the parent module on which the goal 'createReport' is bound; this is normally not what is wanted. It is therefore recommended to execute this goal on a childless module where the Xanitizer options have been configured. Another possibility is to set <inherited> to 'false' in the execution.

A description of the parameters can be found in the Parameters section below.

Create Snapshot Mojo

This Mojo creates a snapshot of the current analysis state. Please note that the “Create Snapshot” Mojo has to be executed after all “Create Report” Mojo calls to show differences between the current version and the latest snapshot for trend monitoring in the reports.

The Mojo can be configured like this:

...
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <installDir></installDir>
                <logLevel></logLevel>
                <licenseServerRetryCount></licenseServerRetryCount>
                <proxyServer></proxyServer>
                <proxyPort></proxyPort>
                <proxyUser></proxyUser>
                <proxyPassword></proxyPassword>
                <configFile></configFile>
                <projectDataDirectory></projectDataDirectory>
                <createSnapshot></createSnapshot> 
                <snapshotComment></snapshotComment> 
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>createSnapshot</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
...

After the configuration, the following command line can be used to invoke the Maven goal 'createSnapshot':

mvn xanitizer:createSnapshot

For multi-module projects with a given Xanitizer configuration file, be aware that the Xanitizer “Create Snapshot” Mojo is executed for every child module of the parent module on which the goal 'createSnapshot' is bound; this is normally not what is wanted. It is therefore recommended to execute this goal on a childless module where the Xanitizer options have been configured. Another possibility is to set <inherited> to 'false' in the execution.

A description of the parameters can be found in the Parameters section below.

Export Project Mojo

This Mojo can be used to export the project as an optionally password-protected zip archive, so that it can be imported on another machine or by another user.

The Mojo can be configured like this:

...
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <installDir></installDir>
                <logLevel></logLevel>
                <licenseServerRetryCount></licenseServerRetryCount>
                <proxyServer></proxyServer>
                <proxyPort></proxyPort>
                <proxyUser></proxyUser>
                <proxyPassword></proxyPassword>
                <configFile></configFile>
                <projectDataDirectory></projectDataDirectory>
                <exportDirectory></exportDirectory> 
                <exportPassphrase></exportPassphrase>
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>exportProject</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
...

After the configuration, the following command line can be used to invoke the Maven goal 'exportProject':

mvn xanitizer:exportProject

For multi-module projects with a given Xanitizer configuration file, be aware that the Xanitizer “Export Project” Mojo is executed for every child module of the parent module on which the goal 'exportProject' is bound; this is normally not what is wanted. It is therefore recommended to execute this goal on a childless module where the Xanitizer options have been configured. Another possibility is to set <inherited> to 'false' in the execution.

A description of the parameters can be found in the Parameters section below.

Install License File Mojo

This Mojo can be used to install a new license file to run Xanitizer. If the license is a floating license and a proxy server is necessary to access the license server, please specify the proxy server settings. If no settings are specified, the settings from the Xanitizer properties file will be used.

The Mojo can be configured like this:

...
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <installDir></installDir>
                <logLevel></logLevel>
                <licenseServerRetryCount></licenseServerRetryCount>
                <proxyServer></proxyServer>
                <proxyPort></proxyPort>
                <proxyUser></proxyUser>
                <proxyPassword></proxyPassword>
                <licenseFile></licenseFile>
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>installLicenseFile</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
...

After the configuration, the following command line can be used to invoke the Maven goal 'installLicenseFile':

mvn xanitizer:installLicenseFile

For multi-module projects with a given Xanitizer configuration file, be aware that the Xanitizer “Install License File” Mojo is executed for every child module of the parent module on which the goal 'installLicenseFile' is bound; this is normally not what is wanted. It is therefore recommended to execute this goal on a childless module where the Xanitizer options have been configured. Another possibility is to set <inherited> to 'false' in the execution.

A description of the parameters can be found in the Parameters section below.

Update OWASP Dependency Check Repository Mojo

The OWASP Dependency Check is based on vulnerability data stored in a local repository. This Mojo can be used to update the OWASP Dependency Check repository periodically. To update the repository, the Mojo needs remote access to the National Vulnerability Database (NIST). If a proxy server is necessary to access the internet, please specify the proxy server settings. If no settings are specified, the settings from the Xanitizer properties file will be used.

The Mojo can be configured like this:

...
<build>
    <plugins>
        <plugin>
            <groupId>com.rigsit</groupId>
            <artifactId>xanitizer-maven-plugin</artifactId>
            <configuration>
                <installDir></installDir>
                <logLevel></logLevel>
                <licenseServerRetryCount></licenseServerRetryCount>
                <proxyServer></proxyServer>
                <proxyPort></proxyPort>
                <proxyUser></proxyUser>
                <proxyPassword></proxyPassword>
            </configuration>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <inherited>false</inherited>
                    <goals>
                        <goal>updateOwaspDependencyCheckRepository</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
...

After the configuration, the following command line can be used to invoke the Maven goal 'updateOwaspDependencyCheckRepository':

mvn xanitizer:updateOwaspDependencyCheckRepository

For multi-module projects with a given Xanitizer configuration file, be aware that the Xanitizer “Update OWASP Dependency Check Repository” Mojo is executed for every child module of the parent module on which the goal 'updateOwaspDependencyCheckRepository' is bound; this is normally not what is wanted. It is therefore recommended to execute this goal on a childless module where the Xanitizer options have been configured. Another possibility is to set <inherited> to 'false' in the execution.

A description of the parameters can be found in the Parameters section below.

Using Maven Profiles

If the POM file is also used by users without a Xanitizer installation, it is possible to execute Xanitizer via a profile. Xanitizer will then only be run if the profile is specified, e.g. in the command line call parameters. An example of a Xanitizer profile to run a security analysis is:

...
<profiles>
    <profile>
        <id>xanitizer</id>
        <build>
            <plugins>
                <plugin>
                    <groupId>com.rigsit</groupId>
                    <artifactId>xanitizer-maven-plugin</artifactId>
                    <configuration>
                        <installDir>path to the installation directory</installDir>
                        <configFile>path to the Xanitizer configuration file</configFile>
                    </configuration>
                    <executions>
                        <execution>
                            <phase>verify</phase>
                            <inherited>false</inherited>
                            <goals>
                                <goal>runSecurityAnalysis</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>
...

The command line call to run Maven with the Xanitizer profile is

mvn -Pxanitizer verify

Parameters

The parameters are given as XML elements, inside a <configuration> element, where the key is the name of the element, and the value is the text of the element.

There is an alternative to using a <configuration> element for specifying the parameters for the analysis: they can also be specified via properties, by any of the mechanisms supported by Maven for specifying properties with their values. This way, they can also be specified in a settings.xml file, in the <properties> element inside a <profile> element. Note that in order to avoid name clashes with other properties, the property names must be prefixed with “xanitizer” and a dot, so that e.g. the property for the installation directory would be named xanitizer.installDir.
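As an added example that is not part of the original documentation, the following settings.xml fragment supplies the machine-specific and proxy parameters as xanitizer.-prefixed properties in an always-active profile, so that the project's pom.xml only binds the goal and carries no local paths or proxy credentials. The profile id, paths, proxy host and port are assumed values.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <!-- Assumed profile id; lives in the build agent's ~/.m2/settings.xml, not in the repository -->
      <id>xanitizer-agent</id>
      <properties>
        <!-- Same names as the <configuration> elements, prefixed with "xanitizer." -->
        <xanitizer.installDir>/opt/xanitizer</xanitizer.installDir>
        <xanitizer.logLevel>WARNING</xanitizer.logLevel>
        <!-- Floating license: retry once per minute, up to 10 times, before failing -->
        <xanitizer.licenseServerRetryCount>10</xanitizer.licenseServerRetryCount>
        <!-- Proxy for the license server and the NVD update (assumed host and port) -->
        <xanitizer.proxyServer>proxy.example.internal</xanitizer.proxyServer>
        <xanitizer.proxyPort>3128</xanitizer.proxyPort>
        <xanitizer.proxyUser>ci-proxy-user</xanitizer.proxyUser>
        <!-- Keep the password out of the POM; this file should be readable only by the build account -->
        <xanitizer.proxyPassword>PLACEHOLDER_PROXY_PASSWORD</xanitizer.proxyPassword>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>xanitizer-agent</activeProfile>
  </activeProfiles>
</settings>
```

With these properties in place, the pom.xml plugin entry needs only the execution binding (and project-specific values such as configFile), and the usual `mvn verify` picks the machine settings up automatically.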

There are the following parameters for the Xanitizer Maven Mojos:

installDir
    Default: <empty>
    This specifies the Xanitizer installation directory where the Maven Mojo can find the necessary Xanitizer command line application.

configFile
    Default: <empty>
    The path to the Xanitizer configuration file of the project that should be analyzed.
    Either this parameter or the parameter 'rootDirectory' must be specified, but not both.

rootDirectory
    Default: <empty>
    The root directory, to be used for default set-ups.
    Either this parameter or the parameter 'configFile' must be specified, but not both.

projectName
    Default: <empty>
    The project name that should be used.
    Only relevant if the parameter 'rootDirectory' is specified.
    If not given, the simple name of the root directory is used.

configFileDirectory
    Default: <empty>
    The directory where to put the generated configuration file.
    Only relevant if the parameter 'rootDirectory' is specified.
    If not given, the configuration file is generated in a subdirectory of the user's .Xanitizer directory.

overwriteConfigFile
    Default: false
    Boolean flag specifying if an existing config file is to be overwritten.
    Only relevant if the parameter 'rootDirectory' is specified.

projectDataDirectory
    Default: <empty>
    Xanitizer's project data directory, if it is not the default one in <HOME>/.Xanitizer or the one specified in that default directory.

createSnapshot
    Default: false
    Boolean flag specifying whether a snapshot should be created after parsing and analyzing the current version or not.

snapshotComment
    Default: <empty>
    Optional comment added to the newly created snapshot.
    Only relevant if the parameter 'createSnapshot' is true.

overviewReportOutputFile
    Default: <empty>
    The output location of the overview report.
    This has to be either a file, or the parameter has to be undefined or empty if no overview report should be written.
    Allowed file extensions are: PDF, HTML, DOCX.

findingsListReportOutputFile
    Default: <empty>
    The output location of the findings list report.
    This has to be either a file, or the parameter has to be undefined or empty if no findings list report should be written.
    Allowed file extensions are: PDF, HTML, DOCX, XML, CSV.

onlyProblemsInFindingsListReport
    Default: false
    Boolean flag specifying if only findings with problem classifications are written to the findings list report.

generateDetailsInFindingsListReport
    Default: false
    Boolean flag specifying if all the details of a finding are written to the findings list report.
    Note: Only relevant if the file extension of the parameter 'findingsListReportOutputFile' is XML or HTML.

exportDirectory
    Default: <empty>
    The output directory of the project export.
    Note: If the parameter is undefined or an empty string, the project is not exported.

exportPassphrase
    Default: <empty>
    The pass phrase for the project export.
    The parameter is only used if an export directory is set.
    If the parameter is not set or empty, the exported project is not encrypted.

haltOnMissingSearchPaths
    Default: false
    Boolean flag specifying whether the task should fail if there are search paths configured that do not exist anymore.

haltOnNewFindings
    Default: false
    Boolean flag specifying whether the task should fail if there are *NEW* findings with a rating equal to or higher than the value defined for newFindingsRating.

newFindingsRatingThreshold
    Default: 5
    A rating value. Only used if haltOnNewFindings is set.

haltOnFindings
    Default: false
    Boolean flag specifying whether the task should fail if there are findings with a rating equal to or higher than the value defined for findingsRating.

findingsRatingThreshold
    Default: 5
    A rating value. Only used if haltOnFindings is set.

licenseFile
    Default: <empty>
    The path to the Xanitizer license file.
    Note: If the license is a floating license and a proxy server is used to access the license server, please specify the proxy server settings.
    If no settings are specified, the settings from the Xanitizer properties file will be used.

proxyServer
    Default: <empty>
    Optional proxy server to access the internet, either to update the OWASP Dependency Check repository or to request a license token from the public license server in case of a floating license.
    Note: If no settings are specified, the settings from the Xanitizer properties file will be used.

proxyPort
    Default: -1
    Optional proxy server port to access the National Vulnerability Database (NIST) to update the OWASP Dependency Check repository via a proxy.

proxyUser
    Default: <empty>
    Optional proxy server user name to access the National Vulnerability Database (NIST) to update the OWASP Dependency Check repository via a proxy.

proxyPassword
    Default: <empty>
    Optional proxy server user password to access the National Vulnerability Database (NIST) to update the OWASP Dependency Check repository via a proxy.

logLevel
    Default: INFO
    The logging level to be used when running Xanitizer.
    Values: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.

licenseServerRetryCount
    Default: 0
    Number of attempts to get a license token from the license server.
    Note: If the used Xanitizer license is a machine-bound license, this parameter will be ignored.
    If the used Xanitizer license is a floating license, it may happen that all tokens are in use or the connection to the license server is not available at startup. In such cases, no license token can be requested successfully from the license server to start Xanitizer, and the headless process would terminate with a license error.
    If this parameter is set to a value greater than zero, Xanitizer attempts every minute to request a license token until the specified count has been reached.
    Setting this parameter to zero disables the repetition.

Examples

The Xanitizer tutorial uses the OWASP WebGoat project, which is part of each Xanitizer installation. WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. The folder “scripts” of the Xanitizer installation contains some example pom.xml files which can be used to automatically detect security vulnerabilities inside the WebGoat project.