diff --git a/.gitignore b/.gitignore index 74c91e3..f5ed9fa 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,6 @@ /test/ae-vulnerability-mirror/ /.mvn/ + +# FIXME: how to deal with correlation data? Split? +/advisors/correlation/shared diff --git a/README.md b/README.md index b5d63de..d8a43f3 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,9 @@ ## Build Instructions -Mirror the vulnerability databases once using the `mirror-database` profile: +Mirror the vulnerability databases once using the `mirror-download` profile: - mvn clean install -Pmirror-database,index-database + mvn clean install -Pmirror-download,mirror-index To successfully mirror the database an API-Key might be necessary if not provided already. Either create a new top-level directory `.maven` containing a `maven.config` file which should contain the following: @@ -37,7 +37,7 @@ Either create a new top-level directory `.maven` containing a `maven.config` fil Or append the flag directly via CLI: - mvn clean install -Pmirror-database,index-database -Dnvd.apikey= + mvn clean install -Pmirror-download,mirror-index -Dnvd.apikey= This process may take around 40 minutes. The process will create a local mirror of public vulnerability data in the `.database` folder. Rerun the process to update the data regularly. diff --git a/advisors/openssl-advisor/correlation/README.md b/advisors/correlation/README.md similarity index 100% rename from advisors/openssl-advisor/correlation/README.md rename to advisors/correlation/README.md diff --git a/advisors/example-advisor/assessment/baseline.yaml b/advisors/example-advisor/assessment/baseline.yaml index 27bfdc0..439c518 100755 --- a/advisors/example-advisor/assessment/baseline.yaml +++ b/advisors/example-advisor/assessment/baseline.yaml @@ -14,5 +14,7 @@ history: scope: inventory -cvssV3: MAV:A/MAC:H -cvssV2: AV:A +cvssV3: + lower: MAV:A/MAC:H +cvssV2: + lower: AV:A 
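Review bot: `MAC:H` in the new `lower:` entry under `cvssV3` sets Modified Attack Complexity, yet the rationale that accompanies the same vector in the `baseline.yaml_` files added for openssl-1.1-advisor and openssl-3.0-advisor says "Additional privileges are required (MAC:H)". In CVSS v3 privileges are expressed by MPR, not MAC. With `scope: inventory` the adjustment appears to cover every vulnerability in the inventory, so the wording and the vector should agree: either reword the rationale to speak of attack complexity, or use `lower: MAV:A/MPR:H` if privileges are what is meant. A short comment above the entry such as `# lower: adjusted vector is only used to reduce a score (confirm against the LOWER rule in security-policy-dashboard.json)` would also document the new nested form. The rationale text itself lies outside this hunk.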
diff --git a/advisors/openssl-advisor/assessment/README.md b/advisors/openssl-1.1-advisor/assessment/README.md similarity index 100% rename from advisors/openssl-advisor/assessment/README.md rename to advisors/openssl-1.1-advisor/assessment/README.md diff --git a/advisors/openssl-1.1-advisor/assessment/baseline.yaml_ b/advisors/openssl-1.1-advisor/assessment/baseline.yaml_ new file mode 100755 index 0000000..e9337e0 --- /dev/null +++ b/advisors/openssl-1.1-advisor/assessment/baseline.yaml_ @@ -0,0 +1,20 @@ +history: + - rationale: + "

+ The application services are operated in an isolated network. No direct access from the external adversaries + shall be possible. +

+

+ The CVSS vectors have been adjusted to expect that an adversary must have access to the network the + application service are deployed (MAV:A; AV:A). Additional privileges are required (MAC:H) as the adversary + must have already passed the gateway-level security perimeter or the physical protection of the data center. +

" + date: 2024-08-24 + author: KKL + +scope: inventory + +cvssV3: + lower: MAV:A/MAC:H +cvssV2: + lower: AV:A diff --git a/advisors/openssl-1.1-advisor/context/CTX_external-attackers.yaml b/advisors/openssl-1.1-advisor/context/CTX_external-attackers.yaml new file mode 100755 index 0000000..ec972aa --- /dev/null +++ b/advisors/openssl-1.1-advisor/context/CTX_external-attackers.yaml @@ -0,0 +1,21 @@ +sets: + - name: external attacker + category: external threat + score: 3.0 + min: + - amount: 1 + keywords: + - external attacker + - external attackers + - external adversary + - external adversaries + - external user + - remote attacker + - remote attackers + - remote adversary + - remote adversaries + - remote code execution + - remote code executions + - RCE + - execute arbitrary code + - initiate the attack remotely diff --git a/advisors/openssl-1.1-advisor/context/CTX_information-disclosure.yaml b/advisors/openssl-1.1-advisor/context/CTX_information-disclosure.yaml new file mode 100755 index 0000000..40856a7 --- /dev/null +++ b/advisors/openssl-1.1-advisor/context/CTX_information-disclosure.yaml @@ -0,0 +1,19 @@ +sets: + - name: information disclosure + category: confidentiality threat + score: 3.0 + min: + - amount: 1 + keywords: + - information disclosure + - making private services on the VM accessible to the network + - leaking credential + - leaked credential + - leaked credentials + - credential leak + - credentials leak + - exposed credantial + - credential exposed + - credentials exposed + - readable by unauthorized + - readable by unauthorised diff --git a/advisors/openssl-1.1-advisor/context/CTX_malicious-content.yaml b/advisors/openssl-1.1-advisor/context/CTX_malicious-content.yaml new file mode 100755 index 0000000..d0e219c --- /dev/null +++ b/advisors/openssl-1.1-advisor/context/CTX_malicious-content.yaml 
@@ -0,0 +1,17 @@
+sets:
+ - name: malicious content
+ category: integrity threat
+ score: 3.0
+ min:
+ - amount: 1
+ keywords:
+ - request smuggling
+ - missing input validation
+ - SQL injection
+ - sql injection
+ - sql-injection
+ - XML External Entity Injection
+ - XML Entity Expansion
+ - XXE
+ - specifically crafted request
+ - specifically crafted conent
diff --git a/advisors/openssl-1.1-advisor/context/CTX_privilege-escalation.yaml b/advisors/openssl-1.1-advisor/context/CTX_privilege-escalation.yaml
new file mode 100755
index 0000000..01250bb
--- /dev/null
+++ b/advisors/openssl-1.1-advisor/context/CTX_privilege-escalation.yaml
@@ -0,0 +1,14 @@
+sets:
+ - name: privilege escalation
+ category: general threat
+ score: 3.0
+ min:
+ - amount: 1
+ keywords:
+ - privilege escalation
+ - jailbreak
+ - container escape
+ - to access any other file
+ - arbitrary code execution
+ - allows unauthorized acccess
+ - allows unauthorised acccess
diff --git a/advisors/openssl-1.1-advisor/context/CTX_request-forgery.yaml b/advisors/openssl-1.1-advisor/context/CTX_request-forgery.yaml
new file mode 100755
index 0000000..138095b
--- /dev/null
+++ b/advisors/openssl-1.1-advisor/context/CTX_request-forgery.yaml
@@ -0,0 +1,10 @@
+sets:
+ - name: request forgery
+ category: external threat
+ score: 2.0
+ min:
+ - amount: 1
+ keywords:
+ - cross-site request forgery
+ - CSFR
+ - forge requests
diff --git a/advisors/openssl-1.1-advisor/context/CTX_resource-exemption.yaml b/advisors/openssl-1.1-advisor/context/CTX_resource-exemption.yaml
new file mode 100755
index 0000000..2bc3bfb
--- /dev/null
+++ b/advisors/openssl-1.1-advisor/context/CTX_resource-exemption.yaml
@@ -0,0 +1,14 @@
+sets:
+ - name: resource exemption
+ category: external threat
+ score: 1.0
+ min:
+ - amount: 1
+ keywords:
+ - resource consumption
+ - resource exemption
+ - denial of service
+ - denial of service attacks
+ - connection pool exhaustion
+ - memory leak
+ - resource leak
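Review bot: Several keywords in the new context sets are misspelled and will not match advisory text if matching is literal: `specifically crafted conent` in CTX_malicious-content.yaml, `allows unauthorized acccess` and `allows unauthorised acccess` in CTX_privilege-escalation.yaml, `CSFR` in CTX_request-forgery.yaml, and `exposed credantial` in CTX_information-disclosure.yaml. The openssl-3.0-advisor copies carry the same entries. A vulnerability described with the usual spelling would miss the set's score and be ranked lower than intended, which matters most for the request-forgery set, where the abbreviation is one of only three keywords. The corrected entries would be `- specifically crafted content`, `- CSRF`, `- allows unauthorized access` (and the `unauthorised` variant), and `- exposed credential`. `resource exemption` in CTX_resource-exemption.yaml probably means `resource exhaustion`; if so, add that phrase as a keyword as well.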
diff --git a/advisors/openssl-advisor/context/README.md b/advisors/openssl-1.1-advisor/context/README.md similarity index 76% rename from advisors/openssl-advisor/context/README.md rename to advisors/openssl-1.1-advisor/context/README.md index f5eec57..a21f1da 100755 --- a/advisors/openssl-advisor/context/README.md +++ b/advisors/openssl-1.1-advisor/context/README.md @@ -1,5 +1,3 @@ # Vulnerability Context Definition Within the folder `context` configurations can be places that help to prioritize vulnerabilities on a general level. - -Currently, no context information is provided. \ No newline at end of file diff --git a/advisors/openssl-1.1-advisor/inventory/openssl-inventory.xls b/advisors/openssl-1.1-advisor/inventory/openssl-inventory.xls new file mode 100644 index 0000000..0f9d3ff Binary files /dev/null and b/advisors/openssl-1.1-advisor/inventory/openssl-inventory.xls differ diff --git a/advisors/openssl-1.1-advisor/pom.xml b/advisors/openssl-1.1-advisor/pom.xml new file mode 100755 index 0000000..38ef047 --- /dev/null +++ b/advisors/openssl-1.1-advisor/pom.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + + org.metaeffekt.example.documentation + ae-advisors + 1.0.0-SNAPSHOT + + + ae-openssl-1.1-advisor + jar + + + ${project.basedir}/inventory/openssl-inventory.xls + + OpenSSL-1.1.1o + Vulnerability Assessment Dashboard + Demo Dashboard for OpenSSL-1.1.1o + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + org.metaeffekt.core + ae-inventory-maven-plugin + + + + com.metaeffekt.artifact.analysis + ae-inventory-enrichment-plugin + + + + + + + org.metaeffekt.example.documentation + ae-inventory-extractor + ${project.version} + provided + + + + diff --git a/advisors/openssl-3.0-advisor/assessment/README.md b/advisors/openssl-3.0-advisor/assessment/README.md new file mode 100755 index 0000000..6bb164e --- /dev/null +++ b/advisors/openssl-3.0-advisor/assessment/README.md 
@@ -0,0 +1,8 @@ +# Vulnerability Assessment + +The `assessment` folder container yaml files that contain context-specific assessment information. + +The example uses an assessment of CVE-2021-44228 (here as an applicable vulnerability) and CVE-2021-45046 as +vulnerability that is not applicable, because the affected MDC feature is not used in this context. + +The example is artifical and meant to illustrate the different options for vulnerability assessment. \ No newline at end of file diff --git a/advisors/openssl-3.0-advisor/assessment/baseline.yaml_ b/advisors/openssl-3.0-advisor/assessment/baseline.yaml_ new file mode 100755 index 0000000..e9337e0 --- /dev/null +++ b/advisors/openssl-3.0-advisor/assessment/baseline.yaml_ @@ -0,0 +1,20 @@ +history: + - rationale: + "

+ The application services are operated in an isolated network. No direct access from the external adversaries + shall be possible. +

+

+ The CVSS vectors have been adjusted to expect that an adversary must have access to the network the + application service are deployed (MAV:A; AV:A). Additional privileges are required (MAC:H) as the adversary + must have already passed the gateway-level security perimeter or the physical protection of the data center. +

" + date: 2024-08-24 + author: KKL + +scope: inventory + +cvssV3: + lower: MAV:A/MAC:H +cvssV2: + lower: AV:A diff --git a/advisors/openssl-3.0-advisor/context/CTX_external-attackers.yaml b/advisors/openssl-3.0-advisor/context/CTX_external-attackers.yaml new file mode 100755 index 0000000..ec972aa --- /dev/null +++ b/advisors/openssl-3.0-advisor/context/CTX_external-attackers.yaml @@ -0,0 +1,21 @@ +sets: + - name: external attacker + category: external threat + score: 3.0 + min: + - amount: 1 + keywords: + - external attacker + - external attackers + - external adversary + - external adversaries + - external user + - remote attacker + - remote attackers + - remote adversary + - remote adversaries + - remote code execution + - remote code executions + - RCE + - execute arbitrary code + - initiate the attack remotely diff --git a/advisors/openssl-3.0-advisor/context/CTX_information-disclosure.yaml b/advisors/openssl-3.0-advisor/context/CTX_information-disclosure.yaml new file mode 100755 index 0000000..40856a7 --- /dev/null +++ b/advisors/openssl-3.0-advisor/context/CTX_information-disclosure.yaml @@ -0,0 +1,19 @@ +sets: + - name: information disclosure + category: confidentiality threat + score: 3.0 + min: + - amount: 1 + keywords: + - information disclosure + - making private services on the VM accessible to the network + - leaking credential + - leaked credential + - leaked credentials + - credential leak + - credentials leak + - exposed credantial + - credential exposed + - credentials exposed + - readable by unauthorized + - readable by unauthorised diff --git a/advisors/openssl-3.0-advisor/context/CTX_malicious-content.yaml b/advisors/openssl-3.0-advisor/context/CTX_malicious-content.yaml new file mode 100755 index 0000000..d0e219c --- /dev/null +++ b/advisors/openssl-3.0-advisor/context/CTX_malicious-content.yaml 
@@ -0,0 +1,17 @@
+sets:
+ - name: malicious content
+ category: integrity threat
+ score: 3.0
+ min:
+ - amount: 1
+ keywords:
+ - request smuggling
+ - missing input validation
+ - SQL injection
+ - sql injection
+ - sql-injection
+ - XML External Entity Injection
+ - XML Entity Expansion
+ - XXE
+ - specifically crafted request
+ - specifically crafted conent
diff --git a/advisors/openssl-3.0-advisor/context/CTX_privilege-escalation.yaml b/advisors/openssl-3.0-advisor/context/CTX_privilege-escalation.yaml
new file mode 100755
index 0000000..01250bb
--- /dev/null
+++ b/advisors/openssl-3.0-advisor/context/CTX_privilege-escalation.yaml
@@ -0,0 +1,14 @@
+sets:
+ - name: privilege escalation
+ category: general threat
+ score: 3.0
+ min:
+ - amount: 1
+ keywords:
+ - privilege escalation
+ - jailbreak
+ - container escape
+ - to access any other file
+ - arbitrary code execution
+ - allows unauthorized acccess
+ - allows unauthorised acccess
diff --git a/advisors/openssl-3.0-advisor/context/CTX_request-forgery.yaml b/advisors/openssl-3.0-advisor/context/CTX_request-forgery.yaml
new file mode 100755
index 0000000..138095b
--- /dev/null
+++ b/advisors/openssl-3.0-advisor/context/CTX_request-forgery.yaml
@@ -0,0 +1,10 @@
+sets:
+ - name: request forgery
+ category: external threat
+ score: 2.0
+ min:
+ - amount: 1
+ keywords:
+ - cross-site request forgery
+ - CSFR
+ - forge requests
diff --git a/advisors/openssl-3.0-advisor/context/CTX_resource-exemption.yaml b/advisors/openssl-3.0-advisor/context/CTX_resource-exemption.yaml
new file mode 100755
index 0000000..2bc3bfb
--- /dev/null
+++ b/advisors/openssl-3.0-advisor/context/CTX_resource-exemption.yaml
@@ -0,0 +1,14 @@
+sets:
+ - name: resource exemption
+ category: external threat
+ score: 1.0
+ min:
+ - amount: 1
+ keywords:
+ - resource consumption
+ - resource exemption
+ - denial of service
+ - denial of service attacks
+ - connection pool exhaustion
+ - memory leak
+ - resource leak
diff --git a/advisors/openssl-3.0-advisor/context/README.md b/advisors/openssl-3.0-advisor/context/README.md new file mode 100755 index 0000000..a21f1da --- /dev/null +++ b/advisors/openssl-3.0-advisor/context/README.md @@ -0,0 +1,3 @@ +# Vulnerability Context Definition + +Within the folder `context` configurations can be places that help to prioritize vulnerabilities on a general level. diff --git a/advisors/openssl-3.0-advisor/inventory/openssl-inventory.xls b/advisors/openssl-3.0-advisor/inventory/openssl-inventory.xls new file mode 100644 index 0000000..791b55c Binary files /dev/null and b/advisors/openssl-3.0-advisor/inventory/openssl-inventory.xls differ diff --git a/advisors/openssl-advisor/pom.xml b/advisors/openssl-3.0-advisor/pom.xml similarity index 80% rename from advisors/openssl-advisor/pom.xml rename to advisors/openssl-3.0-advisor/pom.xml index e0dfaed..87044d5 100755 --- a/advisors/openssl-advisor/pom.xml +++ b/advisors/openssl-3.0-advisor/pom.xml @@ -9,12 +9,15 @@ 1.0.0-SNAPSHOT - ae-openssl-advisor + ae-openssl-3.0-advisor jar - ${project.build.directory}/input/inventory/ae-inventory-extractor-inventory.xls - correlation + ${project.basedir}/inventory/openssl-inventory.xls + + OpenSSL-3.0.6 + Vulnerability Assessment Dashboard + Demo Dashboard for OpenSSL-3.0.6 diff --git a/advisors/openssl-advisor/correlation/example.yaml b/advisors/openssl-advisor/correlation/example.yaml deleted file mode 100755 index 887f19d..0000000 --- a/advisors/openssl-advisor/correlation/example.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -- Id: openssl-1.1.1i - Version: 1.1.1i - CPE URIs: cpe:/a:openssl_project:openssl, cpe:/a:openssl:openssl -- Id: openssl-1.1.1a - Version: 1.1.1a - CPE URIs: cpe:/a:openssl_project:openssl, cpe:/a:openssl:openssl -- Id: openssl-1.1.1o - Version: 1.1.1o - CPE URIs: cpe:/a:openssl_project:openssl, cpe:/a:openssl:openssl -- Id: openssl-3.0.3 - Version: 3.0.3 - CPE URIs: cpe:/a:openssl_project:openssl, cpe:/a:openssl:openssl -- Id: openssl-3.0.0 - Version: 3.0.0 - CPE URIs: cpe:/a:openssl_project:openssl, cpe:/a:openssl:openssl - diff --git a/advisors/pom.xml b/advisors/pom.xml index 2f7e118..d11327f 100755 --- a/advisors/pom.xml +++ b/advisors/pom.xml @@ -15,7 +15,8 @@ example-advisor - openssl-advisor + openssl-1.1-advisor + openssl-3.0-advisor selected-component-advisor @@ -56,6 +57,7 @@ false true true + false true true true @@ -65,6 +67,10 @@ true process-resources + + Vulnerability Assessment Dashboard + ${project.artifactId} + ${project.artifactId} @@ -155,6 +161,28 @@ ${ae.artifact.analysis.version} + + set-inventory-info + generate-resources + + set-inventory-info + + + true + + vad-customization + + ${dashboard.title} + ${dashboard.subtitle} +
${dashboard.footer}
+
+ + ${input.inventory} + ${input.inventory} +
+
+ + inventory-enrichment-advise-correlate-execution generate-resources @@ -249,7 +277,7 @@ - ${activate.ghsa} + ${activate.ghsa.correlation} true false true diff --git a/advisors/security-policy-dashboard.json b/advisors/security-policy-dashboard.json index 4188ebb..d03afd1 100644 --- a/advisors/security-policy-dashboard.json +++ b/advisors/security-policy-dashboard.json 
@@ -1,12 +1,37 @@ { "insignificantThreshold": 7.0, "includeScoreThreshold": -1.0, - "includeVulnerabilitiesWithAdvisoryProviders": ["all"], - "includeAdvisoryProviders": ["all"], + "includeVulnerabilitiesWithAdvisoryProviders": [{"implementation":"all","name":"all"}], + "includeAdvisoryProviders": [{"implementation":"all","name":"all"}], "includeAdvisoryTypes": ["all"], "vulnerabilityStatusDisplayMapperName": "abstracted", "cvssSeverityRanges": "None:pastel-gray:0.0:0.0,Low:strong-yellow:0.1:3.9,Medium:strong-light-orange:4.0:6.9,High:strong-dark-orange:7.0:8.9,Critical:strong-red:9.0:100.0", "cvssVersionSelectionPolicy": ["LATEST"], "initialCvssSelector": {"stats":[],"rules":[{"method":"ALL","stats":[],"selector":[{"host":["NVD"],"issuerRole":["CNA"],"issuer":["NVD"]},{"host":["Microsoft Corporation"],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["Microsoft Corporation"]},{"host":["GitHub, Inc."],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["GitHub, Inc."]},{"host":["NVD"],"issuerRole":["*"],"issuer":["*"]},{"host":["CERT-SEI"],"issuerRole":["*"],"issuer":["*"]},{"host":["not:Assessment"],"issuerRole":["*"],"issuer":["*"]}],"vectorEval":[]}],"vectorEval":[]}, - "contextCvssSelector": {"stats":[{"comparator":"EQUAL","action":"RETURN_NULL","attribute":"assessment","value":0}],"rules":[{"method":"ALL","stats":[],"selector":[{"host":["NVD"],"issuerRole":["CNA"],"issuer":["NVD"]},{"host":["Microsoft Corporation"],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["Microsoft Corporation"]},{"host":["GitHub, Inc."],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["GitHub, 
Inc."]},{"host":["NVD"],"issuerRole":["*"],"issuer":["*"]},{"host":["CERT-SEI"],"issuerRole":["*"],"issuer":["*"]},{"host":["not:Assessment"],"issuerRole":["*"],"issuer":["*"]}],"vectorEval":[]},{"method":"ALL","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["all"]}],"vectorEval":[]},{"method":"LOWER","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["lower"]}],"vectorEval":[]},{"method":"HIGHER","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["higher"]}],"vectorEval":[]}],"vectorEval":[{"and":["not:IS_BASE_FULLY_DEFINED"],"action":"RETURN_NULL"}]} + "contextCvssSelector": {"stats":[{"comparator":"EQUAL","action":"RETURN_NULL","attribute":"assessment","value":0}],"rules":[{"method":"ALL","stats":[],"selector":[{"host":["NVD"],"issuerRole":["CNA"],"issuer":["NVD"]},{"host":["Microsoft Corporation"],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["Microsoft Corporation"]},{"host":["GitHub, Inc."],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["GitHub, 
Inc."]},{"host":["NVD"],"issuerRole":["*"],"issuer":["*"]},{"host":["CERT-SEI"],"issuerRole":["*"],"issuer":["*"]},{"host":["not:Assessment"],"issuerRole":["*"],"issuer":["*"]}],"vectorEval":[]},{"method":"ALL","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["all"]}],"vectorEval":[]},{"method":"LOWER","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["lower"]}],"vectorEval":[]},{"method":"HIGHER","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["higher"]}],"vectorEval":[]}],"vectorEval":[{"and":["not:IS_BASE_FULLY_DEFINED"],"action":"RETURN_NULL"}]}, + "priorityScoreConfiguration": { + "eol": { + "noExtendedSupport": { + "supportValid": 0, + "supportEndingSoon": 1, + "supportExpired": 2 + }, + "extendedSupport": { + "supportValid": 0, + "supportEndingSoon": 1, + "extendedSupportValid": 1, + "extendedSupportEndingSoon": 1, + "extendedSupportExpired": 2 + } + }, + "epss": { + "min": 0.5, + "f": 0.5, + "F": 1 + }, + "kev": { + "exploit": 2, + "ransomware": 1 + } + } } \ No newline at end of file diff --git a/extractors/inventory-extractors/ae-inventory-extractor/src/main/resources/inventory/ae-inventory-extractor-inventory.xls b/extractors/inventory-extractors/ae-inventory-extractor/src/main/resources/inventory/ae-inventory-extractor-inventory.xls index 87ceb9b..58b0c2e 100644 Binary files a/extractors/inventory-extractors/ae-inventory-extractor/src/main/resources/inventory/ae-inventory-extractor-inventory.xls and b/extractors/inventory-extractors/ae-inventory-extractor/src/main/resources/inventory/ae-inventory-extractor-inventory.xls differ diff --git a/extractors/pom-extractors/ae-pom-extractor/pom.xml b/extractors/pom-extractors/ae-pom-extractor/pom.xml new file mode 100755 index 0000000..51b1b9c 
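Review bot: The new `priorityScoreConfiguration` block is undocumented, and its `epss` section uses the keys `f` and `F`, which differ only by case and are easy to swap when tuning. Nothing in this commit explains what `min`, `f` and `F` control, or how the `eol` and `kev` values combine into a priority score. Since JSON cannot carry comments, a short section in the advisors README should name each key, its unit and its effect on the score. An accidental edit to these weights changes which vulnerabilities surface first on the dashboard.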
--- /dev/null +++ b/extractors/pom-extractors/ae-pom-extractor/pom.xml @@ -0,0 +1,113 @@ + + + 4.0.0 + + + org.metaeffekt.example.documentation + ae-pom-extractors + 1.0.0-SNAPSHOT + ../pom.xml + + + ae-pom-extractor + jar + + + + + org.metaeffekt.core + ae-inventory-maven-plugin + + + + com.metaeffekt.artifact.analysis + ae-artifact-analysis-plugin + + + + + + + org.metaeffekt.core + ae-inventory-maven-plugin + ${ae.core.version} + + + + extract-from-pom + + create-pom-report + + process-sources + + + + + false + false + false + false + + + false + false + + ${project.build.directory} + *.xls + false + + + + + org.apache.logging.log4j + log4j-core + 2.20.0 + + + + + + com.metaeffekt.artifact.analysis + ae-artifact-analysis-plugin + ${ae.artifact.analysis.version} + + + export-spdx + compile + + export-inventory-to-spdx + + + + + ${project.build.directory}/inventory/${project.artifactId}-${project.version}-inventory.xls + ${project.build.directory}/spdx + + com.metaeffekt.universe + ae-metaeffekt-universe + 1.7.0 + + ${universe.consumer.password} + ${universe.consumer.keys} + + + + + + + + + org.springframework + spring-context + 5.3.14 + + + + org.apache.logging.log4j + log4j-core + 2.14.0 + + + + diff --git a/extractors/pom-extractors/pom.xml b/extractors/pom-extractors/pom.xml new file mode 100755 index 0000000..7915a23 --- /dev/null +++ b/extractors/pom-extractors/pom.xml @@ -0,0 +1,25 @@ + + + + 4.0.0 + + + org.metaeffekt.example.documentation + ae-extractors + 1.0.0-SNAPSHOT + + + ae-pom-extractors + pom + + + + false + + + + ae-pom-extractor + + + diff --git a/mirror/pom-deprecated.xml b/mirror/pom-deprecated.xml deleted file mode 100644 index 9b9a28c..0000000 --- a/mirror/pom-deprecated.xml +++ /dev/null 
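Review bot: The new ae-pom-extractor/pom.xml lists `log4j-core` `2.14.0` near its end without saying why. That release is within the range affected by CVE-2021-44228, the CVE the assessment README in this commit uses as its example. If this entry and `spring-context` `5.3.14` are deliberate scan fixtures, mark them with a comment such as `<!-- intentionally outdated: input for the vulnerability extraction demo, not for runtime use -->` so they are not copied elsewhere or "fixed" by an automated bump. The same file reads `${universe.consumer.password}` and `${universe.consumer.keys}`; the description should state that these come from `settings.xml` or the CI secret store and are never committed to `.maven/maven.config`. The XML tags are stripped in this view, so the element names around these values could not be confirmed.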
@@ -1,192 +0,0 @@ - - - - ae-documentation - org.metaeffekt.example.documentation - 1.0.0-SNAPSHOT - - 4.0.0 - - ae-mirror - - - - ${project.basedir}/../.database/ae-vulnerability-mirror-v2 - - none - none - -1 - none - none - - - - - mirror-database - - - - - com.metaeffekt.artifact.analysis - ae-mirror-plugin - ${ae.artifact.analysis.version} - - - - data-mirror - - data-mirror - - - - - ${input.database} - - - ${proxy.scheme} - ${proxy.host} - ${proxy.user} - ${proxy.pass} - ${proxy.port} - - - - - - - https://kb.cert.org/vuls/api/%d/summary/ - - https://kb.cert.org/vuls/api/%s/ - - - - - - - https://www.cert.ssi.gouv.fr/tar/%d.tar - - https://www.cert.ssi.gouv.fr/feed/ - - - - - - - - https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz - - https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta - - https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz - - https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.meta - - - - - - - - https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.zip - - https://nvd.nist.gov/feeds/json/cpematch/1.0/nvdcpematch-1.0.json.zip - - - - - - - https://api.msrc.microsoft.com/cvrf/v2.0/updates - - https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/%s - - - - - - - false - - - https://github.com/github/advisory-database - - https://github.com/github/advisory-database/archive/refs/heads/main.zip - - - - - - - - - - - - - index-database - - - - - com.metaeffekt.artifact.analysis - ae-mirror-plugin - ${ae.artifact.analysis.version} - - - - data-index - - data-mirror - - - - ${input.database} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/mirror/pom.xml b/mirror/pom.xml index 2bc9a95..aedf017 100644 --- a/mirror/pom.xml +++ b/mirror/pom.xml @@ -29,7 +29,7 @@ - mirror-database + mirror-download @@ -210,7 +210,7 @@ - index-database + mirror-index diff --git a/pom.xml b/pom.xml index 09d7010..ec48be5 100755 --- a/pom.xml 
+++ b/pom.xml @@ -18,8 +18,8 @@ - 0.113.0 - 0.107.0 + HEAD-SNAPSHOT + HEAD-SNAPSHOT 0.29.0 false @@ -86,13 +86,13 @@ - mirror-database + mirror-download mirror - index-database + mirror-index mirror
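Review bot: The first pom.xml hunk replaces the fixed versions `0.113.0` and `0.107.0` with `HEAD-SNAPSHOT`, so every build now resolves whatever snapshot the configured repository serves at that moment. For plugins that mirror vulnerability data and compute the assessment dashboards, this makes results non-reproducible and extends trust to whoever can publish snapshots. The property names are not visible here (XML tags stripped); presumably they are the ones referenced elsewhere as `${ae.core.version}` and `${ae.artifact.analysis.version}`. Consider keeping released versions in the committed pom and selecting snapshots only for local development, for example with `-Dae.core.version=HEAD-SNAPSHOT` or a dedicated profile.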