Added a first iteration of a contextualized keycloak inventory with i…

…nventory assessment

Signed-off-by: ywittmann <[email protected]>

advisors/keycloak-contextualized-advisor/assessment/inventory-scope.yaml

@@ -0,0 +1,8 @@
+scope: inventory
+
+cvssV4:
+  lower: MAV:A
+cvssV3:
+  lower: MAV:A
+cvssV2:
+  lower: AV:A

advisors/keycloak-contextualized-advisor/pom.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.metaeffekt.example.documentation</groupId>
+        <artifactId>ae-advisors</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>ae-keycloak-contextualized-advisor</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <input.inventory>${project.basedir}/inventory/ae-example-keycloak-25.0.0.xlsx</input.inventory>
+
+        <dashboard.title>Keycloak</dashboard.title>
+        <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
+        <dashboard.footer>Demo Dashboard for Keycloak</dashboard.footer>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.metaeffekt.core</groupId>
+                <artifactId>ae-inventory-maven-plugin</artifactId>
+            </plugin>
+            <!-- FIXME: fix plugins; remove configuration on project level -->
+            <plugin>
+                <groupId>com.metaeffekt.artifact.analysis</groupId>
+                <artifactId>ae-inventory-enrichment-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.metaeffekt.example.documentation</groupId>
+            <artifactId>ae-inventory-extractor</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+</project>

advisors/pom.xml

@@ -16,6 +16,7 @@
         <module>example-advisor</module>
 
         <module>keycloak-advisor</module>
+        <module>keycloak-contextualized-advisor</module>
         <module>openssl-1.1-advisor</module>
         <module>openssl-3.0-advisor</module>
         <module>selected-component-advisor</module>

documents/reports/keycloak-contextualized-report/pom.xml

@@ -0,0 +1,164 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.metaeffekt.example.documentation</groupId>
+        <artifactId>ae-reports</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>keycloak-contextualized-report</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <document.version>00.01</document.version>
+        <document.status_en>Draft</document.status_en>
+
+        <asset.id>Keycloak</asset.id>
+        <asset.name>Keycloak</asset.name>
+        <asset.version>${project.version}</asset.version>
+
+        <document.id>XXXX-YYY-ZZ-VR</document.id>
+
+        <document.version>0.1</document.version>
+        <document.status_en>Preview</document.status_en>
+        <document.classifier>vulnerability-report_en</document.classifier>
+    </properties>
+
+    <build>
+        <pluginManagement>
+            <plugins>
+
+				<plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-dependency-plugin</artifactId>
+                    <executions>
+                        <execution>
+                            <id>unpack-inventories</id>
+                            <goals>
+                                <goal>unpack-dependencies</goal>
+                            </goals>
+                            <phase>generate-sources</phase>
+                            <configuration>
+                                <outputDirectory>${project.build.directory}/inventories</outputDirectory>
+                                <includeScope>provided</includeScope>
+                                <includes>**/*-inventory*.xls</includes>
+                                <overWriteSnapshots>true</overWriteSnapshots>
+                            </configuration>
+                        </execution>
+                        <execution>
+                            <id>unpack-advisor-resource</id>
+                            <goals>
+                                <goal>unpack-dependencies</goal>
+                            </goals>
+                            <phase>generate-sources</phase>
+                            <configuration>
+                                <outputDirectory>${project.basedir}/src/main/dita/${project.artifactId}/gen</outputDirectory>
+                                <includeScope>provided</includeScope>
+                                <includes>**/resources/**/*.*</includes>
+                                <overWriteSnapshots>true</overWriteSnapshots>
+                            </configuration>
+                        </execution>
+					</executions>
+				</plugin>
+
+                <plugin>
+                    <groupId>org.metaeffekt.core</groupId>
+                    <artifactId>ae-inventory-maven-plugin</artifactId>
+                    <executions>
+                        <execution>
+                            <id>create-report-ae</id>
+                            <goals>
+                                <goal>create-inventory-report</goal>
+                            </goals>
+                            <phase>process-sources</phase>
+                            <configuration>
+                                <sourceInventoryDir>${project.build.directory}/inventories/inventory</sourceInventoryDir>
+                                <sourceInventoryIncludes>ae-keycloak-contextualized-advisor-inventory.xls</sourceInventoryIncludes>
+                                <inventory>${project.build.directory}/inventories/inventory/ae-keycloak-contextualized-advisor-inventory.xls</inventory>
+                                <targetReportDir>${basedir}/src/main/dita/${project.artifactId}/gen</targetReportDir>
+                            </configuration>
+                        </execution>
+                    </executions>
+
+                    <configuration>
+                        <sourceInventoryDir>${project.build.directory}/inventory-base</sourceInventoryDir>
+                        <sourceInventoryIncludes>**/*.xls</sourceInventoryIncludes>
+
+                        <inventory>${project.inventory}</inventory>
+
+                        <targetReportDir>${basedir}/src/main/dita/${project.artifactId}/gen</targetReportDir>
+
+                        <securityPolicyFile>${project.basedir}/../../security-policy-report.json</securityPolicyFile>
+
+                        <enableVulnerabilityReport>true</enableVulnerabilityReport>
+                        <enableVulnerabilityStatisticsReport>true</enableVulnerabilityStatisticsReport>
+
+                        <failOnError>false</failOnError>
+                        <failOnBanned>false</failOnBanned>
+                        <failOnInternal>false</failOnInternal>
+                        <failOnUnknownVersion>false</failOnUnknownVersion>
+                        <failOnUnknown>false</failOnUnknown>
+                        <failOnUpgrade>false</failOnUpgrade>
+                        <failOnDowngrade>false</failOnDowngrade>
+                        <failOnDevelopment>false</failOnDevelopment>
+                        <failOnMissingLicense>false</failOnMissingLicense>
+                        <failOnMissingLicenseFile>false</failOnMissingLicenseFile>
+                        <failOnMissingNotice>false</failOnMissingNotice>
+                        <failOnMissingSources>false</failOnMissingSources>
+
+                        <generateOverviewTablesForAdvisories>
+                            [ {"name":"CERT_SEI"} ]
+                        </generateOverviewTablesForAdvisories>
+                    </configuration>
+
+                </plugin>
+            </plugins>
+        </pluginManagement>
+
+        <plugins>
+            <plugin>
+                <groupId>org.metaeffekt.core</groupId>
+                <artifactId>ae-inventory-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.metaeffekt.dita</groupId>
+                <artifactId>ae-dita-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>buildnumber-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>org.metaeffekt.example.documentation</groupId>
+            <artifactId>ae-keycloak-contextualized-advisor</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+    </dependencies>
+
+</project>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_cpe.dita

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="cpe">
+    <glossterm>Common Product Enumeration</glossterm>
+    <glossdef>
+        Common Product Enumeration (CPE) is a scheme used by the <abbreviated-form keyref="nvd"/> to identify
+        vulnerable products (software and hardware). A CPE has a defined structure consisting of several parts:
+        <p>
+            <codeblock>cpe:&lt;cpe_version&gt;:&lt;part&gt;:&lt;vendor&gt;:&lt;product&gt;:&lt;version&gt;:&lt;update&gt;:&lt;edition&gt;:
+    &lt;language&gt;:&lt;sw_edition&gt;:&lt;target_sw&gt;:
+        &lt;target_hw&gt;:&lt;other&gt;</codeblock>
+        </p>
+        <p>
+            With a CPE several vulnerabilities (<abbreviated-form keyref="cve"/>) can be associated.
+        </p>
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>Common Product Enumeration (CPE)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>CPE</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_cve.dita

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="cpe">
+    <glossterm>Common Vulnerability Exposure</glossterm>
+    <glossdef>
+        A Common Vulnerability Exposure (CVE) is a public representation of a vulnerability. Each CVE covers
+        a description and machine-readable information for version matching.
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>Common Vulnerability Exposure (CVE)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>CVE</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_cvss.dita

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="cvss">
+    <glossterm>Common Vulnerability Scoring System</glossterm>
+    <glossdef>
+        The severity of vulnerabilities is commonly measured applying the Common Vulnerability Scoring System (CVSS)
+        scoring system.
+        The scheme uses several individual metrics to capture different aspects of a vulnerability.
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>Common Vulnerability Scoring System (CVSS)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>CVSS</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_nist.dita

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="nvd">
+    <glossterm>National Institute of Standards and Technology</glossterm>
+    <glossdef>
+        The National Institute of Standards and Technology (NIST) is a science laboratory and agency of the United State Department of Commerce.
+        Apart from many other activities the NIST publishes the Cybersecurity Framework guidance on information security and risk management.
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>National Institute of Standards and Technology (NIST)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>NIST</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_nvd.dita

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="nvd">
+    <glossterm>National Vulnerability Database</glossterm>
+    <glossdef>
+        The National Vulnerability Database (NVD) is a repository of vulnerability related data.
+        The NVD hosts <abbreviated-form keyref="cpe"/> and <abbreviated-form keyref="cve"/>
+        details for retrieving and matching vulnerability information.
+        <p>The NVD is managed by the <abbreviated-form keyref="nist"/>.</p>
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>National Vulnerability Database (NVD)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>NVD</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>