From 8b5b6aa7a62cf3ea02f5b8d684a88d54e1f8917b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9abh=20Mac=20Rory?= Date: Wed, 8 Nov 2023 15:48:36 +0000 Subject: [PATCH 1/2] IAS-11301 Remediating critical snyk vuln on log4j version --- help.md | 3 ++- manifest.json | 9 +++++++-- pom.xml | 16 +++++++++++----- .../ias/bamboo/impl/InsightAppSecHelper.java | 2 +- .../ias/bamboo/impl/InsightAppSecScanTask.java | 14 ++++++++++---- .../impl/InsightAppSecScanTaskConfigurator.java | 7 ++++--- .../rapid7/ias/bamboo/util/UtilityLogger.java | 4 ++-- 7 files changed, 37 insertions(+), 18 deletions(-) diff --git a/help.md b/help.md index 37e22d2..18464ae 100644 --- a/help.md +++ b/help.md @@ -73,7 +73,8 @@ If the scan gating doesn't appear to occur as expected, confirm that the vulnera # Version History -* 1.2.1 - Update dependencies +* 1.2.2 - Update dependencies +* 1.2.1 - Excusing unnecessary dependencies * 1.2.0 - Add proxy connection. Add server logs debugging. * 1.1.2 - Update dependencies * 1.1.1 - Add new regions to InsightAppSec Region dropdown. Use search endpoint to retrieve scan-configs. diff --git a/manifest.json b/manifest.json index 9b5fc48..bbe7a1c 100644 --- a/manifest.json +++ b/manifest.json @@ -21,13 +21,18 @@ "sourceUrl": "https://github.com/rapid7/insightappsec-bamboo-plugin", "licenseUrl": "https://github.com/rapid7/insightappsec-bamboo-plugin/blob/master/LICENSE" }, - "version": "1.2.1", + "version": "1.2.2", "versionHistory": [ { - "version": "1.2.1", + "version": "1.2.2", "date": "", "changes": "Update dependencies." }, + { + "version": "1.2.1", + "date": "", + "changes": "Excluding unnecessary dependencies." + }, { "version": "1.2.0", "date": "", diff --git a/pom.xml b/pom.xml index 28b7490..b5335fb 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 com.rapid7.ias.bamboo insightappsec-bamboo-plugin - 1.2.1 + 1.2.2 https://github.com/rapid7/insightappsec-bamboo-plugin @@ -41,6 +41,8 @@ 1.8.0 2.8.9 1.2.17-atlassian-18 + 3.12.0 + 2.21.1 
@@ -94,13 +96,17 @@ org.apache.activemq activemq-openwire-legacy + + log4j + log4j + org.apache.commons commons-lang3 - 3.12.0 + ${commons-lang3.version} @@ -132,9 +138,9 @@ - log4j - log4j - ${log4j.version} + org.apache.logging.log4j + log4j-core + ${apache-logging.version} diff --git a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecHelper.java b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecHelper.java index bf9349b..eec894d 100644 --- a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecHelper.java +++ b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecHelper.java @@ -20,7 +20,7 @@ public class InsightAppSecHelper { - private String USER_AGENT = "r7:insightappsec-bamboo/1.2.1"; + private String USER_AGENT = "r7:insightappsec-bamboo/1.2.2"; private String SCAN_CONFIG_QUERY = "scanconfig.app.id='%1$s' && scanconfig.name='%2$s'"; private UtilityLogger logger; diff --git a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTask.java b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTask.java index 16d715a..100ae33 100644 --- a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTask.java +++ b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTask.java @@ -5,7 +5,12 @@ import com.atlassian.bamboo.plan.artifact.ArtifactDefinitionContextImpl; import com.atlassian.bamboo.plan.artifact.ArtifactPublishingResult; import com.atlassian.bamboo.security.SecureToken; -import com.atlassian.bamboo.task.*; +import com.atlassian.bamboo.task.CommonTaskContext; +import com.atlassian.bamboo.task.CommonTaskType; +import com.atlassian.bamboo.task.TaskContext; +import com.atlassian.bamboo.task.TaskException; +import com.atlassian.bamboo.task.TaskResult; +import com.atlassian.bamboo.task.TaskResultBuilder; import com.atlassian.bamboo.util.Narrow; import com.atlassian.plugin.spring.scanner.annotation.component.Scanned; import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport; 
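Review bot: The artifact that replaces log4j 1.x in the `@@ -132,9 +138,9 @@` hunk is `log4j-core`, the implementation, while the Java changes in this commit only use the API types (`org.apache.logging.log4j.Logger`, `LogManager`), which live in `log4j-api`; the build compiles either way because core pulls the API in transitively, but declaring `log4j-api` is what the code actually depends on. Bundling a log4j 2 core inside the plugin also changes where its output goes: with no `log4j2.xml` on the plugin classpath the default configuration logs only ERROR to the console, so the DEBUG/INFO output this plugin relies on for server-log debugging may no longer appear in Bamboo's logs unless a configuration, or a bridge such as `log4j-to-slf4j` routing to the host logger, is added — worth confirming on a test instance. The `@@ -94,13 +96,17 @@` exclusion removes log4j 1.x only from `activemq-openwire-legacy`, so a `mvn dependency:tree` run is needed to confirm no other dependency still brings in the 1.2.x artifact the Snyk finding is about. The XML element names are missing from this rendering, so whether `log4j-core` is `provided` or bundled cannot be checked here.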
@@ -16,9 +21,10 @@ import com.rapid7.ias.client.model.ResourceApp;
 import com.rapid7.ias.client.model.ResourceScanConfig;
 import com.rapid7.ias.client.model.ResourceVulnerability;
+import org.apache.logging.log4j.LogManager;
 import org.jetbrains.annotations.NotNull;
-import org.apache.log4j.Logger;
+import org.apache.logging.log4j.Logger;
 import java.io.File;
 import java.util.*;
@@ -27,7 +33,7 @@ @Scanned public class InsightAppSecScanTask implements CommonTaskType, IasConstants {
 private UtilityLogger logger;
- private static final Logger log = Logger.getLogger(InsightAppSecScanTask.class);
+ private static final Logger log = LogManager.getLogger(InsightAppSecScanTask.class);
 private String region;
 private String appName;
@@ -234,4 +240,4 @@ private void publishArtifacts(TaskContext taskContext, String name, File directo
 taskContext.getBuildContext().getArtifactContext().addPublishingResult(result);
 }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTaskConfigurator.java b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTaskConfigurator.java
index 360688d..bf31bd0 100644
--- a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTaskConfigurator.java
+++ b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecScanTaskConfigurator.java
@@ -13,6 +13,7 @@ import static com.atlassian.bamboo.credentials.UsernamePasswordCredentialType.CFG_PASSWORD;
 import com.rapid7.ias.client.ApiClient;
+import org.apache.logging.log4j.LogManager;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -21,7 +22,7 @@ import com.rapid7.ias.client.model.ResourceScanConfig;
 import org.apache.commons.lang.StringUtils;
-import org.apache.log4j.Logger;
+import org.apache.logging.log4j.Logger;
 import java.util.Hashtable;
 import java.util.Map;
@@ -98,7 +99,7 @@ public Map generateTaskConfigMap(@NotNull ActionParametersMap par
 @Override
 public void validate(@NotNull ActionParametersMap params, @NotNull ErrorCollection errorCollection) {
- Logger log = Logger.getLogger(InsightAppSecScanTaskConfigurator.class);
+ Logger log = LogManager.getLogger(InsightAppSecScanTaskConfigurator.class);
 UtilityLogger logger = new UtilityLogger(log);
 super.validate(params, errorCollection);
@@ -218,4 +219,4 @@ public void populateContextForEdit(@NotNull final Map context,Tas
 context.put(VULN_QUERY, config.get(VULN_QUERY));
 context.put(DEBUGGING, config.get(DEBUGGING));
 }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/rapid7/ias/bamboo/util/UtilityLogger.java b/src/main/java/com/rapid7/ias/bamboo/util/UtilityLogger.java
index 33243db..9a37da9 100644
--- a/src/main/java/com/rapid7/ias/bamboo/util/UtilityLogger.java
+++ b/src/main/java/com/rapid7/ias/bamboo/util/UtilityLogger.java
@@ -1,7 +1,7 @@
 package com.rapid7.ias.bamboo.util;
 import com.atlassian.bamboo.build.logger.BuildLogger;
-import org.apache.log4j.Logger;
+import org.apache.logging.log4j.Logger;
 public class UtilityLogger {
@@ -30,4 +30,4 @@ public void error(String message) {
 logger.error(message);
 if (this.buildLogger != null) buildLogger.addErrorLogEntry(message);
 }
-}
\ No newline at end of file
+}
From 1e757b7b1a59af3e8b5992a5fd1caf4583818cbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9abh=20Mac=20Rory?=
Date: Fri, 10 Nov 2023 15:36:45 +0000
Subject: [PATCH 2/2] IAS-11301 correcting typo
---
 help.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/help.md b/help.md
index 18464ae..921347d 100644
--- a/help.md
+++ b/help.md
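Review bot: `Logger log = LogManager.getLogger(InsightAppSecScanTaskConfigurator.class);` in the `@@ -98,7 +99,7 @@` hunk builds the logger as a local on every `validate` call, whereas the same commit keeps the task's logger as a class-level `private static final Logger log = LogManager.getLogger(InsightAppSecScanTask.class);`; hoisting it to a static field of the configurator matches that style and avoids the per-call lookup. The rest of `validate`'s body lies outside the hunk.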
@@ -74,7 +74,7 @@ If the scan gating doesn't appear to occur as expected, confirm that the vulnera
 # Version History
 * 1.2.2 - Update dependencies
-* 1.2.1 - Excusing unnecessary dependencies
+* 1.2.1 - Excluding unnecessary dependencies
 * 1.2.0 - Add proxy connection. Add server logs debugging.
 * 1.1.2 - Update dependencies
 * 1.1.1 - Add new regions to InsightAppSec Region dropdown. Use search endpoint to retrieve scan-configs.