
IAS-11301 Remediating critical snyk vuln on log4j version #25

Merged
merged 2 commits into from
Nov 10, 2023
Merged
3 changes: 2 additions & 1 deletion help.md
Expand Up @@ -73,7 +73,8 @@ If the scan gating doesn't appear to occur as expected, confirm that the vulnera

# Version History

* 1.2.1 - Update dependencies
* 1.2.2 - Update dependencies
* 1.2.1 - Excluding unnecessary dependencies
* 1.2.0 - Add proxy connection. Add server logs debugging.
* 1.1.2 - Update dependencies
* 1.1.1 - Add new regions to InsightAppSec Region dropdown. Use search endpoint to retrieve scan-configs.
Expand Down
9 changes: 7 additions & 2 deletions manifest.json
Expand Up @@ -21,13 +21,18 @@
"sourceUrl": "https://github.com/rapid7/insightappsec-bamboo-plugin",
"licenseUrl": "https://github.com/rapid7/insightappsec-bamboo-plugin/blob/master/LICENSE"
},
"version": "1.2.1",
"version": "1.2.2",
"versionHistory": [
{
"version": "1.2.1",
"version": "1.2.2",
"date": "",
"changes": "Update dependencies."
},
{
"version": "1.2.1",
"date": "",
"changes": "Excluding unnecessary dependencies."
},
{
"version": "1.2.0",
"date": "",
Expand Down
16 changes: 11 additions & 5 deletions pom.xml
Expand Up @@ -5,7 +5,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.rapid7.ias.bamboo</groupId>
<artifactId>insightappsec-bamboo-plugin</artifactId>
<version>1.2.1</version>
<version>1.2.2</version>

<scm>
<url>https://github.com/rapid7/insightappsec-bamboo-plugin</url>
Expand Down Expand Up @@ -41,6 +41,8 @@
<gson-fire-version>1.8.0</gson-fire-version>
<mockito-core.version>2.8.9</mockito-core.version>
<log4j.version>1.2.17-atlassian-18</log4j.version>
<commons-lang3.version>3.12.0</commons-lang3.version>
<apache-logging.version>2.21.1</apache-logging.version>
</properties>

<dependencies>
Expand Down Expand Up @@ -94,13 +96,17 @@
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-openwire-legacy</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.12.0</version>
<version>${commons-lang3.version}</version>
</dependency>

<dependency>
Expand Down Expand Up @@ -132,9 +138,9 @@
</dependency>

<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${apache-logging.version}</version>
</dependency>

<dependency>
Expand Down
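Review bot: The `<log4j.version>1.2.17-atlassian-18</log4j.version>` property kept in the properties hunk is now dead, since the `log4j:log4j` artifact it versioned is replaced by `org.apache.logging.log4j:log4j-core` in the last hunk and excluded in the exclusions hunk; delete the property so the 1.x artifact cannot be quietly re-added from it. The exclusion is attached to a single dependency whose declaration starts before the hunk, so if the Snyk finding came from a 1.x copy reached through a different transitive path it would survive this change — worth confirming with `mvn dependency:tree -Dincludes=log4j:log4j` before closing the ticket. Declaring `log4j-core` at compile scope also means the plugin jar now ships its own logging backend instead of using whatever the Bamboo host provides; if the host already supplies Log4j 2 (or SLF4J), `<scope>provided</scope>` would keep the plugin on the copy the host patches, but the pom alone does not show which situation applies.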
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@

public class InsightAppSecHelper {

private String USER_AGENT = "r7:insightappsec-bamboo/1.2.1";
private String USER_AGENT = "r7:insightappsec-bamboo/1.2.2";
private String SCAN_CONFIG_QUERY = "scanconfig.app.id='%1$s' && scanconfig.name='%2$s'";

private UtilityLogger logger;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,12 @@
import com.atlassian.bamboo.plan.artifact.ArtifactDefinitionContextImpl;
import com.atlassian.bamboo.plan.artifact.ArtifactPublishingResult;
import com.atlassian.bamboo.security.SecureToken;
import com.atlassian.bamboo.task.*;
import com.atlassian.bamboo.task.CommonTaskContext;
import com.atlassian.bamboo.task.CommonTaskType;
import com.atlassian.bamboo.task.TaskContext;
import com.atlassian.bamboo.task.TaskException;
import com.atlassian.bamboo.task.TaskResult;
import com.atlassian.bamboo.task.TaskResultBuilder;
import com.atlassian.bamboo.util.Narrow;
import com.atlassian.plugin.spring.scanner.annotation.component.Scanned;
import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport;
Expand All @@ -16,9 +21,10 @@
import com.rapid7.ias.client.model.ResourceApp;
import com.rapid7.ias.client.model.ResourceScanConfig;
import com.rapid7.ias.client.model.ResourceVulnerability;
import org.apache.logging.log4j.LogManager;
import org.jetbrains.annotations.NotNull;

import org.apache.log4j.Logger;
import org.apache.logging.log4j.Logger;

import java.io.File;
import java.util.*;
Expand All @@ -27,7 +33,7 @@
@Scanned
public class InsightAppSecScanTask implements CommonTaskType, IasConstants {
private UtilityLogger logger;
private static final Logger log = Logger.getLogger(InsightAppSecScanTask.class);
private static final Logger log = LogManager.getLogger(InsightAppSecScanTask.class);

private String region;
private String appName;
Expand Down Expand Up @@ -234,4 +240,4 @@ private void publishArtifacts(TaskContext taskContext, String name, File directo

taskContext.getBuildContext().getArtifactContext().addPublishingResult(result);
}
}
}
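Review bot: The two Log4j 2 imports are split — `org.apache.logging.log4j.LogManager` is inserted between the `com.rapid7.ias.client.model` imports and `org.jetbrains.annotations.NotNull`, while `org.apache.logging.log4j.Logger` sits alone after a blank line where the old `org.apache.log4j.Logger` was; place `import org.apache.logging.log4j.LogManager;` directly above `import org.apache.logging.log4j.Logger;` so the logging imports read as one group. Replacing the `com.atlassian.bamboo.task.*` wildcard with explicit imports is the right direction and the same treatment could be applied to the `java.util.*` line that remains in the hunk. The rest of the class body is outside this section.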
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
import static com.atlassian.bamboo.credentials.UsernamePasswordCredentialType.CFG_PASSWORD;

import com.rapid7.ias.client.ApiClient;
import org.apache.logging.log4j.LogManager;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

Expand All @@ -21,7 +22,7 @@
import com.rapid7.ias.client.model.ResourceScanConfig;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.Logger;

import java.util.Hashtable;
import java.util.Map;
Expand Down Expand Up @@ -98,7 +99,7 @@ public Map<String,String> generateTaskConfigMap(@NotNull ActionParametersMap par
@Override
public void validate(@NotNull ActionParametersMap params,
@NotNull ErrorCollection errorCollection) {
Logger log = Logger.getLogger(InsightAppSecScanTaskConfigurator.class);
Logger log = LogManager.getLogger(InsightAppSecScanTaskConfigurator.class);
UtilityLogger logger = new UtilityLogger(log);

super.validate(params, errorCollection);
Expand Down Expand Up @@ -218,4 +219,4 @@ public void populateContextForEdit(@NotNull final Map<String,Object> context,Tas
context.put(VULN_QUERY, config.get(VULN_QUERY));
context.put(DEBUGGING, config.get(DEBUGGING));
}
}
}
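Review bot: `validate` now looks up a logger on every call with `Logger log = LogManager.getLogger(InsightAppSecScanTaskConfigurator.class);`; the sibling `InsightAppSecScanTask` change stores it once as `private static final Logger log = LogManager.getLogger(...)`, and the same pattern here would remove the per-validation lookup and the local that shadows nothing but reads like a field. The body of `validate` continues past the hunk. Separately, the context line `import org.apache.commons.lang.StringUtils;` shows this class still depends on commons-lang 2.x even though the pom change declares `commons-lang3` 3.12.0; since this PR is a dependency-vulnerability remediation, switching to `import org.apache.commons.lang3.StringUtils;` (the static helpers used by configurators have the same names in lang3) would stop relying on an end-of-life library that is presumably arriving transitively from the host — I cannot see where it is resolved from here.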
4 changes: 2 additions & 2 deletions src/main/java/com/rapid7/ias/bamboo/util/UtilityLogger.java
@@ -1,7 +1,7 @@
package com.rapid7.ias.bamboo.util;

import com.atlassian.bamboo.build.logger.BuildLogger;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.Logger;

public class UtilityLogger {

Expand Down Expand Up @@ -30,4 +30,4 @@ public void error(String message) {
logger.error(message);
if (this.buildLogger != null) buildLogger.addErrorLogEntry(message);
}
}
}