The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha release of the victims client for Java hopes to fill this gap. The victims client for Java is a simple command line tool that presently has the ability to scan jar files, directories, and pom.xml files for known vulnerabilities. It also allows you to synchronize with the victims project infrastructure and control local settings.
Getting started with the victims client for Java is relatively simple.
- Download the alpha release of the victims tool.
- Build it using the 'mvn clean package' command. You need to have a Java SDK >= 1.5 and Maven installed on your machine.
- Run it: by default, the victims client for Java will compile into a standalone .jar file. This means that you can launch it from the build directory by running '$ java -jar target/victims-client-1.0-SNAPSHOT-standalone.jar'
To simplify the examples we can create an alias:
cp target/victims-client*-standlone.jar ~/.victims
alias victims='java -jar $HOME/.victims/victims-client-1.0-SNAPSHOT-standalone.jar'
The goal of this release has been to present a small subset of capabilities to users with the aim of figuring out what additional features people require. The rest of this article will focus on the various use cases for the client tool.
The first and most important step when using the client is to synchronize with the victims Embedded Vulnerability Detection (EVD) service. This will download all the vulnerability definitions from the remote service, which can take a while. To do this you need to specify the '--update' flag when running the client. Specifying '--update' on subsequent runs of the tool will check to make sure that no additional updates are available.
# Getting updates
$ victims --update
Updating EVD definitions:
# Checking last update time
$ victims --db-status
Database last updated on: Mon Dec 16 14:37:48 EST 2013
With the database up to date, it is now possible to scan jar files. If the victims client for Java test ran during the build, then you should have some example files that you can run the scans against in the '.testdata' directory.
To run a scan against a single jar file, simply provide the file name:
$ victims .testdata/org/springframework/spring/2.5.6/spring-2.5.6.jar
.testdata/org/springframework/spring/2.5.6/spring-2.5.6.jar VULNERABLE! CVE-2009-1190 CVE-2011-2730 CVE-2010-1622
You can also recursively scan a directory for known vulnerable artifacts:
# Warning - this will take a while..
$ victims --recursive ~/.m2
/home/gm/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar VULNERABLE! CVE-2012-5783
/home/gm/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar VULNERABLE! CVE-2009-2625
If you use Maven to build your projects, you can also run the victims client for Java across your entire source directory. Any pom.xml files that are detected will have all dependency Group, Artifact, and Version (GAV) information cross checked against the victims database entries.
That covers the main use cases of the tool. We are looking for alpha testers to help improve the capabilities and iron out any bugs. If you do take the time to test this project out, please give us feedback via raising issues on Github, contacting us on #victi.ms on freenode, or via the development mailing list.