fossas · meghfossa · Feb 8, 2024 · Feb 8, 2024 · Feb 12, 2024 · Feb 12, 2024
@@ -16,4 +16,7 @@ elixir/mix/hello_world/tmp
 
 # javascript
 *.log
-*node_modules/
+*node_modules/
+
+# reachability
+reachability/maven/vuln-function-used/target
@@ -0,0 +1,9 @@
+## Example maven project with reachable vulnerabilities
+
+- To build project: `mvn package` (you will need java8+, and maven)
+
+```bash
+; mvn package # build project
+; fossa analyze -o --debug # run fossa analysis in output mode only
+; fossa analyze --debug -p example-maven-vuln-function-used -r 1 # run fossa analysis
+```
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example.app</groupId>
+  <artifactId>example</artifactId>
+  <version>1.1</version>
+
+  <name>example-artifact-name</name>
+  <!-- FIXME change it to the project's website -->
+  <url>http://www.example.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+
+  <licenses>
+    <license>
+      <name>Apache License, Version 2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+      <distribution>repo</distribution>
+      <comments>A business-friendly OSS license</comments>
+    </license>
+  </licenses>
+
+  <repositories>
+    <repository>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>central</id>
+      <name>Maven Repository Switchboard</name>
+      <url>http://repo1.maven.org/maven2</url>
+    </repository>
+  </repositories>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency> <!-- has cve -->
+      <groupId>org.dom4j</groupId>
+      <artifactId>dom4j</artifactId>
+      <version>2.1.0</version>
+    </dependency>
+    <dependency> <!-- has cve -->
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>28.1-jre</version>
+    </dependency>
+
+  </dependencies>
+
+  <build>
+    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+      <plugins>
+        <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+        <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>
@@ -0,0 +1,29 @@
+package com.example.app;
+
+import java.util.Map;
+import java.net.URI;
+import java.net.URL;
+import com.example.app.utils.ContextReader;
+
+// org.dom4j (CVE-2020-10683)
+// ---------------------------
+// dom4j before 2.0.3 and 2.1.x before 2.1.3 allows 
+// external DTDs and External Entities by default, which might enable XXE attacks
+import org.dom4j.Document;
+import org.dom4j.DocumentException;
+import org.dom4j.io.SAXReader;
+
+public class App 
+{
+    public static void main(String[] args) throws Exception {
+        URL url = new URI(args[0]).toURL();
+        System.out.println(parse(url));
+        System.out.println(ContextReader.parseWithCtx(url));
+    }
+
+    public static Document parse(URL url) throws DocumentException {
+        SAXReader reader = new SAXReader();
+        Document document = reader.read(url);
+        return document;
+    }
+}
@@ -0,0 +1,23 @@
+package com.example.app.utils;
+
+import java.util.Map;
+import java.net.URI;
+import java.net.URL;
+import org.dom4j.Document;
+import org.dom4j.DocumentException;
+import org.dom4j.jaxb.JAXBReader;
+import com.google.common.io.Files;
+import com.google.common.base.Charsets;
+import java.io.File;
+
+public class ContextReader 
+{
+    public static Document parseWithCtx(URL url) throws DocumentException, java.io.IOException {
+        File addrFile = new File("addr.txt");
+        String addrCtx = Files.toString(addrFile, Charsets.UTF_8);
+
+        JAXBReader reader = new JAXBReader(addrCtx);
+        Document document = reader.read(url);
+        return document;
+    }
+}
@@ -0,0 +1,14 @@
+package com.example.app;
+
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+
+public class AppTest 
+{
+    @Test
+    public void shouldAnswerWithTrue()
+    {
+        assertTrue( true );
+    }
+}