You can find out more about our Maven plugin in our blog post.
Apache Maven is a popular build management tool for Java applications. A RIPS security analysis can be added as a build task so that your build fails whenever new security vulnerabilities are introduced.
| RIPS Plugin | RIPS API | Maven | JAR |
The plugin is not yet published to the official plugin repository and has to be installed manually into your local repository:
You can add and configure the plugin in your pom.xml:
The following configuration properties are available to configure your RIPS analysis:
Your RIPS API URL that should be used for scanning.
Your RIPS UI URL
Your RIPS API login email
Your RIPS API password
The numerical ID of the RIPS application to use
The RIPS analysis profile
The version name of the scan
Map of tolerated numbers of issues by severity. Possible severities: critical, high, medium, low (e.g. critical: 0, high: 0, medium: 5, low: 10)
Override the default analysis depth (5)
Override the default scan timeout (5 hours)
Set to false to suppress detailed output of all issues
Note: Do not store your credentials in the pom.xml file, or they will be checked into source control. Use environment variables or the settings.xml file instead.
After configuring the plugin you can start a new scan with mvn rips:scan. It zips your project files into an archive, uploads it to the RIPS instance specified in your configuration, and starts a new scan.
Once the scan has completed, the plugin checks whether any of your defined thresholds were exceeded; if so, the build fails.
The plugin's default build phase is 'verify', which means it scans during integration tests. You can change this using the <executions> tag. For example you can set it to 'deploy':
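As an added illustration (not the plugin's own documentation snippet), the following pom.xml and settings.xml fragments show the two points above together: binding the scan goal to the deploy phase, and keeping the RIPS credentials out of the POM. The plugin coordinates PLUGIN_GROUP_ID / PLUGIN_ARTIFACT_ID / PLUGIN_VERSION and every element name inside `<configuration>` are placeholders that must be replaced with the names from the plugin's documentation; the goal name `scan` follows from `mvn rips:scan`, and the `${...}` property expansion from settings.xml profiles and `${env.*}` for environment variables is standard Maven behaviour.

```xml
<!-- pom.xml (added example). PLUGIN_GROUP_ID, PLUGIN_ARTIFACT_ID,
     PLUGIN_VERSION and the element names inside <configuration> are
     placeholders; take the real names from the plugin's documentation. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <build>
    <plugins>
      <plugin>
        <groupId>PLUGIN_GROUP_ID</groupId>
        <artifactId>PLUGIN_ARTIFACT_ID</artifactId>
        <version>PLUGIN_VERSION</version>
        <executions>
          <execution>
            <!-- Run the scan during 'deploy' instead of the default 'verify'. -->
            <phase>deploy</phase>
            <goals>
              <goal>scan</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- Non-secret settings may live in the POM (element names are placeholders). -->
          <apiUrl>https://rips-api.example.internal/</apiUrl>
          <uiUrl>https://rips-ui.example.internal/</uiUrl>
          <applicationId>42</applicationId>
          <analysisProfile>default</analysisProfile>
          <scanVersion>${project.version}</scanVersion>
          <thresholds>
            <critical>0</critical>
            <high>0</high>
            <medium>5</medium>
            <low>10</low>
          </thresholds>
          <!-- Secrets are only referenced here; the values come from
               settings.xml (below) or from the environment at build time. -->
          <email>${rips.api.email}</email>
          <password>${rips.api.password}</password>
          <!-- CI alternative: <password>${env.RIPS_API_PASSWORD}</password> -->
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

<!-- ~/.m2/settings.xml (added example, lives outside the repository):
     defines the secret properties referenced by the POM above. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>rips-credentials</id>
      <properties>
        <rips.api.email>scanner@example.com</rips.api.email>
        <rips.api.password>REPLACE_WITH_PASSWORD</rips.api.password>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>rips-credentials</activeProfile>
  </activeProfiles>
</settings>
```

With this layout `mvn deploy` triggers the scan through the bound phase, while `mvn rips:scan` still runs it on demand. Because settings.xml sits in the user's Maven home rather than in the project, the password never enters source control; on a CI runner, supply it as a masked environment variable and reference `${env.RIPS_API_PASSWORD}` instead. Keep in mind that `mvn help:effective-pom` prints the resolved property values, so avoid running it where build logs are shared.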