Maven

You can find out more about our Maven plugin in our blog post.

Apache Maven is a popular build management tool for Java applications. The RIPS security analysis can be added as a build task so that your build fails whenever a scan reports more vulnerabilities than the thresholds you have defined.

Requirements

RIPS Plugin   RIPS API   Maven      JAR
1.0.0         3.x        >= 3.5.0   Download

Setup

The plugin is not yet published to the official plugin repository and has to be installed into your local repository manually. The -DgroupId, -DartifactId and -Dversion values you pass here are the coordinates Maven later resolves from your pom.xml, so they must be identical to the <groupId>, <artifactId> and <version> you declare there:

mvn install:install-file -Dfile=<path-to-jar> -DgroupId=com.ripstech \
    -DartifactId=rips-maven-plugin -Dversion=1.0.0 -Dpackaging=jar

Configuration

You can add and configure the plugin in your pom.xml:

maven config
<build>
    <plugins>
        <plugin>
            <groupId>com.ripstech.maven</groupId>
            <artifactId>rips-maven-plugin</artifactId>
            <version>1.0.0</version>
            <configuration>
                <apiUrl>https://api-3.ripstech.com</apiUrl>
                <uiUrl>https://saas-3.ripstech.com</uiUrl>
                <email>test@company</email>
                <password>yourPassword</password>
                <applicationId>yourApplicationId</applicationId>
                <scanVersion>{isoDateTime}</scanVersion>
                <thresholds>
                    <low>10</low>
                    <medium>5</medium>
                    <high>0</high>
                    <critical>0</critical>
                </thresholds>
                <printIssues>true</printIssues>
            </configuration>
            <executions>
                <execution>
                    <goals>
                        <goal>scan</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

The following configuration properties are available to configure your RIPS analysis (each one can also be supplied as a Maven property of the same name):

rips.apiUrl (required)
    Your RIPS API URL that should be used for scanning.
    Our SaaS API is available at https://api-3.ripstech.com. This API also works for trial accounts.
    For on-premises installations, make sure to also include the port of your API, for example http://192.168.201.1:8080. Note that a plain http:// URL sends your API credentials in cleartext; use https:// wherever your installation supports it.

rips.uiUrl (optional)
    Your RIPS UI URL.

rips.email (required)
    Your RIPS API login email.

rips.password (required)
    Your RIPS API password.

rips.applicationId (required)
    The numerical ID of the RIPS application to use.
    Note: the application must already exist; it is not created automatically.

rips.profileId (optional)
    The RIPS analysis profile.

rips.scanVersion (optional)
    The version name of the scan.

rips.thresholds (optional)
    Map of tolerated numbers of issues by severity. Possible severities: critical, high, medium, low (e.g. critical: 0, high: 0, medium: 5, low: 10). A threshold of 0 means that a single issue of that severity fails the build.

rips.analysisDepth (optional)
    Overrides the default analysis depth (5).

rips.scanTimeout (optional)
    Overrides the default scan timeout (5) in hours.

rips.printIssues (optional)
    Set to false to suppress the detailed output of all issues.

Note: Please do not store your credentials in the pom.xml file, otherwise they will be checked into source control. Use environment variables or the settings.xml file instead and reference them from the plugin configuration.
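As an added example (not a snippet from the original page or from the RIPS project), one way to keep the credentials out of pom.xml: the plugin configuration only references Maven properties, and settings.xml supplies those properties from environment variables. The property names rips.email, rips.password and rips.applicationId are the ones listed on this page; the environment variable names RIPS_EMAIL, RIPS_PASSWORD and RIPS_APPLICATION_ID and the profile id rips-credentials are assumptions chosen for the example.

```xml
<!-- pom.xml: plugin declaration with no secrets, only property references
     (added example, not the project's own configuration) -->
<plugin>
    <groupId>com.ripstech.maven</groupId>
    <artifactId>rips-maven-plugin</artifactId>
    <version>1.0.0</version>
    <configuration>
        <apiUrl>https://api-3.ripstech.com</apiUrl>
        <uiUrl>https://saas-3.ripstech.com</uiUrl>
        <!-- interpolated by Maven from settings.xml or -D properties -->
        <email>${rips.email}</email>
        <password>${rips.password}</password>
        <applicationId>${rips.applicationId}</applicationId>
        <scanVersion>{isoDateTime}</scanVersion>
        <thresholds>
            <low>10</low>
            <medium>5</medium>
            <high>0</high>
            <critical>0</critical>
        </thresholds>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>scan</goal>
            </goals>
        </execution>
    </executions>
</plugin>

<!-- ~/.m2/settings.xml on the developer machine or the CI runner:
     the values come from the process environment, so nothing sensitive
     is written into the repository -->
<settings>
    <pluginGroups>
        <!-- lets "mvn rips:scan" resolve the rips prefix even from a
             project that does not declare the plugin in its pom.xml -->
        <pluginGroup>com.ripstech.maven</pluginGroup>
    </pluginGroups>
    <profiles>
        <profile>
            <!-- assumed profile id -->
            <id>rips-credentials</id>
            <properties>
                <!-- assumed environment variable names -->
                <rips.email>${env.RIPS_EMAIL}</rips.email>
                <rips.password>${env.RIPS_PASSWORD}</rips.password>
                <rips.applicationId>${env.RIPS_APPLICATION_ID}</rips.applicationId>
            </properties>
        </profile>
    </profiles>
    <activeProfiles>
        <activeProfile>rips-credentials</activeProfile>
    </activeProfiles>
</settings>
```

The variables have to be present in the environment of the Maven process (for example injected as CI secrets). If one of them is unset, Maven leaves the literal string ${env.RIPS_PASSWORD} in place and the API login fails, which surfaces the misconfiguration instead of silently scanning with wrong credentials. Passing the values on the command line with -Drips.password=... also works, but the value then shows up in shell history and process listings, so prefer the environment-backed settings.xml. If you write literal values into settings.xml instead of environment references, restrict the file's permissions to your own user.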

New Scan

After configuring the plugin you can start a new scan with mvn rips:scan. The plugin zips your project files into an archive, uploads it to the RIPS instance given in your configuration, and starts a new scan. The rips prefix resolves because the plugin is declared in your pom.xml; from a project that does not declare it, either add com.ripstech.maven to <pluginGroups> in your settings.xml or invoke the goal by its full coordinates, com.ripstech.maven:rips-maven-plugin:1.0.0:scan.

Once the scan completes, the plugin compares the number of reported issues per severity against your thresholds; if any threshold is exceeded, the build fails.

The plugin's default build phase is 'verify', which runs after 'package' and 'integration-test', so the scan happens once the artifact has been built and the integration tests have run. You can bind it to another phase with the <phase> element inside <executions>. For example, to run it during 'deploy':

pom.xml
<executions>
    <execution>
        <phase>deploy</phase>
        <goals>
            <goal>scan</goal>
        </goals>
    </execution>
</executions>