CVE Scanning and Guided Remediation with OSV Scanner

Fri, 28 Mar 2025 00:00:00 +0100

Figure 1. OSV Scanner

Security is a critical aspect of software development, and staying ahead of vulnerabilities is essential for us application developers. Google’s OSV Scanner is a powerful tool that helps detect vulnerabilities in open-source dependencies.

This article will guide us through setting up and using OSV Scanner to secure our projects, scan for invalid licenses, scan OCI images and finally how to fix findings via guided remediation.

Configuring Spring Boot WebserviceTemplate to sign WSS SOAP Requests

Wed, 30 Mar 2022 00:00:00 +0200

Sometimes when accessing SOAP APIs, our SOAP client needs to sign the request. How this can be achieved using Spring Boot’s WebserviceTemplate within a few steps is the scope of this short article.

This snippet only deals with the client side not with the security configuration on the server side.

Also it assumes, that you have already set up your keystore/truststore and that you’re loading these with your Spring Boot application’s startup without errors.

Whitesource Snippets

Sun, 11 Nov 2018 00:00:00 +0100

Whitesource Configuration for GitLab Pipeline

The following configuration derives values from predefined GitLab Variables

whitesource.conf

# Providing project information from GitLab CI
wss_project_name="$CI_PROJECT_NAME"
wss_project_version="$CI_JOB_ID"
wss_project_tag="$CI_COMMIT_TAG"

# Providing product information
wss_product_name="The Product Name"
wss_product_version="$POM_VERSION"

# Analyze the Maven POM and its transitive dependencies only, no file-system check
# Use this only if you don't have any extra checked in jar-files or stuff like that!
fileSystemScan=false
includes=pom.xml

# Only scanning the Maven project
resolveAllDependencies=false
maven.resolveDependencies=true

AWS Snippets

Thu, 01 Mar 2018 00:00:00 +0100

AWS Command Line Interface

Installation

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.0.30.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

AWS Documentation

RDS

Export Database Configuration

Export instance configuration

aws rds describe-db-instances --db-instance-identifier arn:aws:rds:eu-central-1:123456789:db:hascode-prd-db --no-paginate

Export parameter group configuration

aws rds describe-db-parameters --db-parameter-group-name PARAM_GROUP_NAME >> param_group_conf.json

Export option group configuration

aws rds describe-option-groups --option-group-name OPT_GROUP_NAME >> option_group_conf.json

Generate Signed URLs with Linux Tools

e.g. for accessing a website behind a CloudFront distribution using a canned policy.

Write the policy file

Identity Management, One-Time-Passwords and Two-Factor-Auth with Spring Boot and Keycloak

Sun, 26 Nov 2017 00:00:00 +0100

Communicating with identity and access management systems is a common task for many web-applications exposing secured resources.

Keycloak is an open source software that provides not also such authorization services but also offers a lot of features from Single-Sign-On, Identity-Brokering, Social-Login, User-Federation, multiple client-adapters up to the administration console or support for protocols like OpenID, SAML, OAuth2, Kerberos and more.

I will demonstrate how to integrate a Spring Boot web application with Keycloak and configure an authentication flow that requires a two-factor-authentication with user credentials and also one-time-passwords.

Detecting Vulnerable Dependencies with Maven and the OWASP Dependency Check Plugin

Tue, 03 Oct 2017 00:00:00 +0200

On the one hand adding dependencies to a project is easy, on the other hand securing a project and checking for vulnerable dependencies is way harder.

The OWASP dependency check plugin for Maven allows us to scan our project’s dependencies for know vulnerabilities.

I will demonstrate its usage in the following short example.

Figure 1. OWASP Vulnerability Report

Dependencies

We just need to add one plugin-dependency to our Mavenized project’s pom.xml.

Setting up an OAuth2 Authorization Server and Resource Provider with Spring Boot

Sun, 13 Mar 2016 00:00:00 +0100

OAuth2 is a frequently used standard for authorization and with Spring Boot it is easy to set up authorization and resource server in no time.

In the following short tutorial I’d like to demonstrate how to set up an OAuth2 authorization server as well as a connected and secured resource server within a few minutes using Java, Maven and Spring Boot.

Figure 1. OAuth2 Flow with Spring Boot in Action

Snippet: Creating secure Password Hashes in Java with Heimdall

Sun, 12 Jul 2015 00:00:00 +0200

These days where a cheap GPU for about 100 € is capable to create 3 billion of MD5 Hashes per second, we need not only need to use salts the right way but we also need to choose a strong, non-reversible and slow hashing schemes when storing passwords in our application.

Heimdall is a library that implements a secure and upgradable password hashing mechanism and uses at the time of writing this article PBKDF2 SHA-1 HMAC with 20000 iterations and a 192 bit (24 byte) salt per default.

Java EE: Setting up and Testing Form-Based JDBC Authentication with Arquillian and Maven

Sun, 21 Dec 2014 00:00:00 +0100

Especially when it comes to testing, setting up a decent environment for a secured Java EE web application isn’t always an easy thing to do.

In the following tutorial I’d like to demonstrate how to create a secured web application using form-based authentication and a JDBC realm to fetch users and roles and how to run the application in an embedded container for testing and development.

Additionally I’d like to show how to write and run integration tests to verify the security setup using a setup of Maven, Embedded GlassFish, Arquillian, jUnit and rest-assured.

Java Snippets

Mon, 01 Mar 2010 00:00:00 +0100

Remote Debug a Pod’s Java Process

Simple steps for remote debugging a Java process running on a k8 pod:

Edit deployment and add the following parameters to the Java start line: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005

Also add the following port mapping at the section container → ports in the deployment:
```
- containerPort: 5005
  protocol: TCP
```
Safe, wait for the new pods and then add a port forward for port 5005 for this pod:
```
kubectl port-forward podname 5005
```

Spring Boot Snippets