This is a vulnerable version of the spring-petclinic-kotlin application. This application contains security vulnerabilities (hibernate injection, cross-site scripting, use of MD5, etc.) and can be used as an example project to test/compare vulnerability detection tools, such as static and/or dynamic analysis security testing tools (SAST/DAST).
We built the vulnerable version of the spring-petclinic-kotlin similar to the vulnerable spring-petclinic Java project. For this purpose, we added three additional classes (CustomRepositoryFactory, CustomRepositoryFactoryBean, and OwnerRepositoryCustomImpl) to the existing spring-petclinic-kotlin project. We followed the steps below to build the vulnerable spring-petclinic-kotlin benchmark project.
- We first opened the existing spring-petclinic-kotlin project in the IntelliJ IDEA IDE.
- We created an empty Kotlin class named CustomRepositoryFactory.
- We copied the Java source code of the class CustomRepositoryFactory from the vulnerable spring-petclinic Java project.
- We pasted the copied Java source code to the Kotlin class CustomRepositoryFactory in our vulnerable spring-petclinic-kotlin project. Then, the IntelliJ IDEA IDE automatically translates the pasted Java source code to the Kotlin source code.
- We repeated steps 2 to 4 for creating the classes CustomRepositoryFactoryBean, and OwnerRepositoryCustomImpl.
- Finally, we added the annotation @NoRepositoryBean to the existing OwnerRepository class, similar to the vulnerable spring-petclinic Java project.
After the automatic translation from the Java code to the Kotlin code, we found an error in the CustomRepositoryFactory class. In the Java spring-petclinic vulnerable version, there is a method call to the getRepositoryInformation with the second parameter as null value. However, in the Kotlin version, the method getRepositoryInformation requires both parameters to be non-null values. Therefore, the Kotlin compiler gave an error "Null can not be a value of a non-null type". We fixed this issue by passing the appropriate object to the second parameter.
- Language: Kotlin
- Core framework: Spring Boot 2 with Spring Framework 5 Kotlin support
- Server: Apache Tomcat
- Web framework: Spring MVC
- Templates: Thymeleaf and Bootstrap
- Persistence : Spring Data JPA
- Databases: H2 and MySQL both supported
- Build: Gradle Script with the Kotlin DSL
- Testing: Junit 5, Mockito and AssertJ
git clone https://github.com/spring-petclinic/spring-petclinic-kotlin.git
cd spring-petclinic-kotlin
./gradlew bootRun
docker run -p 8080:8080 springcommunity/spring-petclinic-kotlin
You can then access petclinic here: http://localhost:8080/
In its default configuration, Petclinic uses an in-memory database (H2) which gets populated at startup with data.
The h2 console is automatically exposed at http://localhost:8080/h2-console
and it is possible to inspect the content of the database using the jdbc:h2:mem:{uuid} url (the uuid param could be find in the startup logs).
A similar setup is provided for MySql in case a persistent database configuration is needed. Note that whenever the database type is changed, the data-access.properties file needs to be updated and the mysql-connector-java artifact from the pom.xml needs to be uncommented.
You could start a MySql database with docker:
docker run -e MYSQL_USER=petclinic -e MYSQL_PASSWORD=petclinic -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=petclinic -p 3306:3306 mysql:5.7.8
Further documentation is provided here.
| Features | Class, files or Java property files |
|---|---|
| The Main Class | PetClinicApplication |
| Properties configuration file | application.properties |
| Gradle build script with Kotlin DSL | build.gradle.kts |
| Caching Configuration | CacheConfig |
- Make sure you have at least IntelliJ IDEA 2017.2 and IDEA Kotlin plugin 1.1.60+ (menu Tools -> Kotlin -> configure Kotlin Plugin Updates -> make sure "Stable" channel is selected -> check for updates now -> restart IDE after the update)
- Import it in IDEA as a Gradle project
- Go to the menu "File -> New -> Project from Existing Sources... "
- Select the spring-petclinic-kotlin directory then choose "Import the project from Gradle"
- Select the "Use gradle wrapper task configuration" radio button
- In IntelliJ IDEA, right click on PetClinicApplication.kt then "Run..." or "Debug..."
- Open http://localhost:8080/ in your browser
- Migrez une application Java Spring Boot vers kotlin (french)
- Migration Spring Web MVC vers Spring WebFlux (french)
This application uses Google Jib to build an optimized Docker image
into the Docker Hub
repository.
The build.gradle.kts has been configured to publish the image with a the springcommunity/spring-petclinic-kotlin image name.
Build and push the container image of Petclinic to the Docker Hub registry:
gradle jib -Djib.to.auth.username=<username> -Djib.to.auth.password=<password>
The Spring Petclinic master branch in the main spring-projects GitHub org is the "canonical" implementation, currently based on Spring Boot and Thymeleaf.
This [spring-petclinic-kotlin][] project is one of the several forks hosted in a special GitHub org: spring-petclinic. If you have a special interest in a different technology stack that could be used to implement the Pet Clinic then please join the community there.
One of the best parts about working on the Spring Petclinic application is that we have the opportunity to work in direct contact with many Open Source projects. We found some bugs/suggested improvements on various topics such as Spring, Spring Data, Bean Validation and even Eclipse! In many cases, they've been fixed/implemented in just a few days. Here is a list of them:
| Name | Issue |
|---|---|
| Spring JDBC: simplify usage of NamedParameterJdbcTemplate | SPR-10256 and SPR-10257 |
| Bean Validation / Hibernate Validator: simplify Maven dependencies and backward compatibility | HV-790 and HV-792 |
| Spring Data: provide more flexibility when working with JPQL queries | DATAJPA-292 |
Contributions with code that injects new vulnerabilities are welcomed. Please create a pull request for that purpuse.