This rule provides the logic to scan a Maven project's dependencies against a database of artifacts with publicly known Common Vulnerabilities and Exposures (CVEs). The canonical version of the database is hosted at and is maintained by Red Hat security teams.
A sample project is provided in sample/
To see the victims-enforcer in action run:
mvn clean package
On environments running JDK 1.7 or greater, you may have to disable the JSSE SNI extension (jsse.enableSNIExtension) for synchronization to work. This is a JVM-wide switch that affects every TLS connection made during the build, not only the one to the victims service, so set it only if synchronization actually fails without it:
mvn clean package -Djsse.enableSNIExtension=false
<rule implementation="com.redhat.victims.VictimsRule">
Check the project's dependencies against the database using
name and version. The default mode for this is 'warning'. A metadata
match only says that the artifact's coordinates are those of a known
vulnerable release; a rebuilt or patched artifact published under the
same name and version would match too, so this mode is prone to false
positives.
Valid options are:
disabled: Rule is still run, but only INFO level messages are logged and no errors.
warning : Rule prints a warning message but does not cause a failure.
fatal   : Rule prints an error message and fails the build.
Check the project's dependencies against the database using
the SHA-512 checksum of the artifact. The default is fatal. A
fingerprint match means the exact bytes of a known vulnerable artifact
are on the build's classpath, whatever name or version they carry, so
it is the stronger of the two signals.
Valid options are:
disabled: Rule is still run, but only INFO level messages are logged and no errors.
warning : Rule prints a warning message but does not cause a failure.
fatal   : Rule prints an error message and fails the build.
Configures the synchronization mechanism. By default the rule will
attempt to update the database on each build.
Valid options are:
auto   : Automatically update the database entries on each build.
daily  : Update the database entries once per day.
weekly : Update the database entries once per week.
offline: Disable the synchronization mechanism.
The following options can be specified as child elements of <rule implementation="com.redhat.victims.VictimsRule">
The URL of the victims web service used to synchronize the local database.
default: ""
The entry point of the victims web service to synchronize against.
default: "/service"
The severity of the exception to be thrown when a dependency is encountered that matches the known vulnerable database based on metadata (artifact name and version). Fatal indicates the build should fail, warning indicates a warning should be issued but the build should proceed, and disabled still runs the check but reports at INFO level only.
allowed : warning, fatal, disabled
default : warning
The severity of the exception to be thrown when a dependency is encountered that matches the known vulnerable database based on a fingerprint (the SHA-512 checksum of the artifact). Fatal indicates the build should fail, warning indicates a warning should be issued but the build should proceed, and disabled still runs the check but reports at INFO level only.
allowed : warning, fatal, disabled
default : fatal
Allows the configuration of the synchronization mechanism. In automatic mode new entries in the victims database are pulled from the victims-web instance during each build. In daily mode new entries are pulled from the victims-web instance only once per day. The synchronization mechanism may be disabled and the database maintained manually for closed build environments. In offline mode the rule only knows about entries already present in the local database, so a fresh checkout that starts with an empty database will match nothing; populate the database before relying on the result.
allowed : auto, daily, offline
default : auto
The jdbc driver to use for the local victims database. By default victims uses an embedded H2 database.
default : org.h2.Driver
The jdbc connection URL for the local victims database.
default : .victims (embedded h2 instance).
The username to use for the jdbc connection.
default : ""
The password to use for the jdbc connection. Do not commit a real password in pom.xml; reference a Maven property supplied from a profile in settings.xml or on the command line instead.
default : ""
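Putting the rule fragment and the options above together, here is a complete maven-enforcer-plugin execution. This is an added example, not the project's own sample: the child element names under the rule (metadata, fingerprint, updates, baseUrl, entryPoint, jdbcDriver, jdbcUrl, jdbcUser, jdbcPass) are assumed from the option descriptions in this README, and the rule's artifact coordinates, the version properties, the internal mirror host name and the H2 JDBC URL are placeholders; verify each against the plugin's own documentation before use. It warns on name/version matches, fails the build on SHA-512 matches, synchronizes once per day, and keeps the database credentials out of the POM.

```xml
<!-- Added example (not the project's sample). Element names under <rule>
     are assumed from this README's option descriptions; coordinates,
     versions, host name and JDBC URL are placeholders to be verified. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>${enforcer.plugin.version}</version>
      <dependencies>
        <!-- Puts the rule implementation on the enforcer plugin's classpath.
             Assumed coordinates: com.redhat.victims:enforce-victims-rule -->
        <dependency>
          <groupId>com.redhat.victims</groupId>
          <artifactId>enforce-victims-rule</artifactId>
          <version>${victims.rule.version}</version>
        </dependency>
      </dependencies>
      <executions>
        <execution>
          <id>enforce-victims-rule</id>
          <!-- validate runs before package, so "mvn clean package" triggers it -->
          <phase>validate</phase>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <rule implementation="com.redhat.victims.VictimsRule">
                <!-- Name/version match: may be a rebuilt or patched artifact
                     with the same coordinates, so only warn. -->
                <metadata>warning</metadata>
                <!-- SHA-512 match: the exact bytes of a known vulnerable
                     artifact are on the classpath, so fail the build. -->
                <fingerprint>fatal</fingerprint>
                <!-- Pull new entries once per day; use "offline" for
                     closed environments and maintain the database manually. -->
                <updates>daily</updates>
                <!-- Self-hosted victims-web mirror (assumed host name). -->
                <baseUrl>https://victims.example.internal/</baseUrl>
                <entryPoint>/service</entryPoint>
                <!-- Embedded H2 database kept outside the workspace so a
                     clean checkout does not start from an empty database
                     (assumed H2 URL syntax). -->
                <jdbcDriver>org.h2.Driver</jdbcDriver>
                <jdbcUrl>jdbc:h2:${user.home}/.m2/victims</jdbcUrl>
                <!-- Credentials come from a settings.xml profile or -D
                     properties, never from the committed POM. -->
                <jdbcUser>${victims.db.user}</jdbcUser>
                <jdbcPass>${victims.db.pass}</jdbcPass>
              </rule>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run it with mvn clean package as above, passing the credential properties on the command line (mvn clean package -Dvictims.db.user=... -Dvictims.db.pass=...) or defining them in an active profile in ~/.m2/settings.xml. With the embedded H2 defaults the user and password can simply be left unset.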