Contrast Maven plugin

The Contrast Maven plugin integrates the Contrast JAR with your build. It can authenticate a user to Contrast, download the latest Java agent and verify your build.

Note

Maven is a build tool that uses pom.xml files to configure your applications. It's used to build, package and test Java applications.

This topic refers to version 2.0 of the Contrast Maven plugin. For information on version 1.X, refer to the documentation in the Contrast GitHub repository.

Tip

You can also:

Configure the plugin

The table below shows all the parameters for the plugin. These settings are for connecting to Contrast and filtering your vulnerabilities. You can find key values under your personal keys or agent keys.

| Parameter | Required | Default | Description | Since |
|---|---|---|---|---|
| username | True | | Username in Contrast | |
| serviceKey | True | | Service key | |
| apiKey | True | | API key | |
| orgUuid | True | | Organization UUID | |
| appName | True | | Name of the application as seen in Contrast | |
| appId | False | | ID of the application as seen in Contrast. Either the appId or appName is required. If both are specified, Contrast uses the appId and ignores the appName. | 2.5 |
| standalone | False | False | Set this to "true" if this is a standalone application | 2.2 |
| appVersion | False | | The appVersion to report to Contrast. See the appVersion section under Option details. | |
| apiUrl | True | | API URL to Contrast | |
| serverName | True | | Name of the server you set with -Dcontrast.server | |
| serverPath | False | | The server context path | 2.1 |
| minSeverity | False | Medium | Minimum severity level to verify; options are Note, Low, Medium, High or Critical | |
| jarPath | False | | Path to contrast.jar, if you already have one downloaded | |
| skipArgLine | False | False | If this is "true", the plugin will not alter the Maven argLine property in any way | 2.0 |

Note

Even if your build otherwise succeeds, the plugin fails the overall build if it finds a vulnerability at or above the configured minSeverity.

The following configuration is an example of a profile for the Contrast Maven plugin. To run with this profile, use mvn install -P run-with-contrast.

<profile>
    <id>run-with-contrast</id>
    <build>
        <plugins>
            <plugin>
                <groupId>com.contrastsecurity</groupId>
                <artifactId>contrast-maven-plugin</artifactId>
                <version>2.0</version>
                <executions>
                    <!-- install: downloads the Contrast Java agent into the project -->
                    <execution>
                        <id>install-contrast-jar</id>
                        <goals>
                            <goal>install</goal>
                        </goals>
                    </execution>
                    <!-- verify: runs after the integration tests and fails the build
                         if a vulnerability at or above minSeverity was found -->
                    <execution>
                        <id>verify-with-contrast</id>
                        <phase>post-integration-test</phase>
                        <goals>
                            <goal>verify</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- credentials shown here are placeholder values -->
                    <username>test_user</username>
                    <apiKey>testApiKey</apiKey>
                    <serviceKey>testServiceKey</serviceKey>
                    <apiUrl>https://app.contrastsecurity.com/Contrast/api</apiUrl>
                    <orgUuid>QWER-ASDF-ZXCV-ERTY</orgUuid>
                    <appName>MyAppName</appName>
                    <appId>bc3028e6-82ac-410f-b9c7-13573d33cb94</appId>
                    <serverName>MyServerName</serverName>
                    <minSeverity>High</minSeverity>
                </configuration>
            </plugin>
        </plugins>
    </build>
</profile>
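The profile above writes the username, apiKey and serviceKey directly into pom.xml, a file that is normally committed to source control and visible to everyone with read access to the repository. The variant below is an added example, not part of the original page or of the plugin's own documentation: it keeps the same plugin parameters but fills the secret-bearing ones from Maven's standard ${env.VAR} property syntax, so the values come from the CI system's masked secrets or a developer's shell rather than from the repository. The environment variable names (CONTRAST_USERNAME, CONTRAST_API_KEY, CONTRAST_SERVICE_KEY, CONTRAST_ORG_UUID) are assumptions chosen for this example.

```xml
<!-- Added example: same run-with-contrast profile, with credentials read from
     environment variables instead of being hard-coded in the pom.
     ${env.NAME} is standard Maven property interpolation; the variable names
     below are an assumption for this example, not something the plugin defines. -->
<profile>
    <id>run-with-contrast</id>
    <build>
        <plugins>
            <plugin>
                <groupId>com.contrastsecurity</groupId>
                <artifactId>contrast-maven-plugin</artifactId>
                <version>2.0</version>
                <executions>
                    <execution>
                        <id>install-contrast-jar</id>
                        <goals>
                            <goal>install</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>verify-with-contrast</id>
                        <phase>post-integration-test</phase>
                        <goals>
                            <goal>verify</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- Secrets: resolved at build time from the environment.
                         If a variable is unset, Maven leaves the literal
                         "${env.CONTRAST_API_KEY}" in place and authentication
                         fails, which is the safe failure mode (no fallback). -->
                    <username>${env.CONTRAST_USERNAME}</username>
                    <apiKey>${env.CONTRAST_API_KEY}</apiKey>
                    <serviceKey>${env.CONTRAST_SERVICE_KEY}</serviceKey>
                    <!-- Organization UUID is not a credential but identifies the
                         tenant, so it is also kept out of the repository here. -->
                    <orgUuid>${env.CONTRAST_ORG_UUID}</orgUuid>
                    <!-- Non-secret settings can stay in the pom. -->
                    <apiUrl>https://app.contrastsecurity.com/Contrast/api</apiUrl>
                    <appName>MyAppName</appName>
                    <serverName>MyServerName</serverName>
                    <minSeverity>High</minSeverity>
                </configuration>
            </plugin>
        </plugins>
    </build>
</profile>
```

Run it the same way, mvn install -P run-with-contrast, after exporting the four variables in the shell or defining them as masked secrets in the CI job. Passing secrets as -D command-line properties also works but exposes them in process listings and build logs, so the environment route is preferable.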

Use the plugin

Use the Maven plugin to allow Contrast to discover vulnerabilities in your application during integration or verification tests.

You can view the plugin code in Contrast's GitHub repository. You can also review how our two tasks, install and verify, work.

| Task | Description |
|---|---|
| install | Installs a Contrast Java agent to your local project. |
| verify | Checks for new vulnerabilities in your web application. |

Option details

JVM arguments

The Contrast Maven plugin configures your JVM arguments to use the Contrast agent by appending to the argLine property in the Maven properties. If you want to prevent this so that you can build your own JVM arguments, set skipArgLine to true in the plugin properties.

serverPath

The modules of a multi-module Maven build can each appear as a different server in Contrast. If you want to avoid this behavior and prefer to see all modules under the same server in Contrast, set the serverPath property.

You are strongly encouraged to add a serverPath if this build will run in a continuous integration (CI) environment such as Travis CI or Circle CI. This will help you keep your servers tidy in Contrast.

appVersion

When your application's integration tests are run, the Contrast agent can add an appVersion property to its metadata. This allows you to compare vulnerabilities between application versions, CI builds, etc. Contrast generates the appVersion in the following order:

  • If you specify an appVersion in the properties, Contrast will use it without modification.

  • If your build is running in TravisCI, Contrast will use appName-$TRAVIS_BUILD_NUMBER.

  • If your build is running in CircleCI, Contrast will use appName-$CIRCLE_BUILD_NUM.

  • If you don't specify an appVersion, Contrast will generate one in appName-yyyyMMddHHmmss format.
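The three option-detail sections above describe settings that interact: skipArgLine hands control of the JVM arguments back to you, serverPath keeps a multi-module CI build under one server entry, and appVersion labels each run. The profile below is an added example, not from the original page or the plugin's documentation, that exercises all three together in a CI-style configuration. Assumptions made for this example: the jar lives at a path held in a contrast.jar property (the jarPath parameter tells the plugin to reuse an already-downloaded agent there); -javaagent is the standard JVM flag for loading a Java agent and is used because the plugin is told not to touch argLine; credentials come from environment variables with names chosen here; and BUILD_NUMBER stands for whatever build identifier your CI exposes.

```xml
<!-- Added example: CI-oriented profile that manages the agent arguments itself.
     Property names (contrast.*), environment variable names and the jar location
     are assumptions for this example. -->
<profile>
    <id>run-with-contrast-ci</id>
    <properties>
        <!-- Agent jar already present in the checkout or a CI cache; the same
             property feeds both jarPath and argLine so the two cannot drift. -->
        <contrast.jar>${project.basedir}/tools/contrast.jar</contrast.jar>
        <!-- skipArgLine=true below means the plugin will not append to argLine,
             so the agent is loaded here explicitly. -Dcontrast.server must match
             the serverName parameter, as the parameter table states. -->
        <argLine>-javaagent:${contrast.jar} -Dcontrast.server=ci-build-server</argLine>
    </properties>
    <build>
        <plugins>
            <plugin>
                <groupId>com.contrastsecurity</groupId>
                <artifactId>contrast-maven-plugin</artifactId>
                <!-- serverPath is listed as available since 2.1, so use a 2.x
                     release at least that new. -->
                <version>2.1</version>
                <executions>
                    <execution>
                        <id>verify-with-contrast</id>
                        <phase>post-integration-test</phase>
                        <goals>
                            <goal>verify</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <username>${env.CONTRAST_USERNAME}</username>
                    <apiKey>${env.CONTRAST_API_KEY}</apiKey>
                    <serviceKey>${env.CONTRAST_SERVICE_KEY}</serviceKey>
                    <orgUuid>${env.CONTRAST_ORG_UUID}</orgUuid>
                    <apiUrl>https://app.contrastsecurity.com/Contrast/api</apiUrl>
                    <appName>MyAppName</appName>
                    <!-- One server entry for every module of this build. -->
                    <serverName>ci-build-server</serverName>
                    <serverPath>/my-app</serverPath>
                    <!-- Explicit appVersion: used verbatim, so the Travis/Circle
                         and timestamp fallbacks never apply. -->
                    <appVersion>${project.version}-${env.BUILD_NUMBER}</appVersion>
                    <!-- Reuse the checked-in agent instead of downloading one. -->
                    <jarPath>${contrast.jar}</jarPath>
                    <skipArgLine>true</skipArgLine>
                    <minSeverity>Medium</minSeverity>
                </configuration>
            </plugin>
        </plugins>
    </build>
</profile>
```

Because the install goal is omitted here, the build depends on the jar at ${contrast.jar} actually existing; if it does not, the JVM refuses to start with -javaagent and the integration tests fail before verify runs, which surfaces the misconfiguration immediately rather than silently testing without the agent.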