Contrast Maven plugin
The Contrast Maven plugin integrates the Contrast JAR with your build. It can authenticate a user to Contrast, download the latest Java agent and verify your build.
Note
Maven is a build tool that utilizes pom.xml files to configure your applications. It's used to build, package and test Java applications.
This topic refers to version 2.0 of the Contrast Maven plugin. For information on version 1.X, refer to the documentation in the Contrast GitHub repository.
Tip
You can also:
Install the Java agent in an existing Maven project
Install the agent on Maven Apache Tomcat
Install the agent with the Maven Cargo plugin
Configure the plugin
The table below shows all the parameters for the plugin. These settings are for connecting to Contrast and filtering your vulnerabilities. You can find key values under your personal keys or agent keys.
Parameter | Required | Default | Description | Since |
---|---|---|---|---|
username | True | | Username in Contrast | |
serviceKey | True | | Service key | |
apiKey | True | | API key | |
orgUuid | True | | Organization UUID | |
appName | True | | Name of the application as seen in Contrast | |
appId | False | | ID of the application as seen in Contrast. Either the | 2.5 |
standalone | False | False | Set this to "true" if this is a standalone application | 2.2 |
appVersion | False | | The | |
apiUrl | True | | API URL to Contrast | |
serverName | True | | Name of the server you set with | |
serverPath | False | | The server context path | 2.1 |
minSeverity | False | Medium | Minimum severity level to verify; options are Note, Low, Medium, High or Critical | |
jarPath | False | | Path to contrast.jar, if you already have one downloaded | |
skipArgLine | False | False | If this is "true", the plugin will not alter the Maven | 2.0 |
Note
Even if your build otherwise succeeds, the plugin fails the overall build if it finds a vulnerability whose severity is at or above the configured minSeverity.
The following configuration is an example of a profile for the Contrast Maven Plugin. To run with this profile, use mvn install -P run-with-contrast.

```xml
<profile>
  <id>run-with-contrast</id>
  <build>
    <plugins>
      <plugin>
        <groupId>com.contrastsecurity</groupId>
        <artifactId>contrast-maven-plugin</artifactId>
        <version>2.0</version>
        <executions>
          <execution>
            <id>install-contrast-jar</id>
            <goals>
              <goal>install</goal>
            </goals>
          </execution>
          <execution>
            <id>verify-with-contrast</id>
            <phase>post-integration-test</phase>
            <goals>
              <goal>verify</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <username>test_user</username>
          <apiKey>testApiKey</apiKey>
          <serviceKey>testServiceKey</serviceKey>
          <apiUrl>https://app.contrastsecurity.com/Contrast/api</apiUrl>
          <orgUuid>QWER-ASDF-ZXCV-ERTY</orgUuid>
          <appName>MyAppName</appName>
          <appId>bc3028e6-82ac-410f-b9c7-13573d33cb94</appId>
          <serverName>MyServerName</serverName>
          <minSeverity>High</minSeverity>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>
```
Use the plugin
Use the Maven plugin to allow Contrast to discover vulnerabilities in your application during integration or verification tests.
You can view the plugin code in Contrast's GitHub repository. You can also review how our two tasks, install and verify, work.

Task | Description |
---|---|
install | Installs a Contrast Java agent to your local project. |
verify | Checks for new vulnerabilities in your web application. |
Option details
JVM arguments
The Contrast Maven plugin configures your JVM arguments to use the Contrast agent by appending to the argLine property from the Maven properties. If you want to prevent this in order to build your own JVM arguments, set skipArgLine to true in the plugin properties.
serverPath
Multi-module Maven builds can appear as different servers in Contrast. If you want to avoid this and prefer to see all modules under the same server in Contrast, set the serverPath property.
You are strongly encouraged to add a serverPath if this build will run in a continuous integration (CI) environment such as Travis CI or Circle CI. This will help you keep your servers tidy in Contrast.
appVersion
When your application's integration tests are run, the Contrast agent can add an appVersion property to its metadata. This allows you to compare vulnerabilities between application versions, CI builds, etc. Contrast generates the appVersion in the following order:
1. If you specify an appVersion in the properties, Contrast uses it without modification.
2. If your build is running in Travis CI, Contrast uses appName-$TRAVIS_BUILD_NUMBER.
3. If your build is running in CircleCI, Contrast uses appName-$CIRCLE_BUILD_NUM.
4. If you don't specify an appVersion, Contrast generates one in appName-yyyyMMddHHmmss format.
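The profile below is an added example written for this page; it is not from the Contrast documentation or the plugin's own sources. It ties the three options above together for a CI build: a fixed serverPath so every module of a multi-module build lands under one server, an explicit appVersion taken from the standard Maven property project.version so the CI-number and timestamp fallbacks never apply, and skipArgLine set to true with a hand-built argLine. It assumes contrast.jar has already been downloaded to lib/ under the project root (the jarPath value), and that the credentials arrive as Maven properties named contrast.username, contrast.apiKey, contrast.serviceKey and contrast.orgUuid (set with -D on the command line or in a settings.xml profile) rather than being committed to the pom; those property names are this example's own choice.

```xml
<!-- Added example, not part of the Contrast docs or the plugin's sources.
     Assumptions: contrast.jar already sits in lib/ under the project root,
     and the contrast.* properties below are supplied via -D flags or
     settings.xml so no key is committed to the pom. -->
<profile>
  <id>ci-with-contrast</id>
  <properties>
    <!-- skipArgLine=true makes the plugin leave argLine alone, so the
         -javaagent flag is supplied here instead. Surefire and Failsafe read
         the argLine property by default, which is what loads the agent into
         the forked test JVM. -->
    <argLine>-javaagent:${project.basedir}/lib/contrast.jar -Xmx1g</argLine>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>com.contrastsecurity</groupId>
        <artifactId>contrast-maven-plugin</artifactId>
        <version>2.0</version>
        <executions>
          <execution>
            <id>install-contrast-jar</id>
            <goals>
              <goal>install</goal>
            </goals>
          </execution>
          <execution>
            <id>verify-with-contrast</id>
            <phase>post-integration-test</phase>
            <goals>
              <goal>verify</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- Credentials come from properties, never as literals in the pom. -->
          <username>${contrast.username}</username>
          <apiKey>${contrast.apiKey}</apiKey>
          <serviceKey>${contrast.serviceKey}</serviceKey>
          <apiUrl>https://app.contrastsecurity.com/Contrast/api</apiUrl>
          <orgUuid>${contrast.orgUuid}</orgUuid>
          <appName>MyAppName</appName>
          <serverName>MyServerName</serverName>
          <!-- One serverPath for every module: the whole multi-module build
               shows up as a single server in Contrast. -->
          <serverPath>ci-build</serverPath>
          <!-- Explicit appVersion is used without modification, so builds can
               be compared by the same version string the artifact carries. -->
          <appVersion>${project.version}</appVersion>
          <!-- Reuse the jar already in lib/ rather than downloading one. -->
          <jarPath>${project.basedir}/lib/contrast.jar</jarPath>
          <!-- Hands-off argLine: the <argLine> property above is ours. -->
          <skipArgLine>true</skipArgLine>
          <minSeverity>High</minSeverity>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>
```

Run it with mvn verify -P ci-with-contrast -Dcontrast.username=... -Dcontrast.apiKey=... -Dcontrast.serviceKey=... -Dcontrast.orgUuid=... (or put those four properties in a settings.xml profile on the CI agent). Because the plugin no longer edits argLine, anything else the agent needs at runtime beyond the -javaagent flag (its own view of the credentials, server and application names) has to come from your argLine or the agent's own configuration; check the Java agent's configuration reference for the exact property names rather than copying them from this example. The verify goal still runs at post-integration-test and fails the build on any High or Critical finding.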