contrast security plugin for eclipse

I recently learned that Contrast Security has a free plugin that tests your application against the OWASP Top 10.  We’ve tried to fix these already. You can read about how we fixed Clickjacking, CSRF and XSS in JForum.

Installing

I started out by installing the Contrast plugin from the Eclipse Marketplace. After restarting Eclipse, a Contrast view automatically opens with instructions. It says to right click your server and choose “Start with Contrast.” Easy enough. I usually use Sysdeo so I can start the server in one click, but this is hardly onerous.

A Diversion: Fixing Tomcat Configuration

I got an error on startup. I then tried to start the server using the server view (without Contrast) and got the same NoSuchMethodError:

java.lang.NoSuchMethodError: sun.security.ec.NamedCurve.<init>(Ljava/lang/String;Ljava/lang/String;Ljava/security/spec/EllipticCurve;Ljava/security/spec/ECPoint;Ljava/math/BigInteger;I)V

I fixed this by switching Tomcat 7 to use Java 7 instead of Java 8. (We aren’t using Java 8 yet for CodeRanch’s JForum software so this is fine.)

  • Workspace preference
  • Server
  • Runtime Environments
  • Click Tomcat and edit
  • Choose Java 7 as JRE

This had nothing to do with Contrast. I hadn’t encountered it because I was using Sysdeo to start Tomcat before this.

Actually testing

Now that the server starts up, I stopped it and restarted with Contrast. Then I clicked around the app a bit. (You can use Selenium tests or any other testing tool to automate this part.) The Contrast view starts to populate with its findings. I clicked around until I had about a dozen findings. They were:

Category: Orange
Issue: Insecure hash algorithms in XXX
Instances: 3
Details: Provides an explanation of what the problem is, why it might/might not be a problem along with the stack trace (showing how it is used) and the HTTP request/headers for the request(s) that triggered it.
My analysis: Two of the three findings refer to the exact same line of code (which was run on two different screens). The other appears to be in Tomcat itself. My configuration isn’t the same as the real server here. [The other two I need to look into further]

Category: Yellow
Issue: Anti-Caching Controls Missing in XXXX
Instances: 6
Details: Provides the HTTP request/headers, suggested remediation.
My analysis: It’s annoying to have this reported on every page. Glad there is an “ignore this rule” option. We run a public website and want things to be cached. Client side caching makes the site faster for users and doesn’t leak information since 90% of our information is public to begin with. The only risk is if a moderator accesses the private forum on a public computer. We are technical users and know to clear data if this happens.

Category: Yellow
Issue: Forms without autocomplete prevention
Instances: 3
Details: Provides the HTTP request/headers, suggested remediation.
My analysis: Again, we are a public site so not a big deal for browsers to retain information.

Category: Warning
Issue: CVE(s) in commons-httpclient-3-1.jar
Instances: 1
Details: Provides links to the two CVEs along with the manifest of the vulnerable library.
My analysis: I knew this from running Sonatype CLM Insight. The two CVEs are in functionality in the library that we don’t use. Still it is sweet to have this information available for free and with almost no effort. (Insight is a commercial product. We saw a one time result from the report.) I was concerned that information about the jars was being sent over the internet so I asked on Twitter. Jeff Williams replied that the CVE information is in a built in database updated via Eclipse Marketplace. Neat!
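The anti-caching finding above is really a scoping question: public pages should stay cacheable, but the private forum should not be left in a shared browser's cache. As an added example (not code from the post or from JForum), here is a servlet filter for a Tomcat 7 / Servlet 3.0 app that sends no-store headers only on private paths; the path prefixes are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not JForum code: applies anti-caching headers only to
 * private areas so public pages remain cacheable by browsers and proxies.
 * The prefixes below are assumed paths, not JForum's real URL layout.
 */
public class PrivatePageNoCacheFilter implements Filter {

    private static final List<String> PRIVATE_PREFIXES =
            Arrays.asList("/forums/private/", "/admin/", "/user/");

    // Exposed for unit testing: true when the path belongs to a private area.
    static boolean isPrivatePath(String servletPath) {
        if (servletPath == null) {
            return false;
        }
        for (String prefix : PRIVATE_PREFIXES) {
            if (servletPath.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isPrivatePath(request.getServletPath())) {
            // no-store is what modern clients honour; Pragma and Expires cover
            // HTTP/1.0 caches. Set before the chain runs so every private
            // response carries them unless a downstream servlet overrides.
            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0L);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map it to /* in web.xml (or with @WebFilter("/*")) ahead of the application's other filters; with this in place the scanner's anti-caching rule only fires on pages that actually hold private data.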

What to do with the results

When right clicking on any finding, you have four options:

  • Mark Resolved
  • Delete
  • Ignore (this instance) – useful for a false positive
  • Ignore rule – useful for a rule that doesn’t apply

My thoughts on the Contrast plugin

  • I like that the stack trace is included because it is easy to see context. I also like that lines belonging to the app are in blue in the stack trace.
  • It was very easy to use. And free. Which makes using it a no brainer.
  • While there aren’t false positives from unused code, there are false positives from context (which a tool can’t know).
  • Two of the rules triggered on a number of pages. (and would have triggered on a lot if I tested more)
  • While I don’t have a long list of things to follow up, it was a good thought exercise. And the reason I don’t have a long list is because we manually went through the OWASP top 10 in preparation for the “Iron Clad Java” promo recently. (so as not to have embarrassing issues pointed out)

eclipse luna

When I went to eclipse.org, I wasn’t greeted by the cool Kepler book from last year. I did see “are you ready for Java 8” front and center. The matrix comparing the packages is still clear. I chose the Java EE version. The download page had a warning that “Eclipse requires Mac OS X 10.5 (Leopard) or greater.” No problem. I’m on the latest version. I’m also on the latest version of Java 8.

Initial launch

When launching my workspace, I got the warning:

Warning: Workspace ‘/myWorkspace’ was written with an older version of the product and will be updated. Updating the workspace can make it incompatible with older versions of the product. Are you sure you want to continue with this workspace.

Which is fine. I’m not going backward. And all the important code is in Subversion or Git anyway. The “Failed to load the JNI shared library” error I got with Kepler is fixed. To be fair, it was fixed in Kepler SR 1, but I never upgraded. It’s nice to be able to launch Eclipse through the icon again though.

Installing the plugins

Like last year, I decided to install the plugins I need from Eclipse Marketplace so I can shed the plugins I tried out and don’t actually want. Cleaning plugin house once a year is nice. The biggest plugin I wanted to shed was the old experimental FIRST robotics plugin. It was never intended for Kepler. I installed it last month to write a presentation.

The significant plugins I use are listed below. A number of plugins were beta for Luna or I had to use the Kepler version. I don’t remember that problem in previous years.

  • Mongrel – Tomcat integration supporting Tomcat 7. (The version of Sysdeo I was using seems to have had that too but at least Mongrel looks more active.) It looks like they used the Sysdeo source code and forked it since Sysdeo isn’t getting updates anymore. Last year, I tried Mongrel and fell back to Sysdeo. This year, Mongrel stuck. I’m happy with it.
  • Ecl Emma – Code coverage.
  • PMD and FindBugs – Static analysis. For PMD, I had to use the update site. An install “happened” through Eclipse Marketplace, but I didn’t get any of the PMD settings I was expecting. Using the update site gave me what I expected.
  • Subversive – To access Subversion repositories.
  • Groovy/Grails Tool Suite (didn’t install) – Groovy project/editor and console. At this time only the Kepler version is available, which conflicts with other plugins I’ve installed. I’ll use the command line (or fall back to Kepler) for the time being.
  • Eclipse Memory Analyzer – For finding memory leaks. Last year this was only available via an update site. Now it is in Eclipse Marketplace.
  • Freemarker IDE – Freemarker syntax highlighting and macro assistance. Note that it is listed under the JBoss Tool Project. You pick that plugin and then unselect everything except “Freemarker IDE”.
  • Python – Python plugin/perspective (had to download one for Eclipse 3.6).
  • Code Recommenders – I think this one is new for Luna. It’s supposed to be better than autocomplete. So far it is a nice toy. I do like that it prompts you when you use autocomplete to make it the default, enable subword matches, etc., making it easy to see what is going on.

I have faster internet (FIOS) since last year so the downloading was faster. However, finding the right plugins took longer this time. And I still find it odd that Git is included and Subversion is not. Licenses I guess.

What excites me

  1. Java 8 support! This blog post shows the quick fixes and the like that are available. They did a really good job. The integration is very intuitive and “just works”
  2. eGit has come a long way. It even supports cherry picking now. I think I’ll still mostly use command line, but it is nice to have a visual option.
  3. Drag and drop to change order of the list of perspectives in the toolbar.

What frustrates me

  1. Nothing. I’m really happy with Luna

eclipse kepler (4.3) on a mac

Getting started

When going to the Eclipse site, I was greeted with a cool book looking page about Kepler. Who Kepler is, what’s new, the link to download, etc.

Choosing a package

Eclipse has a nice chart comparing the features in each edition.  I’m excited to see git and maven got promoted to the Java EE edition.  In fact the Java EE edition is *almost* a superset of the Java edition now.  The download is 50MB bigger than last time.  And since Verizon wired the basement for FIOS but not any individual apartments yet, this means 30-45 minute download.  Now that I have the file eclipse-jee-kepler-R-macosx-cocoa-x86_64.tar, I can start.

Installing on A Mac was a small adventure

I did the usual of untarring and copying the eclipse folder into Applications.  I got an error: “Eclipse” is damaged and can’t be opened.  You should move it to the Trash.

I found a command here to get Gatekeeper to allow it:  xattr -d com.apple.quarantine /Applications/eclipse/Eclipse.app

Then I got: Failed to load the JNI shared library /Library/java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/bin/../jre/lib/client/libjvm.dylib

I was on Java 7 update 17. I updated to update 25, but that didn’t help. I then tried using a launch startup script per the bug report. Note that I needed to change two lines (the ones pointing under /Applications/eclipse) to point to my install location.

#!/bin/bash
/Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/jre/bin/java \
-Djava.library.path=/Applications/eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.200.v20130521-0416/eclipse_1507.so \
-Xms512m \
-Xmx2048m \
-Xdock:icon=../Resources/Eclipse.icns \
-XstartOnFirstThread \
-Dorg.eclipse.swt.internal.carbon.smallFonts \
-XX:MaxPermSize=256m \
-jar /Applications/eclipse/plugins/org.eclipse.equinox.launcher_1.3.0.v20130327-1440.jar \
-os macosx \
-ws cocoa \
-arch x86_64 \
-showsplash \
-name Eclipse \
--launcher.appendVmargs \
-debug

It sounds like this will be fixed in Kepler SR 1. In the meantime I renamed my script to end in .command so I can open it via the Applications Finder window (nice tip).

First Impressions

Since some of the plugins I was using are now built in and others I don’t use anymore (that I installed over the past year), I decided not to import my plugins from a previous installation and start anew.  It’s easy enough to install from the marketplace.

The significant plugins I use:

  • Mongrel – Tomcat integration supporting Tomcat 7. (The version of Sysdeo I was using seems to have had that too but at least Mongrel looks more active.) Used the Sysdeo source code and forked it since Sysdeo isn’t getting updates anymore.
  • Ecl Emma – Code coverage.
  • PMD and FindBugs – Static analysis.
  • Subversive – To access Subversion repositories.
  • Groovy/Grails Tool Suite – Groovy project/editor and console.
  • Eclipse Memory Analyzer – For finding memory leaks. Must use update site rather than marketplace.
  • Freemarker IDE – Freemarker syntax highlighting and macro assistance. Note that it is listed under the JBoss Tool Project.
  • Papyrus – UML editor, under install new software > kepler > papyrus. (I don’t recommend Papyrus at this time.)
  • Python – Python plugin/perspective.

What excites me

  1. Mylyn connector improvements (for code review)
  2. Remove type arguments after content assist – this happened just often enough to be annoying
  3. IDE support for JUnit Assumptions

What frustrates me

  1. The mess about Mac support for Kepler.  It’s annoying launching from the command line (or even a command).