Distribution Verifier - Maven Plugin
https://github.com/dataliquid/distribution-verifier-maven-plugin

= Maven Distribution Verifier Plugin

image:https://github.com/dataliquid/distribution-verifier-maven-plugin/actions/workflows/ci.yml/badge.svg[CI Build,link=https://github.com/dataliquid/distribution-verifier-maven-plugin/actions/workflows/ci.yml]
image:https://img.shields.io/maven-central/v/com.dataliquid.maven/distribution-verifier-maven-plugin.svg[Maven Central,link=https://search.maven.org/artifact/com.dataliquid.maven/distribution-verifier-maven-plugin]
image:https://img.shields.io/badge/License-Apache%202.0-blue.svg[License,link=https://opensource.org/licenses/Apache-2.0]

== Introduction

The *Maven Distribution Verifier Plugin* verifies the contents of `.jar`, `.war`, `.ear` and `.zip` files against a defined whitelist. This ensures that only the expected artifacts, each with its expected fingerprint, end up in your application distribution.

If verification finds a hash value that differs from the whitelist, or a file that the whitelist does not define, the discrepancy is recorded in a report. In this way the *software artifact* is *additionally hardened* as part of the *quality assurance* process.

== Features

* Verify distribution files against a whitelist
* Support for JAR, WAR, EAR, and ZIP files
* MD5 checksum validation
* Generate detailed verification reports
* JUnit report format support
* Maven integration

== Requirements

* Java 11 or higher
* Maven 3.6.0 or higher

== Quick Start

Add the plugin to your Maven `pom.xml`:

[source,xml]
----
<plugin>
  <groupId>com.dataliquid.maven</groupId>
  <artifactId>distribution-verifier-maven-plugin</artifactId>
  <version>1.0.3</version>
  <configuration>
    <distributionFile>${project.build.directory}/${project.build.finalName}.zip</distributionFile>
    <whitelistFile>${project.basedir}/src/main/resources/whitelist.xml</whitelistFile>
    <reportFile>${project.build.directory}/distribution-verifier-report.xml</reportFile>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>verify</goal>
      </goals>
    </execution>
  </executions>
</plugin>
----

== Goals

The plugin provides two main goals:

=== verify

Verifies a distribution file against a whitelist.

*Parameters:*

[%header,cols="1,1,1,3"]
|===
|Parameter
|Type
|Required
|Description

|distributionFile
|File
|Yes
|The distribution file to verify (JAR, WAR, EAR, or ZIP)

|whitelistFile
|File
|Yes
|The whitelist XML file containing expected entries

|reportFile
|File
|No
|Output report file (default: target/distribution-verifier-report.xml)

|reportFormat
|String
|No
|Report format: "xml" or "junit" (default: "xml")

|failOnError
|boolean
|No
|Fail the build if verification errors are found (default: true)
|===

*Usage:*

[source,bash]
----
mvn distribution-verifier:verify
----

=== generate

Generates a whitelist from an existing distribution file.

*Parameters:*

[%header,cols="1,1,1,3"]
|===
|Parameter
|Type
|Required
|Description

|distributionFile
|File
|Yes
|The distribution file to analyze

|whitelistFile
|File
|Yes
|Output whitelist file location
|===

*Usage:*

[source,bash]
----
mvn distribution-verifier:generate
----

== Whitelist

The whitelist file `whitelist.xml` lists each expected file by its path inside the archive and, optionally, its MD5 fingerprint.

[%header,cols=2*]
|===
|Attribute
|Description

|path
|File path within the ZIP file

|md5
|Expected MD5 hash of the file. The attribute is optional; if it is missing, only the existence of the file is checked.
|===


== Report

After verification, all results are summarized in a report. The report file (`report.xml`) contains information on both successful and failed checks.

Each file is listed with a status and a message.

The status can have the following values:

* `SUCCESS`
* `FAILED`

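As an added illustration (not the plugin's own code), here is a minimal Python reimplementation of the check the report describes: every whitelisted path gets `SUCCESS` or `FAILED`, and archive entries the whitelist does not mention fail as well. The `path` and `md5` attributes are the README's; the `<file>` element name and the sample archive contents are constructed assumptions.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_sample_zip() -> bytes:
    """Constructed distribution: a good file, a tampered file, an unexpected file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/app.jar", b"app-1.0 bytes")
        zf.writestr("lib/core.jar", b"core-1.0 bytes, changed after the whitelist was written")
        zf.writestr("conf/app.properties", b"debug=false\n")
        zf.writestr("lib/extra.jar", b"not mentioned in the whitelist")
    return buf.getvalue()

# Constructed whitelist: path/md5 are the README's attributes; the element name
# <file> is an assumption, as the page does not show it. md5 is optional.
SAMPLE_WHITELIST = f"""<whitelist>
  <file path="lib/app.jar" md5="{md5_hex(b'app-1.0 bytes')}"/>
  <file path="lib/core.jar" md5="{md5_hex(b'core-1.0 bytes')}"/>
  <file path="conf/app.properties"/>
  <file path="docs/README.txt"/>
</whitelist>"""

def verify(zip_bytes: bytes, whitelist_xml: str) -> list:
    """One {path, status, message} row per whitelisted path, plus a FAILED row
    for every archive entry the whitelist does not mention."""
    expected = {el.get("path"): el.get("md5")
                for el in ET.fromstring(whitelist_xml).iter("file")}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        actual = {i.filename: md5_hex(zf.read(i)) for i in zf.infolist() if not i.is_dir()}
    rows = []
    for path, want in sorted(expected.items()):
        if path not in actual:
            rows.append({"path": path, "status": "FAILED", "message": "file missing"})
        elif want is not None and want.lower() != actual[path]:
            rows.append({"path": path, "status": "FAILED",
                         "message": f"md5 mismatch: expected {want}, got {actual[path]}"})
        else:
            rows.append({"path": path, "status": "SUCCESS", "message": "ok"})
    for path in sorted(set(actual) - set(expected)):  # unexpected content fails too
        rows.append({"path": path, "status": "FAILED", "message": "not in whitelist"})
    return rows

if __name__ == "__main__":
    for row in verify(build_sample_zip(), SAMPLE_WHITELIST):
        print(f'{row["status"]:7} {row["path"]:22} {row["message"]}')
```

MD5 is no longer collision-resistant, so a whitelist of this kind protects against accidental drift and unreviewed additions rather than against an adversary able to craft colliding artifacts; the same structure works unchanged with a stronger hash attribute.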

== Tools

To create an initial whitelist on Linux systems, the commands `find` and `md5sum` can be combined. To list all files with their path and MD5 hash in the whitelist structure, use this command:

[source,bash]
----
cd path/to/your/directory
# md5sum prints "<hash>  <path>"; awk swaps the fields into path="..." md5="..." pairs
# (paths containing whitespace would need quoting or find -print0 instead)
find * -type f -exec md5sum {} \; | awk '{printf "path=\"%s\" md5=\"%s\"\n", $2, $1}'
----

The generated entries are printed to the console once processing has completed and can then be transferred to your own whitelist.


== Examples

=== Basic Verification

Verify a distribution file with default settings:

[source,xml]
----
<plugin>
  <groupId>com.dataliquid.maven</groupId>
  <artifactId>distribution-verifier-maven-plugin</artifactId>
  <version>1.0.3</version>
  <executions>
    <execution>
      <phase>verify</phase>
      <goals>
        <goal>verify</goal>
      </goals>
      <configuration>
        <distributionFile>${project.build.directory}/${project.build.finalName}.zip</distributionFile>
        <whitelistFile>src/main/resources/whitelist.xml</whitelistFile>
      </configuration>
    </execution>
  </executions>
</plugin>
----

=== Generate Whitelist from Existing Distribution

[source,bash]
----
mvn distribution-verifier:generate \
-DdistributionFile=target/myapp.zip \
-DwhitelistFile=src/main/resources/whitelist.xml
----

=== JUnit Report Format

Generate reports in JUnit format for CI/CD integration:

[source,xml]
----
<configuration>
  <distributionFile>${project.build.directory}/${project.build.finalName}.war</distributionFile>
  <whitelistFile>src/main/resources/whitelist.xml</whitelistFile>
  <reportFile>${project.build.directory}/surefire-reports/distribution-verifier.xml</reportFile>
  <reportFormat>junit</reportFormat>
</configuration>
----

== Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

== License

This project is licensed under the Apache License 2.0 - see the link:LICENSE[LICENSE] file for details.