This is a simple Maven plugin integration of Cognifide's SecureCQ, a tool that checks a CQ instance for the most common security problems.
Name | Type | Since | Description
---|---|---|---
authorUrl | String | - | The author CQ instance URL. Default value is: `http://localhost:4502`. User property is: `scq.url.author`.
dispatcherUrl | String | - | The dispatcher CQ instance URL. User property is: `scq.url.dispatcher`.
enabledTests | String[] | - | The list of tests to perform. By default all of the following are run: config-validation, default-passwords, dispatcher-access, shindig-proxy, etc-tools, content-grabbing, feed-selector, wcm-debug, webdav, geometrixx and redundant-selectors.
publishUrl | String | - | The publish CQ instance URL. User property is: `scq.url.publish`.
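The same parameters can also be set in a project's `pom.xml` so the scan runs as part of the build instead of being passed as `-D` user properties on the command line. The following is an added example, not configuration shipped with the plugin: the plugin coordinates and parameter names come from the table above, while the `verify` phase binding, the example host names and the reduced list of enabled tests are assumptions for illustration.

```xml
<build>
  <plugins>
    <plugin>
      <!-- plugin coordinates as documented above (0.0.1 release) -->
      <groupId>com.adobe.adobemarketingcloud.github.maven</groupId>
      <artifactId>securecq-maven-plugin</artifactId>
      <version>0.0.1</version>
      <executions>
        <execution>
          <id>securecq-check</id>
          <!-- assumption: bind to verify so a failing check fails the build before anything is deployed -->
          <phase>verify</phase>
          <goals>
            <goal>securecq</goal>
          </goals>
          <configuration>
            <!-- example hosts; replace with the instances of the environment under test -->
            <authorUrl>http://author.example.test:4502</authorUrl>
            <publishUrl>http://publish.example.test:4503</publishUrl>
            <dispatcherUrl>http://dispatcher.example.test:80</dispatcherUrl>
            <!-- String[] parameter: only the checks listed here run;
                 omit the element entirely to run every check from the table -->
            <enabledTests>
              <enabledTest>default-passwords</enabledTest>
              <enabledTest>content-grabbing</enabledTest>
              <enabledTest>webdav</enabledTest>
            </enabledTests>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the selected checks, and any check reporting `FAIL` ends the build with the same `BUILD FAILURE` shown in the sample output below, which makes the plugin usable as a gate in a CI pipeline.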
- Run a CQ instance:

  ```sh
  java -Djava.net.preferIPv4Stack=true -jar cq5-5.6.0.20130129-author.jar
  ```

- Perform the tests:

  ```sh
  mvn com.adobe.adobemarketingcloud.github.maven:securecq-maven-plugin:0.0.1:securecq [-Dscq.url.author=http://${host}:${port} -Dscq.url.publish=http://${host}:${port} -Dscq.url.dispatcher=http://${host}:${port}]
  ```
It produces output like the following:

```
[INFO] ------------------------------------------------------------------------
[INFO] Building Cognifide's SecureCQ Maven plugin 0.0.1
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- securecq-maven-plugin:0.0.1-SNAPSHOT:securecq (default-cli) @ securecq-maven-plugin ---
[INFO] Performing security check 'config-validation'...
[INFO] 'config-validation' result: OK
[INFO] 'config-validation' passed tests:
[INFO] - URL [http://localhost:4502] for instance author looks OK
[INFO] - URL [http://localhost:4502] for instance publish looks OK
[INFO] - URL [http://localhost:4502] for instance dispatcher looks OK
[INFO] Performing security check 'default-passwords'...
[INFO] 'default-passwords' result: FAIL
[WARNING] 'default-passwords' detected some failures:
[WARNING] - User admin:admin exists on author
[WARNING] - User author:author exists on author
[WARNING] - User [email protected]:jdoe exists on author
[WARNING] - User [email protected]:aparker exists on author
[WARNING] - User admin:admin exists on publish
[WARNING] - User author:author exists on publish
[WARNING] - User [email protected]:jdoe exists on publish
[WARNING] - User [email protected]:aparker exists on publish
[INFO] 'default-passwords' passed tests:
[INFO] - User replication-receiver:replication-receiver doesn't exists on author
[INFO] - User replication-receiver:replication-receiver doesn't exists on publish
[INFO] Performing security check 'dispatcher-access'...
[INFO] 'dispatcher-access' result: OK
[INFO] 'dispatcher-access' passed tests:
[INFO] - [http://localhost:4502/.json] is restricted
[INFO] - [http://localhost:4502/.1.json] is restricted
[INFO] - [http://localhost:4502/.2.json] is restricted
[INFO] - [http://localhost:4502/apps.json] is restricted
[INFO] - [http://localhost:4502/bin.1.json] is restricted
[INFO] - [http://localhost:4502/bin/querybuilder.json] is restricted
[INFO] - [http://localhost:4502/bin/receive] is restricted
[INFO] - [http://localhost:4502/bin/workflow] is restricted
[INFO] - [http://localhost:4502/libs.json] is restricted
[INFO] - [http://localhost:4502/tmp.json] is restricted
[INFO] - [http://localhost:4502/var.json] is restricted
[INFO] - [http://localhost:4502/libs/cq/search/content/querydebug.html] is restricted
[INFO] - [http://localhost:4502/home/groups/e/everyone.json] is restricted
[INFO] Performing security check 'shindig-proxy'...
[INFO] 'shindig-proxy' result: OK
[INFO] 'shindig-proxy' passed tests:
[INFO] - [http://localhost:4502/libs/shindig/proxy] is restricted
[INFO] Performing security check 'etc-tools'...
[INFO] 'etc-tools' result: FAIL
[WARNING] 'etc-tools' detected some failures:
[WARNING] - [http://localhost:4502/crx/de/index.jsp] is not restricted
[INFO] Performing security check 'content-grabbing'...
[INFO] 'content-grabbing' result: FAIL
[WARNING] 'content-grabbing' detected some failures:
[WARNING] - [http://localhost:4502/.infinity.json] is not restricted
[WARNING] - [http://localhost:4502/.tidy.json] is not restricted
[WARNING] - [http://localhost:4502/.sysview.xml] is not restricted
[WARNING] - [http://localhost:4502/.docview.json] is not restricted
[WARNING] - [http://localhost:4502/.docview.xml] is not restricted
[WARNING] - [http://localhost:4502/.2.json] is not restricted
[WARNING] - [http://localhost:4502/.query.json] is not restricted
[INFO] Performing security check 'feed-selector'...
[INFO] 'feed-selector' result: FAIL
[WARNING] 'feed-selector' detected some failures:
[WARNING] - [http://localhost:4502/.feed.xml] is not restricted
[WARNING] - [http://localhost:4502/.feed.html] is not restricted
[INFO] Performing security check 'wcm-debug'...
[INFO] 'wcm-debug' result: OK
[INFO] 'wcm-debug' passed tests:
[INFO] - WCM debug filter is disabled at [http://localhost:4502/?debug=layout]
[INFO] Performing security check 'webdav'...
[INFO] 'webdav' result: FAIL
[WARNING] 'webdav' detected some failures:
[WARNING] - WebDAV is enabled at publish
[INFO] Performing security check 'geometrixx'...
[INFO] 'geometrixx' result: OK
[INFO] 'geometrixx' passed tests:
[INFO] - [http://localhost:4502/content/geometrixx/en.html] is restricted
[INFO] Performing security check 'redundant-selectors'...
[INFO] 'redundant-selectors' result: FAIL
[WARNING] 'redundant-selectors' detected some failures:
[WARNING] - [http://localhost:4502/.thisIsAdditionalSelector.html] is not restricted
[WARNING] - [http://localhost:4502/.this.is.additional.selector.html] is not restricted
[WARNING] - [http://localhost:4502/.html/thisIsAdditionalSuffix] is not restricted
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.653s
[INFO] Finished at: Mon Jun 24 15:47:51 CEST 2013
[INFO] Final Memory: 9M/2031M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.adobe.adobemarketingcloud.github.maven:securecq-maven-plugin:0.0.1-SNAPSHOT:securecq (default-cli) on project securecq-maven-plugin: SequreCQ detected secutity vulnerabilities in your instances, see the log for details.
```