From 946c6616e82336f341976ba05960220f41953cb0 Mon Sep 17 00:00:00 2001
From: Navaneeth Mysore Govindarajan <nmysore@sonatype.com>
Date: Fri, 9 Feb 2024 14:18:48 -0500
Subject: [PATCH] Simulate vulnerable method loaded

---
 .java-version                                 |  1 +
 pom.xml                                       | 38 +++++++++++++------
 .../petclinic/PostgresIntegrationTests.java   | 12 ++++++
 3 files changed, 39 insertions(+), 12 deletions(-)
 create mode 100644 .java-version

diff --git a/.java-version b/.java-version
new file mode 100644
index 000000000..b4de39476
--- /dev/null
+++ b/.java-version
@@ -0,0 +1 @@
+11
diff --git a/pom.xml b/pom.xml
index 7b65a5f7d..5b139b5ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,7 +16,6 @@
 
   <properties>
     <!-- Demo: Custom properties -->
-    <runtime-agent.version>1.0.7</runtime-agent.version>
     <clm.maven.plugin.version>2.45.0-01</clm.maven.plugin.version>
     <clm.serverUrl>http://ec2-107-23-150-171.compute-1.amazonaws.com:8070/</clm.serverUrl>
     <clm.serverId>ec2-107-23-150-171.compute-1.amazonaws.com</clm.serverId>
@@ -45,14 +44,6 @@
   </properties>
 
   <dependencies>
-    <!-- Demo: Add dependency to runtime-agent -->
-    <dependency>
-      <groupId>com.sonatype.data</groupId>
-      <artifactId>runtime-agent</artifactId>
-      <version>${runtime-agent.version}</version>
-    </dependency>
-
-
     <!-- Spring and Spring Boot dependencies -->
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -173,7 +164,7 @@
             </goals>
             <configuration>
               <outputDirectory>${project.build.directory}/lib</outputDirectory>
-              <stripVersion>true</stripVersion>
+              <stripVersion>false</stripVersion>
               <includeScope>compile</includeScope>
             </configuration>
           </execution>
@@ -188,7 +179,7 @@
         <configuration>
           <applicationId>${artifactId}</applicationId>
           <stage>stage-release</stage>
-          <skip>${clm.skip}</skip>
+          <skip>true</skip>
         </configuration>
         <executions>
           <execution>
@@ -205,8 +196,31 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test</goal>
+            </goals>
+          </execution>
+        </executions>
         <configuration>
-          <argLine>-javaagent:${project.build.directory}/lib/runtime-agent.jar -Djdk.attach.allowAttachSelf=true -Dsonatype.runtime.agent.enabled=true -Dsonatype.runtime.agent.debugMode=false -Dsonatype.runtime.agent.iq.protocol=http -Dsonatype.runtime.agent.iq.host=ec2-107-23-150-171.compute-1.amazonaws.com -Dsonatype.runtime.agent.iq.port=8070 -Dsonatype.runtime.agent.iq.user=1hPhFMQ2 -Dsonatype.runtime.agent.iq.password=EBuCs4fMF3M81UNrJEZqKPK6wgn41JjC6AMvXBlzngZ5 -Dsonatype.runtime.agent.iq.applicationId=spring-petclinic-runtime-agent -Dsonatype.runtime.agent.isIqApplicationIdPublic=true -Dsonatype.runtime.agent.blockedRunOnStartup=true -Dsonatype.runtime.agent.scanClasspath=false -Dsonatype.runtime.agent.fetchVulnerableClassesFromIQ=true -Dsonatype.runtime.agent.vulnerableMethodDetectionEnabled=true</argLine>
+          <argLine>
+            -javaagent:../runtime-agent-1.0.7.jar
+            -Djdk.attach.allowAttachSelf=true
+            -Dsonatype.runtime.agent.enabled=true
+            -Dsonatype.runtime.agent.debugMode=false
+            -Dsonatype.runtime.agent.iq.protocol=http
+            -Dsonatype.runtime.agent.iq.host=ec2-107-23-150-171.compute-1.amazonaws.com
+            -Dsonatype.runtime.agent.iq.port=8070
+            -Dsonatype.runtime.agent.iq.user=1hPhFMQ2
+            -Dsonatype.runtime.agent.iq.password=EBuCs4fMF3M81UNrJEZqKPK6wgn41JjC6AMvXBlzngZ5
+            -Dsonatype.runtime.agent.iq.applicationId=spring-petclinic-runtime-agent
+            -Dsonatype.runtime.agent.isIqApplicationIdPublic=true
+            -Dsonatype.runtime.agent.blockedRunOnStartup=true
+            -Dsonatype.runtime.agent.scanClasspath=false
+            -Dsonatype.runtime.agent.fetchVulnerableClassesFromIQ=true
+            -Dsonatype.runtime.agent.vulnerableMethodDetectionEnabled=true
+          </argLine>
         </configuration>
       </plugin>
 
diff --git a/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java b/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java
index 18945a570..86cafdf94 100644
--- a/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java
+++ b/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java
@@ -23,6 +23,7 @@ import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
 
+import ch.qos.logback.core.net.HardenedObjectInputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.jupiter.api.BeforeAll;
@@ -79,6 +80,17 @@ public class PostgresIntegrationTests {
 
 	@Test
 	void testFindAll() throws Exception {
+		// Demo: Inject dependency intentionally
+		/*
+		Sonatype Runtime Agent - [TIME]: *** Vulnerable CLASS LOADED [className=ch/qos/logback/core/net/HardenedObjectInputStream] by the JVM
+		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Class-Loaded' to component 2f9f280219a9922a7420 in application: a50576c3cd894d20b24dc0d98eea084b
+		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='2f9f280219a9922a7420'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/74387681c75446a5924812d032c77cad
+		Sonatype Runtime Agent - [TIME]: *** Class with vulnerable METHOD LOADED [className=ch/qos/logback/core/net/HardenedObjectInputStream, methodName=<init>, methodDescriptor=(Ljava/io/InputStream;[Ljava/lang/String;)V] by the JVM
+		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Method-Loaded' to component 2f9f280219a9922a7420 in application: a50576c3cd894d20b24dc0d98eea084b
+		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='2f9f280219a9922a7420'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/488f999c6730499a8cd454b37d3201b2
+		>> org.springframework.samples.petclinic.PostgresIntegrationTests loaded ch.qos.logback.core.net.HardenedObjectInputStream
+		 */
+		System.out.println(">> " + getClass().getName() + " loaded " + HardenedObjectInputStream.class.getName());
 		vets.findAll();
 		vets.findAll(); // served from cache
 	}