Maven Capslock Plugin

A Maven plugin that analyzes a Java project's dependencies for privileged operations (capabilities), in the spirit of Google's Capslock for Go.

Features

  • Capability Detection: Identifies privileged operations in dependencies

    • File system operations (read/write/delete)
    • Network operations
    • Process execution
    • Reflection and dynamic code loading
    • Native code (JNI)
    • Unsafe memory operations
    • System state modifications
  • Multiple Output Formats:

    • Text: Human-readable colored terminal output
    • JSON: Machine-readable format for tools
    • SARIF: Security tool integration format
  • Maven Integration: Runs as part of the normal build once the analyze goal is bound to a lifecycle phase

  • Risk Assessment: Categorizes capabilities by risk level (HIGH/MEDIUM/LOW)
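To make the detection concrete, here is an added, simplified sketch of how a capability analysis of this kind works. It is illustration code written for this page, not the plugin's implementation: the plugin works on bytecode, whereas this sketch uses a small hand-built call graph modelled on the commons-compress report shown later in this README, a constructed table of JDK sink methods, and HIGH/MEDIUM/LOW ratings that are assumed for the example rather than taken from the plugin. The CAPABILITY_JNI name and the ExecUtils.run entry are invented for the illustration.

```python
"""Added illustration: capability detection as reachability from a library's
public methods to privileged JDK "sink" APIs. Not the plugin's own code."""
from collections import deque

# Constructed sink table. Capability names follow Google's Capslock where they
# exist; the JDK methods chosen and the risk ratings are assumptions.
SINKS = {
    "java.io.FileInputStream.<init>": ("CAPABILITY_FILES", "MEDIUM"),
    "java.io.File.delete": ("CAPABILITY_FILES", "MEDIUM"),
    "java.net.Socket.<init>": ("CAPABILITY_NETWORK", "HIGH"),
    "java.lang.Runtime.exec": ("CAPABILITY_EXEC", "HIGH"),
    "java.lang.Class.forName": ("CAPABILITY_REFLECT", "MEDIUM"),
    "java.lang.System.loadLibrary": ("CAPABILITY_JNI", "HIGH"),   # name assumed
}
RISK_ORDER = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed call graph (caller -> callees), loosely modelled on the
# commons-compress example. Real input would be derived from bytecode.
CALL_GRAPH = {
    "ZipFile.<init>": ["ZipFile.openFile", "ZipFile.readCentralDirectory"],
    "ZipFile.readCentralDirectory": ["ZipFile.openFile", "ZipFile.positionAtEnd"],
    "ZipFile.openFile": ["java.io.FileInputStream.<init>"],
    "ZipFile.positionAtEnd": [],
    "ZstdUtils.isAvailable": ["java.lang.Class.forName"],
    "ExecUtils.run": ["java.lang.Runtime.exec"],      # invented, to show HIGH
    "CRC32.update": [],                                # pure computation
}


def find_capabilities(entry_points, call_graph, sinks):
    """Breadth-first search from each entry point. The first time a sink is
    reached, the path is the shortest call chain, which is what the text
    report prints under each capability.

    Returns (found, safe): found maps capability -> {"risk", "path"};
    safe is the set of entry points that reach no sink (CAPABILITY_SAFE)."""
    found, safe = {}, set()
    for entry in entry_points:
        hit = False
        queue, seen = deque([[entry]]), {entry}   # `seen` breaks cycles
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks:
                cap, risk = sinks[node]
                hit = True
                if cap not in found or len(path) < len(found[cap]["path"]):
                    found[cap] = {"risk": risk, "path": path}
                continue            # do not descend into the JDK itself
            for callee in call_graph.get(node, []):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
        if not hit:
            safe.add(entry)
    return found, safe


def highest_risk(found):
    """Overall rating for a package: the worst capability it can reach."""
    return max((v["risk"] for v in found.values()),
               key=RISK_ORDER.__getitem__, default="NONE")


def render(package, found, safe, include_safe=False):
    """Text in the general shape of the plugin's report (layout illustrative)."""
    lines = [f"Package: {package}", f"Risk: {highest_risk(found)}", "Capabilities:"]
    for cap in sorted(found):
        lines.append(f"  * {cap} [{found[cap]['risk']}]")
        lines.append("      " + " -> ".join(found[cap]["path"]))
    if include_safe and safe:
        lines.append("  * CAPABILITY_SAFE: " + ", ".join(sorted(safe)))
    return "\n".join(lines)


if __name__ == "__main__":
    entries = ["ZipFile.<init>", "ZstdUtils.isAvailable", "CRC32.update"]
    caps, safe = find_capabilities(entries, CALL_GRAPH, SINKS)
    print(render("org.apache.commons:commons-compress:1.24.0", caps, safe, True))
```

The point of the sketch is that a capability is a reachability fact, not a signature match: ZipFile.<init> never names FileInputStream itself, yet it is reported with CAPABILITY_FILES because a call chain to that constructor exists. The same reachability view explains why CRC32.update is CAPABILITY_SAFE and why the includeSafe option exists.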

Installation

Build and install the plugin locally:

mvn clean install

Usage

Basic Configuration

Add to your project's pom.xml:

<plugin>
    <groupId>com.github.serj</groupId>
    <artifactId>mvn-capslock</artifactId>
    <version>1.0-SNAPSHOT</version>
    <executions>
        <execution>
            <phase>compile</phase>
            <goals>
                <goal>analyze</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Configuration Options

<configuration>
    <!-- Output format: text, json, or sarif (default: text) -->
    <outputFormat>json</outputFormat>

    <!-- Enable verbose output (default: false) -->
    <verbose>true</verbose>

    <!-- Include CAPABILITY_SAFE in output (default: false) -->
    <includeSafe>false</includeSafe>

    <!-- Skip analysis (default: false) -->
    <skip>false</skip>

    <!-- Restrict analysis to one dependency, given as groupId:artifactId -->
    <targetPackage>org.apache.commons:commons-compress</targetPackage>

    <!-- Output file (optional, defaults to console) -->
    <outputFile>${project.build.directory}/capslock-report.json</outputFile>
</configuration>

Command-Line Usage

# Basic analysis
mvn capslock:analyze

# With verbose output
mvn capslock:analyze -Dcapslock.verbose=true

# JSON format to file
mvn capslock:analyze -Dcapslock.format=json -Dcapslock.outputFile=report.json

# Analyze specific package
mvn capslock:analyze -Dcapslock.package=org.apache.commons:commons-compress

# Skip analysis
mvn capslock:analyze -Dcapslock.skip=true

Example Output

Text Format

═══════════════════════════════════════════════════════
         JCapsLock Capability Analysis Report
═══════════════════════════════════════════════════════

Package: org.apache.commons:commons-compress:1.24.0
Capabilities:
  File System:
    • CAPABILITY_FILES - File system operations
      └─ ZipFile.<init> → FileInputStream.<init>
  Reflection:
    • CAPABILITY_REFLECT - Reflection and dynamic code
      └─ ZstdUtils → Class.forName

JSON Format

{
  "tool": "JCapsLock",
  "version": "1.0.0",
  "packages": [{
    "name": "org.apache.commons:commons-compress:1.24.0",
    "capabilities": [{
      "name": "CAPABILITY_FILES",
      "description": "File system operations"
    }]
  }]
}
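The JSON output is the form you would wire into CI. Below is an added example, written for this README and not part of the plugin, of a gate that reads a report in the shape above, checks each dependency against an expected set of capabilities (the policy format is an assumption of this example), blocks CAPABILITY_EXEC outright, and lists capabilities that appeared since a baseline report from the previous build. Both reports are constructed inline so the script runs offline; pass a real report path as the first argument to use it instead.

```python
"""Added example: gate a build on the plugin's JSON report. Written for this
page; the README describes no policy feature in the plugin itself."""
import json
import sys

# Constructed report in the JSON shape shown above. The second package has
# gained capabilities a pretty-printer has no business having.
REPORT_JSON = """{
  "tool": "JCapsLock", "version": "1.0.0",
  "packages": [
    {"name": "org.apache.commons:commons-compress:1.24.0",
     "capabilities": [{"name": "CAPABILITY_FILES",   "description": "File system operations"},
                      {"name": "CAPABILITY_REFLECT", "description": "Reflection and dynamic code"}]},
    {"name": "com.example:pretty-printer:2.1.0",
     "capabilities": [{"name": "CAPABILITY_NETWORK", "description": "Network operations"},
                      {"name": "CAPABILITY_EXEC",    "description": "Process execution"}]}
  ]
}"""

# Constructed baseline from the previous build (pretty-printer 2.0.0 was safe).
BASELINE_JSON = """{
  "tool": "JCapsLock", "version": "1.0.0",
  "packages": [
    {"name": "org.apache.commons:commons-compress:1.23.0",
     "capabilities": [{"name": "CAPABILITY_FILES",   "description": "File system operations"},
                      {"name": "CAPABILITY_REFLECT", "description": "Reflection and dynamic code"}]},
    {"name": "com.example:pretty-printer:2.0.0", "capabilities": []}
  ]
}"""

# Policy (assumed format): expected capabilities per groupId:artifactId, so a
# version bump is re-checked against the same expectation. Unknown packages and
# capabilities outside the set are findings; BLOCK_ALWAYS fails regardless.
POLICY = {
    "org.apache.commons:commons-compress": {"CAPABILITY_FILES", "CAPABILITY_REFLECT"},
    "com.example:pretty-printer": set(),
}
BLOCK_ALWAYS = {"CAPABILITY_EXEC"}


def load_report(text):
    return json.loads(text)


def coordinates(name):
    """'group:artifact:version' -> 'group:artifact'."""
    group, artifact = name.split(":")[:2]
    return f"{group}:{artifact}"


def capability_map(report):
    """groupId:artifactId -> set of capability names (CAPABILITY_SAFE dropped)."""
    return {coordinates(p["name"]): {c["name"] for c in p["capabilities"]
                                     if c["name"] != "CAPABILITY_SAFE"}
            for p in report["packages"]}


def evaluate(report, policy, block_always):
    """Return (package, capability, reason) findings; an empty list is a pass."""
    findings = []
    for pkg in report["packages"]:
        name, allowed = pkg["name"], policy.get(coordinates(pkg["name"]))
        for cap in sorted(c["name"] for c in pkg["capabilities"]):
            if cap == "CAPABILITY_SAFE":
                continue
            if cap in block_always:
                findings.append((name, cap, "blocked unconditionally"))
            elif allowed is None:
                findings.append((name, cap, "no policy entry for this dependency"))
            elif cap not in allowed:
                findings.append((name, cap, "not in the policy's allowed set"))
    return findings


def added_capabilities(baseline, current):
    """Capabilities present now that the baseline did not have: the signal that
    a dependency update widened what the library is able to do."""
    before, after = capability_map(baseline), capability_map(current)
    return sorted((coords, cap) for coords, caps in after.items()
                  for cap in caps - before.get(coords, set()))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REPORT_JSON
    current = load_report(text)
    findings = evaluate(current, POLICY, BLOCK_ALWAYS)
    for finding in findings:
        print("FAIL %s: %s (%s)" % finding)
    for coords, cap in added_capabilities(load_report(BASELINE_JSON), current):
        print(f"NEW  {coords} now has {cap}")
    sys.exit(1 if findings else 0)
```

In a pipeline, run it after `mvn capslock:analyze -Dcapslock.format=json -Dcapslock.outputFile=target/capslock-report.json` and keep the previous build's report as the baseline. The policy is keyed without the version on purpose: the interesting event is a dependency that starts reaching CAPABILITY_NETWORK or CAPABILITY_EXEC after a routine upgrade, and keying by version would silently reset that expectation on every bump.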

Capabilities

JCapsLock reports the same capability categories as Google's Capslock; see the Capslock documentation for the full list and their meanings. As with Capslock, a reported capability means a call path to a privileged API exists inside the artifact, not that your application necessarily reaches it. Code reached only through reflection or native (JNI) calls cannot be followed by static analysis, which is why those show up as capabilities in their own right.

License

Apache 2.0 License