Java/Kotlin Spring Boot ecosystem analyzer plugin for AttackMap (Spring MVC routing, JAX-RS, Ktor; Spring Data JPA / Mongo / Redis; Spring Security; jjwt; RestTemplate / WebClient / OkHttp).
Project description
attackmap-analyzer-java-spring
Java and Kotlin Spring Boot ecosystem analyzer for AttackMap.
This analyzer extracts structured signals from Maven and Gradle projects:
- Web frameworks — Spring MVC / Spring Boot (annotation routing with class-level
@RequestMappingprefix joining), JAX-RS / Jersey / Quarkus (@Path+@GET/@POST), Ktor (Kotlin DSL), Javalin, Micronaut - Databases — Spring Data JPA (
@Entity,JpaRepository), Spring Data MongoDB (@Document,MongoRepository), Spring Data Redis (RedisTemplate), JDBC (DriverManager.getConnectionwith driver-aware kind inference), Hibernate, jOOQ, AWS SDK (S3, DynamoDB) - Auth packages — Spring Security (
@PreAuthorize,@Secured,SecurityFilterChain,@EnableWebSecurity), jjwt / nimbus-jose-jwt, BCrypt / Argon2 / SCrypt password encoders, OAuth2 (oauth2Login,OAuth2AuthenticationToken) - HTTP clients (external calls) — RestTemplate, WebClient, java.net.http.HttpClient, OkHttpClient,
@FeignClient, Apache HttpClient - Secrets —
System.getenv,@Value("${...}"),Environment.getProperty(...) - Service hints —
<artifactId>frompom.xml,rootProject.namefrom Gradle settings,spring.application.namefromapplication.properties/application.yml
All emissions populate AttackMap's Signal v2 fields (line numbers, evidence snippets, confidence scores) so downstream insights can cite path/to/file.java:NN.
Install
pip install git+https://github.com/mlaify/attackmap-analyzer-java-spring.git
The analyzer is auto-discovered by AttackMap via the attackmap.analyzers entry-point group.
Usage with AttackMap
# Auto-discovered when installed:
attackmap analyze /path/to/spring/repo
# Or invoke explicitly:
attackmap analyze /path/to/spring/repo --module java-spring
Detection
detect() returns true when any of the following are present, ignoring target/, build/, .gradle/, .mvn/, .idea/, .git/, out/, bin/, and node_modules/:
pom.xml,build.gradle,build.gradle.kts,settings.gradle, orsettings.gradle.ktsat the root.java,.kt, or.ktsfiles anywhere in the tree
Coverage notes
- Class-level
@RequestMappingprefix joining: a class annotated with@RequestMapping("/api/users")causes its method-level@GetMapping("/{id}")to emit as/api/users/{id}. Multiple classes in one file are tracked correctly — the prefix in effect is whichever class declaration most recently preceded the method annotation. @PostMappingwith no value (e.g.@PostMapping public Object create()) is not currently extracted — the regex requires a string argument. Workaround: write@PostMapping("")or@PostMapping("/"). Roadmap.- JAX-RS class + method
@Pathjoining: the first@Pathin a JAX-RS file is treated as the class-level prefix and joined to subsequent method-level@Pathannotations. HTTP verb (@GET,@POST, etc.) is captured by looking ahead from the@Pathfor the next verb annotation within ~800 chars. - Kotlin Ktor:
routing { get("/x") { ... } }extraction only fires when the file contains anio.ktorimport orktor.server.routingreference, to avoid mis-attributingget(...)calls on Maps and other types. - Javalin and Micronaut are similarly framework-gated.
- OkHttp / java.net.http.HttpClient: literal-URL builder patterns (
new Request.Builder().url("https://..."),HttpRequest.newBuilder(URI.create("https://..."))) are picked up. Calls where the URL is built by string concatenation are not.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file attackmap_analyzer_java_spring-0.1.0.tar.gz.
File metadata
- Download URL: attackmap_analyzer_java_spring-0.1.0.tar.gz
- Upload date:
- Size: 16.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
19c0ce351238f42aeb18c45586f010d3c3b6e6461ff306aafa1bc6f29dbada28
|
|
| MD5 |
85093a8f43a789852a84e671f5731bd3
|
|
| BLAKE2b-256 |
a7fe5042dcbe8a942a145802f4e33f0f02355968dfdee5a47c6bd9193df002e1
|
Provenance
The following attestation bundles were made for attackmap_analyzer_java_spring-0.1.0.tar.gz:
Publisher:
release.yml on mlaify/attackmap-analyzer-java-spring
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
attackmap_analyzer_java_spring-0.1.0.tar.gz -
Subject digest:
19c0ce351238f42aeb18c45586f010d3c3b6e6461ff306aafa1bc6f29dbada28 - Sigstore transparency entry: 1955266923
- Sigstore integration time:
-
Permalink:
mlaify/attackmap-analyzer-java-spring@d2d916dbe2d2090730940f86082813ae9cb1099b -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/mlaify
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@d2d916dbe2d2090730940f86082813ae9cb1099b -
Trigger Event:
push
-
Statement type:
File details
Details for the file attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl.
File metadata
- Download URL: attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl
- Upload date:
- Size: 12.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
895e906c833907269907b8e7d598a0b67c95dd4a6ff59f3279f499340b5bb691
|
|
| MD5 |
b0faebd0f7514cb299cceaaba1cca54d
|
|
| BLAKE2b-256 |
875883a8a345c8b3e5c4b61e4655a287b28a8dc0fbf3bdaecfbc10a50896f060
|
Provenance
The following attestation bundles were made for attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl:
Publisher:
release.yml on mlaify/attackmap-analyzer-java-spring
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl -
Subject digest:
895e906c833907269907b8e7d598a0b67c95dd4a6ff59f3279f499340b5bb691 - Sigstore transparency entry: 1955267108
- Sigstore integration time:
-
Permalink:
mlaify/attackmap-analyzer-java-spring@d2d916dbe2d2090730940f86082813ae9cb1099b -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/mlaify
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@d2d916dbe2d2090730940f86082813ae9cb1099b -
Trigger Event:
push
-
Statement type: