Java/Kotlin Spring Boot ecosystem analyzer plugin for AttackMap (Spring MVC routing, JAX-RS, Ktor; Spring Data JPA / Mongo / Redis; Spring Security; jjwt; RestTemplate / WebClient / OkHttp).

Project description

attackmap-analyzer-java-spring

Java and Kotlin Spring Boot ecosystem analyzer for AttackMap.

This analyzer extracts structured signals from Maven and Gradle projects:

  • Web frameworks — Spring MVC / Spring Boot (annotation routing with class-level @RequestMapping prefix joining), JAX-RS / Jersey / Quarkus (@Path + @GET/@POST), Ktor (Kotlin DSL), Javalin, Micronaut
  • Databases — Spring Data JPA (@Entity, JpaRepository), Spring Data MongoDB (@Document, MongoRepository), Spring Data Redis (RedisTemplate), JDBC (DriverManager.getConnection with driver-aware kind inference), Hibernate, jOOQ, AWS SDK (S3, DynamoDB)
  • Auth packages — Spring Security (@PreAuthorize, @Secured, SecurityFilterChain, @EnableWebSecurity), jjwt / nimbus-jose-jwt, BCrypt / Argon2 / SCrypt password encoders, OAuth2 (oauth2Login, OAuth2AuthenticationToken)
  • HTTP clients (external calls) — RestTemplate, WebClient, java.net.http.HttpClient, OkHttpClient, @FeignClient, Apache HttpClient
  • Secrets — System.getenv, @Value("${...}"), Environment.getProperty(...)
  • Service hints — <artifactId> from pom.xml, rootProject.name from Gradle settings, spring.application.name from application.properties/application.yml

All emissions populate AttackMap's Signal v2 fields (line numbers, evidence snippets, confidence scores) so downstream insights can cite path/to/file.java:NN.

Install

pip install git+https://github.com/mlaify/attackmap-analyzer-java-spring.git

The analyzer is auto-discovered by AttackMap via the attackmap.analyzers entry-point group.

Usage with AttackMap

# Auto-discovered when installed:
attackmap analyze /path/to/spring/repo

# Or invoke explicitly:
attackmap analyze /path/to/spring/repo --module java-spring

Detection

detect() returns true when any of the following are present, ignoring target/, build/, .gradle/, .mvn/, .idea/, .git/, out/, bin/, and node_modules/:

  • pom.xml, build.gradle, build.gradle.kts, settings.gradle, or settings.gradle.kts at the root
  • .java, .kt, or .kts files anywhere in the tree

Coverage notes

  • Class-level @RequestMapping prefix joining: a class annotated with @RequestMapping("/api/users") causes its method-level @GetMapping("/{id}") to emit as /api/users/{id}. Multiple classes in one file are tracked correctly — the prefix in effect is whichever class declaration most recently preceded the method annotation.
  • @PostMapping with no value (e.g. @PostMapping public Object create()) is not currently extracted — the regex requires a string argument. Workaround: write @PostMapping("") or @PostMapping("/"). Extracting the bare form is on the roadmap.
  • JAX-RS class + method @Path joining: the first @Path in a JAX-RS file is treated as the class-level prefix and joined to subsequent method-level @Path annotations. The HTTP verb (@GET, @POST, etc.) is captured by looking ahead from the @Path for the next verb annotation within ~800 chars.
  • Kotlin Ktor: routing { get("/x") { ... } } extraction only fires when the file contains an io.ktor import or ktor.server.routing reference, to avoid mis-attributing get(...) calls on Maps and other types.
  • Javalin and Micronaut are similarly framework-gated.
  • OkHttp / java.net.http.HttpClient: literal-URL builder patterns (new Request.Builder().url("https://..."), HttpRequest.newBuilder(URI.create("https://..."))) are picked up. Calls where the URL is built by string concatenation are not.
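As an added illustration of the two Spring MVC notes above (class-level prefix joining across multiple classes in one file, and the bare @PostMapping gap), here is a small single-pass extractor written for this page; it is not the plugin's own code, and the controller source it scans is constructed. It assumes @RequestMapping carries a plain string argument (the value = "..." form is out of scope) and that any @RequestMapping is class-level.

```python
import re

# Constructed sample (not from the project): two controllers in one file, so the
# class-level prefix in effect must come from the most recent class declaration.
SAMPLE_JAVA = """\
@RequestMapping("/api/users")
public class UserController {
    @GetMapping("/{id}")
    public User get(@PathVariable long id) { return null; }

    @PostMapping
    public User create() { return null; }
}

@RequestMapping("/api/orders")
public class OrderController {
    @DeleteMapping("/{id}")
    public void remove(@PathVariable long id) { }
}
"""

# One pass in source order. @RequestMapping("...") becomes a pending prefix; the next
# 'class X' declaration makes it the prefix in effect. Method mappings must carry a
# string argument, so a bare @PostMapping (no parentheses) never matches: this is the
# documented gap, and the route is silently absent from the output.
TOKEN_RE = re.compile(
    r'@RequestMapping\(\s*"(?P<prefix>[^"]*)"\s*\)'
    r'|\bclass\s+(?P<cls>\w+)'
    r'|@(?P<verb>Get|Post|Put|Delete|Patch)Mapping\(\s*"(?P<path>[^"]*)"\s*\)'
)


def join_path(prefix: str, path: str) -> str:
    """Join '/api/users' + '/{id}' -> '/api/users/{id}' without doubled slashes."""
    parts = [p.strip("/") for p in (prefix, path) if p.strip("/")]
    return "/" + "/".join(parts)


def extract_routes(src: str) -> list[tuple[str, str, int]]:
    """Return (HTTP verb, joined path, 1-based line) for each method-level mapping."""
    routes, prefix, pending = [], "", ""
    for m in TOKEN_RE.finditer(src):
        if m.group("prefix") is not None:
            pending = m.group("prefix")              # hold until the class keyword
        elif m.group("cls"):
            prefix, pending = pending, ""            # new class: its prefix takes effect
        else:
            line = src.count("\n", 0, m.start()) + 1  # line number for Signal v2 evidence
            routes.append((m.group("verb").upper(), join_path(prefix, m.group("path")), line))
    return routes
```

Running extract_routes(SAMPLE_JAVA) yields GET /api/users/{id} at line 3 and DELETE /api/orders/{id} at line 12; the POST route is missing exactly as the note describes, which is why a coverage check should diff emitted routes against a count of *Mapping annotations.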

License

MIT

Download files

Source Distribution

attackmap_analyzer_java_spring-0.1.0.tar.gz (16.5 kB)

Built Distribution

attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl (12.3 kB)

File details

Details for the file attackmap_analyzer_java_spring-0.1.0.tar.gz.

File metadata

File hashes

Hashes for attackmap_analyzer_java_spring-0.1.0.tar.gz
Algorithm Hash digest
SHA256 19c0ce351238f42aeb18c45586f010d3c3b6e6461ff306aafa1bc6f29dbada28
MD5 85093a8f43a789852a84e671f5731bd3
BLAKE2b-256 a7fe5042dcbe8a942a145802f4e33f0f02355968dfdee5a47c6bd9193df002e1

Provenance

The following attestation bundles were made for attackmap_analyzer_java_spring-0.1.0.tar.gz:

Publisher: release.yml on mlaify/attackmap-analyzer-java-spring

File details

Details for the file attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 895e906c833907269907b8e7d598a0b67c95dd4a6ff59f3279f499340b5bb691
MD5 b0faebd0f7514cb299cceaaba1cca54d
BLAKE2b-256 875883a8a345c8b3e5c4b61e4655a287b28a8dc0fbf3bdaecfbc10a50896f060

Provenance

The following attestation bundles were made for attackmap_analyzer_java_spring-0.1.0-py3-none-any.whl:

Publisher: release.yml on mlaify/attackmap-analyzer-java-spring
