An SQL injection attack consists of insertion or "injection" of a malicious data via the SQL query input from the client to the application. In our example project we have a small Spring Boot based blog application. This application exposes an endpoint to fetch blog articles based on the author:
When we call the endpoint, we will receive:
If a class implements the Closeable interface Groovy adds the withCloseable method to the class.
The withCloseable method has a closure as argument.
The code in the closure is executed and then the implementation of the close method of the Closeable interface is invoked.
The Closeable object is passed as argument to the closure, so we can refer to it inside the closure.
In the following example we have two objects that implement the Closeable interface.
By using withCloseable we know for sure the close method is invoked after all the code in the closure is executed:
When we define a list in Asciidoctor we usually have a list item that is a paragraph.
But if we want to have a block as list item we need to add an extra element to make sure the block is parsed correctly as list item.
Because a list item starts with a . or a * at the beginning of a line and a block also is defined on the beginning of the line, we must add the extra element.
Together with the list item continuation (+) we can have a list with blocks.
In the following example we define a numbered list with three listing blocks:
PlantUML has some features that come from the underlying software to create diagrams.
Graphviz is used by PlantUML and we can use Graphviz features in our PlantUML diagrams.
For example we can align multi-line text of labels to be either center (default), left or right aligned using a Graphviz feature.
When we want to text to be center aligned we simply use the new-line character \n.
If we want to have our text left aligned we use \l instead of \n.
And to right align the text we use \r.
In the following example we have three labels that are center, left and right aligned:
Normally if we type an URL in Asciidoctor that starts with a scheme Asciidoctor knows about, the URL is turned into a hyperlink. The following schemes are recognized by Asciidoctor:
http
https
ftp
irc
mailto
Modern applications development is a mix of custom code and many pieces of open source. The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use. A study from Black Duck which covers more than 200 applications shows that 95% of the projects use open source libraries (see open source security analysis). Important side note is we only use a fraction of all the libraries imported into a project. Last couple of months some critical issues were found in Struts 2 which enabled attackers to perform a remote-code-execution through a malicious content-type. One way to track whether you are using vulnerable components is to use the OWASP Dependency-Check. This tool uses the National Vulnerability Database to search components for well known published vulnerabilities.
Let’s take a look at the well known Spring Pet Clinic project and integrate OWASP Dependency-Check, first we add the following plugin to the Maven pom.xml:
The plugin supports all kind of configuration items, in this example our build will fail if the Common Vulnerability Scoring System (CVSS) score if above 8.
CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.
If we run Dependency-Check the build will fail due to:
If we look at the report we will see the mysql connector has more than 400 CVEs and the build fails due to the CVSS score above 8 (in this case there is even a CVE with CVSS score 10). Based on this score this library should be replaced with a more up-to-date version. Because Dependency-Check offers many ways to integrate into your build pipeline it is easy to get it up-and-running. It is also possible to integrate with Sonar which makes it even more visible to your team.
From time to time you only want to run one test, one test method, one class or one package from the command-line. Or on the contrary: you want to exclude / ignore one specific test or group of tests during the build cycle. Excluding tests from the build cycle by the command line usually occurs when the following scenarios meet:
A test requires significant amount of resources (time, memory, disk space, etc.)
The run needs to be independent from the IDE (to reenact the Continuous Integration / Continuous Delivery pipeline) as some IDEs load test-dependencies on the compile-time class-path.
You have no or limited ability to change the code-base
This year marks the 10th anniversary of the Fronteers conference , held at Pathé Tuschinski in Amsterdam. A single track conference covering various topics of frontend development. The JDriven delegation this year consists of Patrick Ooteman, Auke Speksnijder and Martijn van der Wijst. Topics are: VR, Animations, Developer tools, Caching, a11y, and WebAssembly. The talks didn’t just cover javascript, CSS and HTML. Also relating subjects like writing better language, tackling imposter syndrome and Japanese culture came by. There even was a separate talk focused on emojis :) We’ll try to summarize the nicest takeaways from the past couple of days.
To start off, Niels Leenheer gives a talk about the importance of when to use and also when not to use progressive enhancement. You can imagine that a video tag can be replaced by an image for devices that don’t support the native video tag. But Youtube without videos, yeah, that won’t work at all. After the audience loudly applaudes to an image of ‘goodbye Internet Explorer’, he emphasises that browser wars are a good thing. When every browser would run on Webkit (or nowadays even Chromium), the need to make browsers better would decrease. Also he said:
IE6 was a good browser
Daring statement! But then when you think about it, at the time it could do awesome things. IE6 became a pain in the ass for developers only later, when modern browsers came around and people were still using IE6. Key takeaway of the talk: think about users, not about browsers.
From time to time you only want to run one test, one test method, one class or one package from the command-line. Or on the contrary: you want to exclude / ignore one specific test or group of tests during the build cycle. Excluding tests from the build cycle by the command line usually occurs when the following scenarios meet:
A test requires significant amount of resources (time, memory, disk space, etc.)
The run needs to be independent from the IDE (reenact the Continuous Integration / Continuous Delivery pipeline) as some IDEs load test-dependencies on the compile-time class-path.
You have no or limited ability to change the code-base
With Asciidoctor markup we can position images in our document.
We can even float images, so text can next to an image, inside only below or about the image.
We can also define multiple images to float, so the images are displayed on the same line next to each other.
Any text that follows these images is also displayed next to the images.
If we want only to have floating images, but the text starting under the images we can place the images inside an open block and assign the block the role float-group.
In the next example we first define three images that all have roles to float left.
In the second part we group these images using the role float-group, so the text will not be displayed next to the images, but under the images:
In a previous post we learned how to use data in CSV and DSV format.
Recently we can also include tab separated values (TSV) in a Asciidoctor table.
We must set the table attribute format to the value tsv.
The data can be inside the document, but also defined in an external file which we add with the include macro.
In the following example markup we have a table with inline tab separated values. A second table includes an external file with tab delimited values:
Inspired by Neal Ford’s presentation at our Change is the Only constant event I started experimenting with architectural fitness functions. An architectural fitness function provides an objective integrity assessment of some architectural characteristic(s). If you want to take a deeper dive into evolutionary architectures including fitness functions take look at Neals book: Building Evolutionary Architectures: Support Constant Change. Neal’s slides contained an example of verifying package dependencies from a Unit Test using JDepend.
In this blog post we’ll elaborate on that approach and create a Unit Test that verifies that our code complies to the chosen packaging strategies using an alternative to JDepend named code-assert. We’ll verify two types of packaging strategies; package by layer and package by feature. For a definition of these strategies please have a look at this blog from Simon Brown.
