Monday, December 22, 2025

Java Vulnerability Scan

To get the list of vulnerable dependencies, including transitive dependencies, an SBOM of the project has to be generated first. Grype is then run against that SBOM to find the vulnerabilities; it reports nothing the SBOM does not list, so the SBOM must be complete.

1. Install Grype Vulnerability Scanner

Download Grype for your OS from the link below and verify the download against the checksums file published alongside the release:

https://github.com/anchore/grype/releases

2. Generate the SBOM (Software Bill of Materials) as a JSON or XML file. The SBOM lists the transitive dependencies as well as the direct ones, which is what makes the scan complete.

Generate the SBOM from the command line (this writes target/bom.json and target/bom.xml):

mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom

Or, to generate the SBOM at build time, add the plugin below to pom.xml. The goal has to be bound to a lifecycle phase through an <executions> block; a plugin that is only declared is configured but never runs during mvn package. Note that with the outputName used here the file is written to target/<artifactId>.cdx.sbom.json rather than target/bom.json.

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.8.2</version>
    <executions>
        <execution>
            <!-- bind makeBom to the package phase so every build produces an SBOM -->
            <phase>package</phase>
            <goals>
                <goal>makeBom</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.5</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <!-- the scope flags decide which dependencies land in the SBOM, and therefore which ones Grype sees -->
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>false</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>false</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputReactorProjects>true</outputReactorProjects>
        <outputFormat>json</outputFormat>
        <outputName>${project.artifactId}.cdx.sbom</outputName>
        <outputDirectory>${project.build.directory}</outputDirectory>
        <verbose>false</verbose>
    </configuration>
</plugin>

3. Go to the folder where Grype was extracted and run the command below (Windows version). The sbom: prefix tells Grype to treat the file as an SBOM rather than a directory or image to catalogue:

 .\grype.exe sbom:<app_folder>\target\bom.json

bom.json is the file produced by the mvn command above; if you used the pom.xml configuration instead, point Grype at target/<artifactId>.cdx.sbom.json. On first run Grype downloads its vulnerability database (grype db update refreshes it later), so the machine needs outbound access or a pre-staged database.

The output lists every matched vulnerability with the affected package and version, its severity, and the version in which the CVE is fixed when a fix exists. For a CI gate, add -o json for machine-readable output, --only-fixed to show only findings that can be resolved by upgrading, and --fail-on high (or critical) to make Grype exit non-zero on findings at or above that severity.
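A policy gate over Grype's JSON output, added here as an example; it is not part of the original post or of Grype. It assumes the report was produced with grype -o json sbom:target/bom.json > target/grype.json and uses only the matches[].vulnerability.{id,severity,fix} and matches[].artifact.{name,version} fields of that format. The embedded report, its CVE ids and package names are constructed placeholders, and the accepted-risk register is an assumed convention: a finding blocks the build when its severity meets the threshold and an upgrade exists, unless an unexpired acceptance covers it.

```python
"""Gate a build on a Grype JSON report (added example, not part of the original post).

Produce the report with:  grype -o json sbom:target/bom.json > target/grype.json
Only matches[].vulnerability.{id,severity,fix} and matches[].artifact.{name,version}
are assumed; everything else in the report is ignored.
"""
import json
import sys
from datetime import date

# Grype severity labels, ordered. A label not in this table (e.g. "Unknown")
# is treated as High so an unrated finding cannot slip through the gate.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def load_findings(report_text):
    """Flatten a Grype JSON report into one dict per (vulnerability, package) match."""
    report = json.loads(report_text)
    findings = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        fix = vuln.get("fix") or {}
        findings.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": artifact["name"],
            "version": artifact["version"],
            "fix_state": fix.get("state", "unknown"),   # fixed / not-fixed / wont-fix / unknown
            "fixed_in": fix.get("versions", []),
        })
    return findings


def evaluate(findings, min_severity="High", accepted=None, today=None):
    """Split findings into (blocking, waived, informational).

    A finding blocks when its severity is at least min_severity AND Grype knows a
    fixed version, unless an unexpired acceptance exists for (vuln id, package).
    Findings without a fix cannot be resolved by upgrading, so they are reported
    but do not fail the build.
    """
    accepted = accepted or {}
    today = today or date.today()
    threshold = SEVERITY_RANK[min_severity]
    blocking, waived, informational = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["High"])
        if rank < threshold or f["fix_state"] != "fixed":
            informational.append(f)
            continue
        expiry = accepted.get((f["id"], f["package"]))
        if expiry is not None and expiry >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return blocking, waived, informational


def describe(f):
    fixed = ", ".join(f["fixed_in"]) or "no fix"
    return f'{f["id"]} {f["severity"]:<8} {f["package"]}@{f["version"]} -> fix: {fixed}'


# Constructed sample report in Grype's JSON shape; ids and package names are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["2.17.1"], "state": "fixed"}},
     "artifact": {"name": "example-logging", "version": "2.14.1"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": ["1.33"], "state": "fixed"}},
     "artifact": {"name": "example-yaml", "version": "1.29"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-http", "version": "4.5.13"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                       "fix": {"versions": ["3.2.0"], "state": "fixed"}},
     "artifact": {"name": "example-json", "version": "3.1.9"}},
]})

# Assumed accepted-risk register: (vuln id, package) -> date the acceptance expires.
ACCEPTED = {("CVE-0000-0002", "example-yaml"): date(2099, 1, 1)}


def gate(report_text, accepted=ACCEPTED, min_severity="High"):
    """Return the process exit code for a report: 0 if nothing blocks, 1 otherwise."""
    blocking, waived, informational = evaluate(load_findings(report_text), min_severity, accepted)
    for label, group in (("BLOCK", blocking), ("WAIVED", waived), ("INFO", informational)):
        for f in group:
            print(f"{label:<7}{describe(f)}")
    return 1 if blocking else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

Run it as python grype_gate.py target/grype.json in the pipeline step after Grype; with no argument it evaluates the embedded sample, where the Critical finding blocks, the High one is waived by the register, and the unfixed High and the Medium are listed for information only. Acceptances expire on purpose, so a waiver has to be renewed consciously rather than living forever in the build.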


Links:

https://edu.chainguard.dev/chainguard/chainguard-images/staying-secure/working-with-scanners/grype-tutorial/

https://www.chainguard.dev/unchained/why-chainguard-uses-grype-as-its-first-line-of-defense-for-cves


Tuesday, July 15, 2025

How to do Sonar scan for Java Maven Project

Below are the steps to run a Sonar scan on a Maven-based Java project.

1. Install SonarQube server

2. Add the plugin below to the application's pom.xml:

   <plugin>
       <groupId>org.sonarsource.scanner.maven</groupId>
       <artifactId>sonar-maven-plugin</artifactId>
       <version>3.7.0.1746</version>
   </plugin>

3. If your application builds on JDK 8 but the SonarQube scanner requires a newer JDK, run mvn clean install with JDK 8 and then run the sonar command with JDK 17

(e.g. export JAVA_HOME=/<Corretto Path>/corretto-17 before running the sonar command)

4. Add the plugin below to pom.xml to produce the OWASP Dependency-Check report. The check goal binds to the verify phase by default, so the reports appear under target/ after mvn verify. Version 8.x relies on the legacy NVD data feeds, which have been retired, so its vulnerability database can no longer be updated; for a build that runs today use a 9.x or later release, which requires an NVD API key (supplied through the nvdApiKey configuration element, ideally from an environment variable rather than committed to the pom).

   <plugin>
       <groupId>org.owasp</groupId>
       <artifactId>dependency-check-maven</artifactId>
       <version>8.4.0</version>
       <executions>
           <execution>
               <goals>
                   <goal>check</goal>
               </goals>
           </execution>
       </executions>
       <configuration>
           <formats>
               <format>XML</format>
               <format>JSON</format>
               <format>HTML</format>
           </formats>
           <!--<outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>-->
       </configuration>
   </plugin>

5. Run the build first so the Dependency-Check reports exist, then run the sonar goal. Keep the token out of shell history and process listings: export it as an environment variable (current versions of the Sonar scanner for Maven read SONAR_TOKEN directly, in which case the -Dsonar.token flag can be dropped) or define sonar.token in a profile in ~/.m2/settings.xml, rather than typing the literal token on the command line.

export SONAR_TOKEN=<sonar_token>
mvn clean verify
mvn sonar:sonar -Dsonar.token="$SONAR_TOKEN" -Dsonar.scm.disabled=true -Dsonar.projectKey=<project key name> -Dsonar.dependencyCheck.reportPath=target/dependency-check-report.xml -Dsonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json -Dsonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html


N.B. The Dependency-Check plugin that reads these reports is installed on the SonarQube server from the Marketplace, which is visible in the Administration section of your SonarQube installation. Without it the sonar.dependencyCheck.* properties are ignored and no dependency findings appear in the project.

Friday, June 20, 2025

RabbitVCS Install in Ubuntu

First, install the dependencies by running the command below from a terminal:

sudo apt-get install python3-configobj python3-gtkspellcheck python3-svn subversion python3-dulwich python3-pygments git meld python3-tk


Install RabbitVCS with Nautilus support:

sudo apt install rabbitvcs-nautilus

Restart Nautilus:

nautilus -q


For Thunar (XFCE):

sudo apt install rabbitvcs-thunar

Then restart Thunar:

thunar -q


For Caja (MATE):

sudo apt install rabbitvcs-caja

Then restart Caja:

caja -q


Monday, January 27, 2025

Running Jobs with Jobrunr

Scheduling Distributed Jobs with JobRunr in Java

In modern application development, scheduling jobs in a distributed and scalable manner is a critical requirement. JobRunr, a modern framework for job scheduling, provides an elegant and powerful solution for scheduling background jobs in a distributed pattern using Java.

In this blog, we’ll walk through a simple use case to demonstrate how you can schedule a job to run after a specified time using JobRunr.

Setting Up JobRunr

To get started, include the necessary dependencies in your pom.xml file. Below are the Maven dependencies required for JobRunr and its integration with Jackson for serialization. Keep jackson-databind and jackson-core on the same version (the versions below differ by a patch level) and keep them current: jackson-databind deserializes the stored job data, and 2.11 is several years old, so this project is a good candidate for the SBOM and Grype scan described in the first post.

<dependency>
    <groupId>org.jobrunr</groupId>
    <artifactId>jobrunr</artifactId>
    <version>7.3.1</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.11.0</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>2.11.1</version>
</dependency>

Example Use Case: Scheduling a Delayed Job

In this example, we’ll configure JobRunr to schedule a job that executes after a 60-second delay. The job will simply print a message to the console.

Here’s the sample code:

import org.jobrunr.configuration.JobRunr;
import org.jobrunr.scheduling.JobScheduler;
import org.jobrunr.storage.InMemoryStorageProvider;

import java.time.Instant;

public class JobRunrExample {

    public static void main(String[] args) {
        // Configure JobRunr with an in-memory storage provider and start a
        // background job server in this JVM to execute the stored jobs
        JobScheduler jobScheduler = JobRunr.configure()
                .useStorageProvider(new InMemoryStorageProvider())
                .useBackgroundJobServer()
                .initialize()
                .getJobScheduler();

        // Schedule a job to run after 60 seconds; the lambda is serialized
        // into the storage provider and picked up by the background job server
        jobScheduler.schedule(Instant.now().plusSeconds(60),
            () -> System.out.println("Hello!"));
    }
}

Explanation

  1. Dependency Configuration:
    1. The jobrunr dependency provides the core functionality for scheduling jobs.
    2. The jackson-databind and jackson-core dependencies handle serialization of job details and parameters, which is what lets JobRunr store a job in the storage provider and execute it on any server in the cluster.
  2. Initialization:
    1. JobRunr.configure() sets up JobRunr, here with an in-memory storage provider, and useBackgroundJobServer() starts the component that polls the storage provider and runs the jobs.
    2. Jobs held in memory are lost when the process stops, and a second server cannot see them, so in a production environment replace the in-memory storage provider with a persistent one such as a SQL database; that is what makes execution distributed and survivable across restarts.
  3. Scheduling the Job:
    1. The schedule() method sets the instant at which the job becomes due.
    2. The job logic, in this case, is a simple System.out.println statement that prints "Hello!" after 60 seconds.

Conclusion

JobRunr simplifies the process of scheduling background tasks in Java applications, making it a great choice for distributed systems. This framework not only supports delayed job execution but also offers features like retry mechanisms, distributed execution, and integration with popular storage solutions.

