Key Updated

.circleci/config.yml

@@ -0,0 +1,18 @@
+version: 2.1
+
+orbs:
+  prodsec: snyk/prodsec-orb@1.0
+
+workflows:
+  version: 2
+  CICD:
+    jobs:
+      - prodsec/secrets-scan:
+          name: Scan repository for secrets
+          context:
+            - snyk-bot-slack
+          channel: os-team-managed-alerts
+          filters:
+            branches:
+              ignore:
+                - master

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @snyk/os-managed

.github/workflows/main.yml

@@ -0,0 +1,12 @@
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: RunSnyk to check for vulnerabilities
+        uses: snyk/actions/maven@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.gitignore

@@ -1 +1,3 @@
-target/**
+target/**
+build/**
+.gradle/**

.pre-commit-config.yaml

@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.1
+    hooks:
+      - id: gitleaks

README.md

@@ -16,14 +16,17 @@ This example is not dangerous, of course, but demonstrates the risk the vulnerab
 This vulnerability is not exploited. It demonstrates potentially vulnerable code, for which data about vulnerable functions
 is not available.
 
-## How to run the demo
+## How to run the demo (Maven)
 1. Checkout this repository (`git checkout git@github.com:snyk/java-reachability-playground.git`)
 2. Install all the dependencies (`mvn install`)
 3. Compile the project (`mvn compile`)
 4. Run the main class (`mvn exec:java -Dexec.mainClass=Unzipper`); the application should throw an exception saying `Malicious file /tmp/evil.txt was created`.
 5. Run snyk command with Reachable Vulnerabilities flag (`snyk test --reachable` or `snyk monitor --reachable`); you should see the vulnerability `SNYK-JAVA-ORGND4J-72550` marked as reachable
 and the function call path to the vulnerability
 
+## For Gradle 
+1. Make sure you build the artifacts with `./gradlew build`
+2. To see test results run `snyk test --file=build.gradle --reachable` or monitor: `snyk monitor --file=build.gradle --reachable`
 ---
 
 *Note: Once the java application is run, `malicious_file.zip` will be deleted by it. To run it again, run `git checkout .` prior

build.gradle

@@ -0,0 +1,32 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ */
+
+plugins {
+    id 'java'
+    id 'maven-publish'
+}
+
+repositories {
+    mavenLocal()
+    maven {
+        url = uri('http://repo.maven.apache.org/maven2')
+    }
+}
+
+dependencies {
+    implementation 'commons-collections:commons-collections:3.2.1'
+    implementation 'org.nd4j:nd4j-common:1.0.0-beta2'
+}
+
+group = 'org.example'
+version = '1.0-SNAPSHOT'
+sourceCompatibility = '1.8'
+
+publishing {
+    publications {
+        maven(MavenPublication) {
+            from(components.java)
+        }
+    }
+}

catalog-info.yaml

@@ -0,0 +1,8 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: java-reachability-playground
+spec:
+  type: intentionally-vulnerable
+  lifecycle: "-"
+  owner: os-managed

gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.6.1-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

pom.xml

@@ -15,7 +15,7 @@
         <dependency>
             <groupId>commons-collections</groupId>
             <artifactId>commons-collections</artifactId>
-            <version>3.2.1</version>
+            <version>3.2.2</version>
         </dependency>
         <dependency>
             <groupId>org.nd4j</groupId>