rch.security.vulas.lang-java.3.1.12.source-code.vulas-java.properties Maven / Gradle / Ivy
#
# This file is part of Eclipse Steady.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved.
#
########## vulas:app/bom
# Number of worker threads performing Java archive (JAR, WAR, AAR) analysis tasks
vulas.core.jarAnalysis.poolSize = 4
# Timeout (in milliseconds) after which remaining analysis tasks will be cancelled
# Default: -1 (no timeout)
#vulas.core.jarAnalysis.timeout = -1
# Package prefix(es) of application code (multiple values to be separated by comma)
# Default:
# CLI: -
# Note: Ignored when running the Maven plugin. In all other cases it avoids the separation of application and dependency JARs into distinct folders
#vulas.core.app.appPrefixes =
# Regex that identifies JARs with application code (multiple values to be separated by comma)
# Default:
# CLI: -
# Note: Ignored when running the Maven plugin. In all other cases it avoids the separation of application and dependency JARs into distinct folders
#vulas.core.app.appJarNames =
########## Instrumentation (static/dynamic), data collection and data upload at test time (vulas:instr, vulas:test)
# Byte code instrumentor(s) to be used (multiple ones to be separated by comma)
#
# Possible values:
# com.sap.psr.vulas.monitor.trace.SingleTraceInstrumentor: Collects exactly one timestamp for every invoked vulnerable method (no call stack)
# com.sap.psr.vulas.monitor.trace.SingleStackTraceInstrumentor: Collects at most "vulas.core.instr.maxStacktraces" call stack for every invoked vulnerable method
# com.sap.psr.vulas.monitor.trace.StackTraceInstrumentor: Collects all call stacks for every invoked vulnerable method
# com.sap.psr.vulas.monitor.touch.TouchPointInstrumentor: Collects so-called touch points, i.e., calls from an app method to a library method
# com.sap.psr.vulas.monitor.slice.SliceInstrumentor: Modifies executable constructs such that, upon execution, a warning will be printed to stderr. The execution can be entirely prevented using a configuration setting
#
# Default: com.sap.psr.vulas.monitor.trace.SingleTraceInstrumentor
#
# Note:
# The above list of possible values is ordered ascending after performance impact and memory consumption,
# i.e., the SingleTraceInstrumentor has the least impact on performance and memory consumption
vulas.core.instr.instrumentorsChoosen = com.sap.psr.vulas.monitor.trace.SingleTraceInstrumentor
# Max. number of stacktraces collected per instrumented vulnerable method
# Default: 10
# Note: Only applies to SingleStackTraceInstrumentor
vulas.core.instr.maxStacktraces = 10
# JARs in the following directories (or its subdirs) will not be instrumented
#vulas.core.instr.blacklist.dirs =
# Constructs of dependencies having one of the following scope(s) will not be instrumented (multiple ones to be separated by comma)
# Default: test, provided
# Note: Only applies to Vulas Maven plugin; in case of Vulas CLI, all dependencies have scope RUNTIME
vulas.core.instr.blacklist.jars.ignoreScopes = test, provided
# Constructs of dependencies whose filename matches one of the following regular expressions will not be instrumented (multiple ones to be separated by comma)
# Default: lang-java-.*\.jar,vulas-core-.*\.jar,surefire-.*\.jar,junit-.*\.jar
vulas.core.instr.blacklist.jars = lang-java-.*\.jar,surefire-.*\.jar,junit-.*\.jar,org.jacoco.agent.*\.jar
# User-provided blacklist: Constructs of dependencies whose filename matches one of the following regular expressions will not be instrumented (multiple ones to be separated by comma)
# Default: -
# Note: Those are on top of "vulas.core.instr.blacklist.jars"
vulas.core.instr.blacklist.jars.custom =
# Java packages from the JRE whose constructs are not instrumented (multiple ones to be separated by comma)
# Default: java.,sun.,com.sun.,org.xml.,org.ietf.,org.jcp.,org.omg.
vulas.core.instr.blacklist.classes.jre = java.,sun.,com.sun.,org.xml.,org.ietf.,org.jcp.,org.omg.
# Other Java packages whose constructs are not instrumented (e.g., from an app container or the JUnit framework) (multiple ones to be separated by comma)
# Default: org.apache.maven.surefire,org.junit,com.sap.psr.vulas,javassist.,org.apache.commons.logging.,org.apache.log4j.,com.fasterxml.jackson.
# Note: "org.apache.juli", "org.apache.tomcat", "org.apache.catalina" or relevant in the context of Tomcat instrumentation
vulas.core.instr.blacklist.classes = org.apache.maven.surefire,org.junit,com.sap.psr.vulas,javassist.,org.apache.commons.logging.,org.apache.log4j.,com.fasterxml.jackson.,org.jacoco.
# User-provided Java packages whose constructs are not instrumented (multiple ones to be separated by comma)
# Default: -
# Note: Those are on top of "vulas.core.instr.blacklist.classes.jre" and "vulas.core.instr.blacklist.classes"
vulas.core.instr.blacklist.classes.custom =
# Classes loaded from any of the following classloaders are not instrumented (comma-separated)
vulas.core.instr.blacklist.classloader = sun.reflect.DelegatingClassLoader,javax.management.remote.rmi.NoCallStackClassLoader,org.powermock.core.classloader.MockClassLoader
# Accept classes loaded by childs of the above classloader
# Default: true
vulas.core.instr.whitelist.classloader.acceptChilds = true
# If true, bytecode and instrumentation code will be written to tmpDir
vulas.core.instr.writeCode = false
# If true, the workspace will be included in the configuration of rewritten WAR files
# This can be useful if the setting cannot be passed as system property when starting the container
# Default: true
vulas.core.instr.static.inclSpace = true
# If true, the backend URL will be included in the configuration of rewritten WAR files
# This can be useful if the setting cannot be passed as system property when starting the container
# Default: true
vulas.core.instr.static.inclBackendUrl = true
# The member fields added to instrumented classes will be annotated with the given annotations
# Default: -
# Example: javax.persistence.Transient (to prevent issues with OR mappers)
# Note: Make sure that the respective classes are present at runtime
vulas.core.instr.fieldAnnotations =
# A whitelist of construct IDs to be instrumented by the SliceInstrumentor
# Default: -
#vulas.core.instr.slice.whitelist
# A blacklist of construct IDs NOT to be instrumented by the SliceInstrumentor
# Default: -
#vulas.core.instr.slice.blacklist
# Determines the default behavior of the guarding condition added by the SliceInstrumentor
# Possible values: true, false
# Default: true
vulas.core.instr.slice.guardOpen = true
# JARs for which no traces and no archive information will be uploaded (e.g., from Vulas itself)
# Multiple entries are separated by comma, each entry is a regex
vulas.core.monitor.blacklist.jars = lang-java-.*\.jar,surefire-.*\.jar,junit-.*\.jar,org.jacoco.agent.*\.jar
# Enables or disables the periodic upload of collected traces to the backend
# Default: true
# Note: Set to FALSE in case of JUnit tests
vulas.core.monitor.periodicUpload.enabled = true
# Interval (in millisecs) between periodic uploads
# Default: 300000 (5 min)
vulas.core.monitor.periodicUpload.interval = 300000
# Max. number of traces uploaded by each periodic upload
# Default: 1000
vulas.core.monitor.periodicUpload.batchSize = 1000
# Max number of items (traces, paths, touch points, etc.) collected
# Default: -1 (no limit)
vulas.core.monitor.maxItems = -1© 2015 - 2024 Weber Informatics LLC | Privacy Policy