Ant Tasks

Introduction

To enable Apache Ant to run a Xanitizer security analysis while building an application, the Xanitizer installation contains the following Ant tasks:

- Run Security Analysis
- Create Report
- Create Snapshot
- Export Project
- Install License File
- Update OWASP Dependency Check Repository

Please note that the “create snapshot” task has to be executed after all “create report” tasks to show differences between the current version and the latest snapshot for trend monitoring in the reports. The “export project” task has to be executed after the “create snapshot” task so that the exported archive contains the snapshot, too.

Compatibility

                                           Xanitizer Version
Task                                       ≥ 4.3.1    4.3    < 4.3
Run Security Analysis                      ✓          ✓      ✓
Create Report                              ✓          ✓      -
Create Snapshot                            ✓          ✓      -
Export Project                             ✓          ✓      -
Update OWASP Dependency Check Repository   ✓          ✓      -
Install License File                       ✓          -      -

Download and Installation

The Xanitizer Ant tasks are part of the Xanitizer installation itself and no further download is necessary.

In order to use the Ant tasks, Xanitizer must be installed on the respective machine.

Run Security Analysis Task

This task runs a Xanitizer security analysis followed by the optional steps “export project”, “create report”, and “create snapshot”. The security analysis can either be run for a specific Xanitizer configuration file or for a root directory with a default configuration.

In order to use the Ant task, Xanitizer must be installed on the respective machine. The Ant build file must contain a <taskdef> element similar to the following:

<taskdef name="runSecurityAnalysisTask" classname="com.rigsit.xanitizer.ant.RunSecurityAnalysisTask">
    <classpath>
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </classpath>
</taskdef>

where the ${install.dir} property must contain the Xanitizer installation directory.

When the task definition is specified, the task can be invoked like this:

<runSecurityAnalysisTask
    installDir="${install.dir}"
    logLevel=""
    licenseServerRetryCount=""
    proxyServer=""
    proxyPort=""
    proxyUser=""
    proxyPassword=""
    configFile=""
    projectDataDirectory=""
    overviewReportOutputfile=""
    findingsListReportOutputfile=""
    onlyProblemsInFindingsListReport=""
    generateDetailsInFindingsListReport=""
    newFindingsRating=""
    findingsRating=""
    haltOnMissingSearchPaths=""
    haltOnNewFindings=""
    haltOnFindings=""
    missingSearchPathsProperty=""
    newFindingsProperty=""
    findingsProperty=""
    createSnapshot=""
    snapshotComment=""
    exportDirectory=""
    exportPassphrase=""
/>

Instead of literal argument values, the parameter values can of course also be specified via property references.

A description of the parameters can be found in the Parameters section below.

Create Report Ant Task

This task generates reports for the results of a previous Xanitizer security analysis.

In order to use the Ant task, Xanitizer must be installed on the respective machine. The Ant build file must contain a <taskdef> element similar to the following:

<taskdef name="createReportTask" classname="com.rigsit.xanitizer.ant.CreateReportTask">
    <classpath>
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </classpath>
</taskdef>

where the ${install.dir} property must contain the Xanitizer installation directory.

When the task definition is specified, the task can be invoked like this:

<createReportTask
    installDir="${install.dir}"
    logLevel=""
    licenseServerRetryCount=""
    proxyServer=""
    proxyPort=""
    proxyUser=""
    proxyPassword=""
    configFile=""
    projectDataDirectory=""
    overviewReportOutputfile=""
    findingsListReportOutputfile=""
    onlyProblemsInFindingsListReport=""
    generateDetailsInFindingsListReport=""
/>

Instead of literal argument values, the parameter values can of course also be specified via property references.

A description of the parameters can be found in the Parameters section below.

Create Snapshot Ant Task

This task creates a new snapshot of a Xanitizer project. Xanitizer can keep analysis results in a so-called snapshot and is thus able to compare results for different versions.

In order to use the Ant task, Xanitizer must be installed on the respective machine. The Ant build file must contain a <taskdef> element similar to the following:

<taskdef name="createSnapshotTask" classname="com.rigsit.xanitizer.ant.CreateSnapshotTask">
    <classpath>
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </classpath>
</taskdef>

where the ${install.dir} property must contain the Xanitizer installation directory.

When the task definition is specified, the task can be invoked like this:

<createSnapshotTask
    installDir="${install.dir}"
    logLevel=""
    licenseServerRetryCount=""
    proxyServer=""
    proxyPort=""
    proxyUser=""
    proxyPassword=""
    configFile=""
    snapshotComment="${snapshot.comment}"
/>

Instead of literal argument values, the parameter values can of course also be specified via property references.

A description of the parameters can be found in the Parameters section below.

Export Project Ant Task

This task exports the whole Xanitizer project with all snapshots and security analysis results as an optionally password protected single zip archive. This archive can be imported on another machine or by another user.

In order to use the Ant task, Xanitizer must be installed on the respective machine. The Ant build file must contain a <taskdef> element similar to the following:

<taskdef name="exportProjectTask" classname="com.rigsit.xanitizer.ant.ExportProjectTask">
    <classpath>
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </classpath>
</taskdef>

where the ${install.dir} property must contain the Xanitizer installation directory.

When the task definition is specified, the task can be invoked like this:

<exportProjectTask
    installDir="${install.dir}"
    logLevel=""
    licenseServerRetryCount=""
    proxyServer=""
    proxyPort=""
    proxyUser=""
    proxyPassword=""
    configFile=""
    exportDirectory=""
    exportPassphrase=""
/>

Instead of literal argument values, the parameter values can of course also be specified via property references.

A description of the parameters can be found in the Parameters section below.

Install License File Ant Task

This task installs or updates a license file to run Xanitizer. If the license is a floating license and a proxy server is necessary to access the license server, please specify the proxy server settings for each Ant task. If no settings are specified, the settings from the Xanitizer properties file will be used.

In order to use the Ant task, Xanitizer must be installed on the respective machine. The Ant build file must contain a <taskdef> element similar to the following:

<taskdef name="installLicenseFileTask" classname="com.rigsit.xanitizer.ant.InstallLicenseFileTask">
    <classpath>
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </classpath>
</taskdef>

where the ${install.dir} property must contain the Xanitizer installation directory.

When the task definition is specified, the task can be invoked like this:

<installLicenseFileTask
    installDir="${install.dir}"
    logLevel=""
    licenseServerRetryCount=""
    proxyServer=""
    proxyPort=""
    proxyUser=""
    proxyPassword=""
    licenseFile=""
/>

Instead of literal argument values, the parameter values can of course also be specified via property references.

A description of the parameters can be found in the Parameters section below.

Update OWASP Dependency Check Repository Ant Task

The OWASP Dependency Check is based on vulnerability data stored in a local repository. It is recommended to update the local OWASP Dependency Check repository on a regular basis. To update the repository, the task needs remote access to the National Vulnerability Database (NIST). If a proxy server is used to access the internet, please specify the proxy server settings. If no settings are specified, the settings from the Xanitizer properties file will be used.

In order to use the Ant task, Xanitizer must be installed on the respective machine. The Ant build file must contain a <taskdef> element similar to the following:

<!-- The task name is freely chosen. The class name of the update task is not given on this page;
     replace the placeholder with the class found in the com.rigsit.xanitizer.ant*.jar of your installation. -->
<taskdef name="updateDependencyCheckRepositoryTask" classname="com.rigsit.xanitizer.ant.UPDATE_DEPENDENCY_CHECK_REPOSITORY_TASK_CLASS">
    <classpath>
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </classpath>
</taskdef>

where the ${install.dir} property must contain the Xanitizer installation directory.

When the task definition is specified, the task can be invoked like this:

<updateDependencyCheckRepositoryTask
    installDir="${install.dir}"
    logLevel=""
    licenseServerRetryCount=""
    proxyServer=""
    proxyPort=""
    proxyUser=""
    proxyPassword=""
/>

Instead of literal argument values, the parameter values can of course also be specified via property references.

A description of the parameters can be found in the Parameters section below.

Parameters

There are the following parameters for the Xanitizer Ant tasks:

Each entry gives the parameter name, its default value in parentheses, and a description.

installDir (default: <empty>)
    The Xanitizer installation directory where the Ant task can find the necessary Xanitizer command line application.

configFile (default: <empty>)
    The path to the Xanitizer configuration file of the project that should be analyzed.
    Either this parameter or the parameter 'rootDirectory' must be specified, but not both.

rootDirectory (default: <empty>)
    The root directory, to be used for default set-ups.
    Either this parameter or the parameter 'configFile' must be specified, but not both.

projectName (default: <empty>)
    The project name that should be used.
    Only relevant if the parameter 'rootDirectory' is specified.
    If not given, the simple name of the root directory is used.

configFileDirectory (default: <empty>)
    The directory in which the generated configuration file is put.
    Only relevant if the parameter 'rootDirectory' is specified.
    If not given, the configuration file is generated in a subdirectory of the user's .Xanitizer directory.

overwriteConfigFile (default: false)
    Boolean flag specifying whether an existing configuration file is to be overwritten.
    Only relevant if the parameter 'rootDirectory' is specified.

projectDataDirectory (default: <empty>)
    Xanitizer's project data directory, if it is not the default one in <HOME>/.Xanitizer or the one specified in that default directory.

createSnapshot (default: false)
    Boolean flag specifying whether a snapshot should be created after parsing and analyzing the current version.

snapshotComment (default: <empty>)
    Optional comment added to the newly created snapshot.
    Only relevant if the parameter 'createSnapshot' is true.

overviewReportOutputFile (default: <empty>)
    The output location of the overview report.
    This has to be a file; leave the parameter undefined or empty if no overview report should be written.
    Allowed file extensions are: PDF, HTML, DOCX.

findingsListReportOutputFile (default: <empty>)
    The output location of the findings list report.
    This has to be a file; leave the parameter undefined or empty if no findings list report should be written.
    Allowed file extensions are: PDF, HTML, DOCX, XML, CSV.

onlyProblemsInFindingsListReport (default: false)
    Boolean flag specifying whether only findings with problem classifications are written to the findings list report.

generateDetailsInFindingsListReport (default: false)
    Boolean flag specifying whether all the details of a finding are written to the findings list report.
    Note: Only relevant if the file extension of the parameter 'findingsListReportOutputFile' is XML or HTML.

exportDirectory (default: <empty>)
    The output directory of the project export.
    Note: If the parameter is undefined or an empty string, the project is not exported.

exportPassphrase (default: <empty>)
    The pass phrase for the project export.
    The parameter is only used if an export directory is set.
    If the parameter is not set or empty, the exported project is not encrypted.

haltOnMissingSearchPaths (default: false)
    Boolean flag specifying whether the task should fail if there are search paths configured that do not exist anymore.

missingSearchPathsProperty (default: <empty>)
    An optional property name into which a boolean value is stored telling whether some search path was missing during the analysis.
    Note: This parameter is only relevant if 'haltOnMissingSearchPaths' is false, because otherwise the Ant run would stop as soon as the condition is fulfilled during the Xanitizer run.

haltOnNewFindings (default: false)
    Boolean flag specifying whether the task should fail if there are *NEW* findings with a rating equal to or higher than the value defined for newFindingsRating.

newFindingsRatingThreshold (default: 5)
    A rating value. Only used if haltOnNewFindings is set.

newFindingsProperty (default: <empty>)
    An optional property name into which a boolean value is stored telling whether some new critical finding was found during the analysis.
    Note: This parameter is only relevant if 'haltOnNewFindings' is false, because otherwise the Ant run would stop as soon as the condition is fulfilled during the Xanitizer run.

haltOnFindings (default: false)
    Boolean flag specifying whether the task should fail if there are findings with a rating equal to or higher than the value defined for findingsRating.

findingsRatingThreshold (default: 5)
    A rating value. Only used if haltOnFindings is set.

findingsProperty (default: <empty>)
    An optional property name into which a boolean value is stored telling whether some critical finding was found during the analysis.
    Note: This parameter is only relevant if 'haltOnFindings' is false, because otherwise the Ant run would stop as soon as the condition is fulfilled during the Xanitizer run.

licenseFile (default: <empty>)
    The path to the Xanitizer license file.
    Note: If the license is a floating license and a proxy server is used to access the license server, please specify the proxy server settings.
    If no settings are specified, the settings from the Xanitizer properties file will be used.

proxyServer (default: <empty>)
    Optional proxy server used to access the internet, either to update the OWASP Dependency Check repository or to request a license token from the public license server in case of a floating license.
    Note: If no settings are specified, the settings from the Xanitizer properties file will be used.

proxyPort (default: -1)
    Optional proxy server port to access the National Vulnerability Database (NIST) to update the OWASP Dependency Check repository via a proxy.

proxyUser (default: <empty>)
    Optional proxy server user name to access the National Vulnerability Database (NIST) to update the OWASP Dependency Check repository via a proxy.

proxyPassword (default: <empty>)
    Optional proxy server user password to access the National Vulnerability Database (NIST) to update the OWASP Dependency Check repository via a proxy.

logLevel (default: INFO)
    The logging level to be used when running Xanitizer.
    Values: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.

licenseServerRetryCount (default: 0)
    Number of attempts to get a license token from the license server.
    Note: If the Xanitizer license in use is a machine-bound license, this parameter is ignored.
    If it is a floating license, it may happen that all tokens are in use or that the connection to the license server is not available at startup. In such cases no license token can be requested successfully from the license server to start Xanitizer, and the headless process would terminate with a license error.
    If this parameter is set to a value greater than zero, Xanitizer attempts every minute to request a license token until the specified count has been reached.
    Setting this parameter to zero disables the repetition.
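The task order required in the Introduction (all reports, then the snapshot, then the export) combined with the haltOn*/property gate parameters from the table above in one Ant build file. This is an added example, not a build script shipped with Xanitizer: the installation path, configuration file path, output directory and xan.* property names are assumptions, the attribute names follow the invocation listings above, and the export task class is taken as ExportProjectTask.

```xml
<!-- Added example build file. The installation path, configuration file path, output
     directory and xan.* property names are assumptions, not values from Xanitizer. -->
<project name="xanitizer-ci" default="security-gate" basedir=".">
    <property name="install.dir" location="/opt/xanitizer"/>
    <property name="xan.config"  location="${basedir}/security/myapp-xanitizer-config.xml"/>
    <property name="xan.out"     location="${basedir}/build/xanitizer"/>

    <!-- One shared classpath for all Xanitizer tasks instead of repeating the fileset. -->
    <path id="xanitizer.classpath">
        <fileset dir="${install.dir}/plugins"
            includes="com.rigsit.xanitizer.ant*.jar, com.rigsit.xanitizer.headless.util*.jar"/>
    </path>
    <taskdef name="runSecurityAnalysisTask" classpathref="xanitizer.classpath"
             classname="com.rigsit.xanitizer.ant.RunSecurityAnalysisTask"/>
    <taskdef name="createReportTask" classpathref="xanitizer.classpath"
             classname="com.rigsit.xanitizer.ant.CreateReportTask"/>
    <taskdef name="createSnapshotTask" classpathref="xanitizer.classpath"
             classname="com.rigsit.xanitizer.ant.CreateSnapshotTask"/>
    <taskdef name="exportProjectTask" classpathref="xanitizer.classpath"
             classname="com.rigsit.xanitizer.ant.ExportProjectTask"/>

    <!-- 1. Analysis. haltOn* stays false so reports, snapshot and export are still produced
            for a failing build; the gate result is recorded in properties instead. The
            default rating threshold (5) applies to both findings checks. -->
    <target name="analyze">
        <mkdir dir="${xan.out}"/>
        <runSecurityAnalysisTask installDir="${install.dir}" configFile="${xan.config}"
            logLevel="INFO" licenseServerRetryCount="5"
            haltOnMissingSearchPaths="true"
            haltOnNewFindings="false" newFindingsProperty="xan.new.findings"
            haltOnFindings="false"    findingsProperty="xan.findings"/>
    </target>

    <!-- 2. Reports before the snapshot, so the trend section compares against the latest
            snapshot. XML output keeps the per-finding details machine-readable. -->
    <target name="report" depends="analyze">
        <createReportTask installDir="${install.dir}" configFile="${xan.config}"
            overviewReportOutputfile="${xan.out}/overview.pdf"
            findingsListReportOutputfile="${xan.out}/findings.xml"
            onlyProblemsInFindingsListReport="true"
            generateDetailsInFindingsListReport="true"/>
    </target>

    <!-- 3. Snapshot after the reports; the comment records when it was taken. -->
    <target name="snapshot" depends="report">
        <tstamp/>
        <createSnapshotTask installDir="${install.dir}" configFile="${xan.config}"
            snapshotComment="CI build ${DSTAMP}-${TSTAMP}"/>
    </target>

    <!-- 4. Export after the snapshot, so the archive contains it. The passphrase comes from
            the command line (-Dxan.export.passphrase=...) and is never stored in the build
            file; without the check, the literal "${xan.export.passphrase}" would be used. -->
    <target name="export" depends="snapshot">
        <fail unless="xan.export.passphrase" message="xan.export.passphrase is not set"/>
        <exportProjectTask installDir="${install.dir}" configFile="${xan.config}"
            exportDirectory="${xan.out}/export"
            exportPassphrase="${xan.export.passphrase}"/>
    </target>

    <!-- 5. Gate last: fail the build only after all artifacts above exist. -->
    <target name="security-gate" depends="export">
        <fail message="New findings at or above the rating threshold, see ${xan.out}/findings.xml">
            <condition><istrue value="${xan.new.findings}"/></condition>
        </fail>
    </target>
</project>
```

Run it as `ant -Dxan.export.passphrase=... security-gate`; the `istrue` condition also stays false when the property was never set, so a build without findings passes the gate.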

Examples

The Xanitizer tutorial uses the OWASP WebGoat project, which is part of each Xanitizer installation. WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. The folder “scripts” of the Xanitizer installation contains some example Ant build XML files which can be used to automatically detect security vulnerabilities inside the WebGoat project.