[ https://issues.apache.org/jira/browse/CASSANDRA-14612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418839#comment-17418839 ]

Stefan Miklosovic commented on CASSANDRA-14612:
-----------------------------------------------

I updated both branches per review comments.

I do have one specific question though:

1) by default, when the db with CVEs is downloaded in build/, it is not synced 
sooner than "cveValidForHours" (1), which is 4 hours by default. So imagine a 
developer completes a patch, runs the check, all is fine and after a few hours 
she runs a build. Now the database on an agent is updated and the build fails. 
So she goes back to her branch, she runs ant dependency-check locally but it 
does not fail because the database was not updated yet. This is a rather 
hypothetical scenario which occurs only in case a new CVE was created between 
when she ran that check locally and the build in Jenkins. Even then an agent on 
Jenkins might not spot this CVE if one build is run quickly after another.

To minimise the probability this might happen, I set cveValidForHours to 1.

2) Before we merge this, we need to go through existing dependencies and figure 
out which are false positives and we need to exclude these so we get a clean 
build, and we need to update those which are obsolete or upgradeable. Otherwise, 
if we merge the related cassandra-builds patch, as of now, we would never get a 
build because there are vulnerabilities, even false positive ones. I want to 
achieve the situation where the Jenkins build / local check would fail on any 
vulnerability detected and the developer has to figure it out first if he wants 
to get a build in Jenkins. IMO this is the right approach, a rather harsh one, 
but if we do not fail it, people would quickly waive it off and move on to 
figure it out "later".

(1) https://jeremylong.github.io/DependencyCheck/dependency-check-ant/configuration.html

> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
>                 Key: CASSANDRA-14612
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14612
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Build
>         Environment: All development, build, test, environments.
>            Reporter: Albert Baker
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>              Labels: build, easyfix, security
>             Fix For: 3.11.x, 4.x
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an 
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to 
> perform a lookup for each dependent .jar to list any/all known 
> vulnerabilities for each jar. This step is needed because a manual MITRE CVE 
> lookup/check on the main component does not include checking for 
> vulnerabilities in components or in dependent libraries.
> OWASP Dependency check : 
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most 
> Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report 
> of all known vulnerabilities in any/all third party libraries/dependencies 
> that get pulled in. example : mvn -Powasp -Dtest=false -DfailIfNoTests=false 
> clean aggregate
> Generating this report nightly/weekly will help inform the project's 
> development team if any dependent libraries have reported known 
> vulnerabilities. Project teams that keep up with removing vulnerabilities on a 
> weekly basis will help protect businesses that rely on these open source 
> components.
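The two settings discussed in the comment above (a one-hour NVD sync window and failing the build on any finding, with false positives excluded through a suppression file), as an added example of a dependency-check-ant configuration. This is not Cassandra's actual build.xml or the patch under review; the target name, the `dependency-check.home` property, the jar directory, the suppression file path and the suppressed artifact are assumptions.

```xml
<!-- build.xml fragment (hypothetical target name and paths) -->
<property name="dependency-check.home" value="${build.dir}/dependency-check"/>

<target name="dependency-check" depends="build">
  <taskdef resource="dependency-check-taskdefs.properties">
    <classpath>
      <fileset dir="${dependency-check.home}/lib" includes="*.jar"/>
    </classpath>
  </taskdef>

  <!-- failBuildOnCVSS="0": any finding fails the build (point 2 above).
       cveValidForHours="1": re-sync the local CVE database after one hour
       instead of the default four, narrowing the window in which a local
       run and a Jenkins run score the same jars differently (point 1 above). -->
  <dependency-check projectName="cassandra"
                    reportOutputDirectory="${build.dir}"
                    reportFormat="ALL"
                    failBuildOnCVSS="0"
                    cveValidForHours="1">
    <!-- hypothetical path for the false-positive exclusions -->
    <suppressionFile path="${basedir}/.build/dependency-check-suppressions.xml"/>
    <fileset dir="${build.dir}/lib/jars" includes="**/*.jar"/>
  </dependency-check>
</target>

<!-- ===== .build/dependency-check-suppressions.xml (hypothetical path) ===== -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- One entry per false positive, scoped to the artifact and the CVE it
       was wrongly matched to, with a note explaining why, so the exclusion
       can be re-checked instead of silently hiding a real finding. -->
  <suppress>
    <notes><![CDATA[
      PLACEHOLDER: why this is a false positive (e.g. the CPE match is for a
      different product with the same name) and the ticket recording that.
    ]]></notes>
    <!-- constructed artifact name; CVE id is a placeholder -->
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

With `failBuildOnCVSS="0"` every unsuppressed finding stops `ant dependency-check`, so each suppression should be narrow (one artifact, one CVE) rather than a blanket exclusion of a jar.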



--
This message was sent by Atlassian Jira
(v8.3.4#803005)