Hi,

Thanks for the pointer, Roland. It seems there is also a Jenkins plugin. It
would be nice if that could be made available.

https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin

Cheers,

Wim


On Tue, Jan 3, 2017 at 6:03 PM, Roland Grunberg <[email protected]> wrote:

> > "*Yes*, we are distributing software with known security issues", is the
> > answer to the subject question.
>
> So much for Betteridge's law :)
>
>
> > To walk through one example, the article named org.apache.commons.fileupload
> > version 1.2.1 as being often redistributed, even though it has a known security
> > issue (CVE-2014-0050). Versions 1.0 to 3.0 had the flaw, and 1.3.1 is required
> > to avoid it. Version 1.3.2 is the most recent Apache version.
> >
> >
> > That 'fileupload' package sounded familiar so I began to look around and I
> > found that in the Platform's repository they are re-distributing version
> > 1.2.2 of that package but (luckily?) in the Sim Release repo we have version
> > 1.3.1. In the platform, it is Equinox's Http servlet bundle that has an
> > optional prereq on "fileupload" and in Sim Release, it is RAP, apparently,
> > that is "pulling in" version 1.3.1.
> >
> > = = = = = =
> > I call out this flaw in our release practices, here on cross-project list,
> > for several reasons:
> >
> > 1) I wanted to open a bug on the Platform and Equinox to update that prereq
> > (bug 509388), but I see that "fileupload" Version 1.3.1 is not available
> > from Orbit. *Why not?* That alone appears to be a Simultaneous Releases "no
> > no".
>
> I saw your post a while back and thought of
> https://www.owasp.org/index.php/OWASP_Dependency_Check . It's available as a
> maven-plugin so it should be pretty easy to run such a thing in a separate
> HIPP. Seems like Orbit could benefit from such a report and maybe even as one
> of the sanity checks done on platform?
>
> In fact, after running it on the Orbit bundles we ship, fileupload was one of
> the high severity ones discovered. I see all of this (OWASP) has already been
> suggested on 509389 so this seems like the right thing to do.
>
>
> Cheers,
> --
> Roland Grunberg
> _______________________________________________
> cross-project-issues-dev mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
>
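Roland mentions running OWASP Dependency-Check as a Maven plugin in a separate HIPP build. The pom.xml fragment below is an added illustration of that setup; it is not from the original thread, from Eclipse Orbit, or from the Dependency-Check project. The plugin coordinates (`org.owasp:dependency-check-maven`), the `check` goal and the `failBuildOnCVSS` and `format` parameters are real; the version is a labelled placeholder, and the threshold of 7 (High/Critical) is an assumed policy choice.

```xml
<!-- Added example: run OWASP Dependency-Check during the Maven build and fail
     the build when a dependency carries a known vulnerability with CVSS >= 7
     (the kind of "high severity" finding Roland reports for fileupload).
     DEPENDENCY_CHECK_VERSION is a placeholder; substitute the current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>DEPENDENCY_CHECK_VERSION</version>
      <configuration>
        <!-- Assumed policy: break the build on High/Critical findings only,
             so the report stays actionable instead of failing on every Low. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- ALL writes the HTML report for humans plus machine-readable
             formats that a CI job (e.g. the Jenkins plugin Wim mentions)
             can archive or publish. -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <!-- The check goal binds to the verify phase by default, so a
               plain "mvn verify" in the HIPP job produces the report. -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` scans the resolved dependency tree against the NVD data Dependency-Check downloads and fails the job if, for instance, a commons-fileupload artifact older than 1.3.1 is still on the classpath. For a multi-module build such as an Orbit-style aggregation of many bundles, the plugin's `aggregate` goal produces a single report across all modules instead of one per module. Findings that have been reviewed and judged not applicable should be recorded in a suppression file kept under version control rather than by lowering the CVSS threshold, so the reasoning behind each exception is visible to the next reviewer.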