Hi,

Thanks for the pointer Roland. It seems there is also a Jenkins plugin. It would be nice if that could be made available.

https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin

Cheers,
Wim

On Tue, Jan 3, 2017 at 6:03 PM, Roland Grunberg <[email protected]> wrote:
> > "*Yes*, we are distributing software with known security issues", is the
> > answer to the subject question.
> > So much for Betteridge's law :)
> >
> > To walk through one example, the article named org.apache.commons.fileupload
> > version 1.2.1 as being often redistributed, even though it has a known security
> > issue (CVE-2014-0050). Versions 1.0 to 3.0 had the flaw, and 1.3.1 is required
> > to avoid it. Version 1.3.2 is the most recent Apache version.
> >
> > That 'fileupload' package sounded familiar so I began to look around and I
> > found that in the Platform's repository they are re-distributing version
> > 1.2.2 of that package but (luckily?) in the Sim Release repo we have version
> > 1.3.1. In the platform, it is Equinox's Http servlet bundle that has an
> > optional prereq on "fileupload" and in Sim Release, it is RAP, apparently,
> > that is "pulling in" version 1.3.1.
> >
> > = = = = = =
> > I call out this flaw in our release practices, here on cross-project list,
> > for several reasons:
> >
> > 1) I wanted to open a bug on the Platform and Equinox to update that prereq
> > (bug 509388), but I see that "fileupload" Version 1.3.1 is not available
> > from Orbit. *Why not?* That alone appears to be a Simultaneous Releases
> > "no no".
>
> I saw your post a while back and thought of
> https://www.owasp.org/index.php/OWASP_Dependency_Check . It's available as a
> maven-plugin so it should be pretty easy to run such a thing in a separate
> HIPP.
> Seems like Orbit could benefit from such a report and maybe even as one of the
> sanity checks done on platform?
>
> In fact, after running it on the Orbit bundles we ship, fileupload was one of
> the high severity ones discovered. I see all of this (OWASP) has already been
> suggested on 509389 so this seems like the right thing to do.
>
> Cheers,
> --
> Roland Grunberg
> _______________________________________________
> cross-project-issues-dev mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
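As an added illustration of the maven-plugin route Roland mentions (example code, not from the thread or from any Eclipse project): a minimal pom.xml that depends on the commons-fileupload 1.2.2 found in the Platform repository and runs OWASP Dependency-Check during the build, failing it when a finding's CVSS score reaches the configured threshold. The sample project coordinates and the plugin version placeholder are assumptions; the Apache Commons Maven coordinates are used rather than the Orbit bundle id.

```xml
<!-- Added example, not code from the mailing-list thread or the Eclipse projects.
     Assumed: the sample project coordinates below and the plugin version placeholder. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>                 <!-- constructed sample project -->
  <artifactId>fileupload-consumer</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencies>
    <!-- The version the thread found redistributed in the Platform repo.
         Dependency-Check matches this artifact against the NVD and reports
         CVE-2014-0050 for it; 1.3.1 is the first version without the flaw. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.2.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- placeholder: pin a released plugin version here -->
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- Fail the build when any finding has a CVSS score of 7 or higher,
               so a high-severity CVE such as CVE-2014-0050 stops the release
               instead of only appearing in a report. The plugin's default
               threshold never fails the build. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>   <!-- runs in the verify phase by default -->
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify` writes the findings to `target/dependency-check-report.html` and exits non-zero when the threshold is hit; lowering the threshold or running the same goal against the Orbit bundles gives the sanity check the thread asks for.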
