Hello Mark,

Just wanted to point you to a Red Hat project which I recently discovered, as it seems to have potential for this (even if the approach is not the most decentralized one):

The Victims Database maps JAR signatures to known vulnerabilities. If this is extended with Maven coordinates it would be a really helpful static analysis tool for build time.

https://securityblog.redhat.com/2013/01/02/detecting-vulnerable-java-dependencies-at-build-time/
http://victi.ms

Greetings
Bernd

> Am 27.02.2014 um 11:34 schrieb Mark Thomas <[email protected]>:
>
> Hi,
>
> For those of you that don't know me, one of my roles at the ASF is as a
> member of the Apache Security Team. One of the common problems we face
> when processing a security vulnerability report is how to identify the
> projects that depend on the vulnerable library. What I wanted to explore
> with the Maven dev community is the possibility of doing something along
> the following lines:
>
> 1. Add the ability to publish vulnerability information to a Maven
> repository.
>
> 2. Enhance Maven to check that vulnerability information when building a
> project and warn users that are building using a library with known
> vulnerabilities.
>
> As an aside, it might be nice to be able to publish de-support notices
> or similar along the same sort of lines so users building with old,
> unsupported libraries are also warned.
>
> Users would, of course, need an option to silence individual warnings if
> they are happy that they do not apply to their product.
>
> Does something like the above sound possible? Is it already possible and
> I have just missed it?
>
> Cheers,
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
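The following is an added example, not code from Maven, the Victims project, or either poster, showing the build-time check the thread sketches: resolved JARs are matched against published notices first by JAR hash (the Victims approach, which also catches a relocated or shaded copy of the same bytes) and then by Maven coordinates with a version range (Mark's proposal), de-support notices are carried as a second notice kind, and a per-notice suppression list implements the "silence individual warnings" requirement. The notice record shape, the notice ids, the coordinates and the in-memory JAR bytes are all constructed placeholders.

```python
"""Build-time dependency check: match resolved JARs against published
vulnerability / de-support notices by JAR hash and by Maven coordinates,
with per-notice suppressions. Constructed example; not Maven or Victims code."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    jar_bytes: bytes  # contents of the resolved JAR (constructed in memory here)

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    @property
    def sha512(self) -> str:
        return hashlib.sha512(self.jar_bytes).hexdigest()


@dataclass(frozen=True)
class Notice:
    """One record as a repository might publish it (the shape is an assumption)."""
    notice_id: str          # placeholder ids below; not real advisories
    kind: str               # "vulnerability" or "desupport"
    group: str
    artifact: str
    min_version: str        # first affected version, inclusive
    fixed_version: str      # first unaffected version, exclusive; "" = none yet
    jar_hashes: frozenset = frozenset()  # sha512 of known-affected JAR files
    summary: str = ""


def parse_version(v: str) -> tuple:
    """Numeric prefix of each dot/dash separated segment; '1.2-beta' -> (1, 2, 0)."""
    out = []
    for seg in re.split(r"[.-]", v):
        m = re.match(r"\d+", seg)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are padded with zeros so 1.2 == 1.2.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def notice_matches(dep: Dependency, n: Notice) -> str:
    """Return 'hash', 'coordinates', or '' for no match. Hash is checked first:
    a relocated or shaded copy keeps the bytes but not the coordinates."""
    if dep.sha512 in n.jar_hashes:
        return "hash"
    if (dep.group, dep.artifact) == (n.group, n.artifact):
        if compare_versions(dep.version, n.min_version) >= 0 and (
            n.fixed_version == "" or compare_versions(dep.version, n.fixed_version) < 0
        ):
            return "coordinates"
    return ""


def check_dependencies(deps, notices, suppressions):
    """suppressions: set of (notice_id, coordinates) pairs the project accepted."""
    findings = []
    for dep in deps:
        for n in notices:
            how = notice_matches(dep, n)
            if how:
                findings.append({
                    "notice_id": n.notice_id, "kind": n.kind,
                    "coordinates": dep.coordinates, "matched_by": how,
                    "suppressed": (n.notice_id, dep.coordinates) in suppressions,
                    "summary": n.summary,
                })
    return findings


def should_fail_build(findings) -> bool:
    """Fail only on unsuppressed vulnerability findings; de-support is warn-only."""
    return any(f["kind"] == "vulnerability" and not f["suppressed"] for f in findings)


# Constructed sample data: stand-in JAR bytes, placeholder notices and coordinates.
LIB_A_10 = b"constructed stand-in for lib-a-1.0.jar"
NOTICES = [
    Notice("EXAMPLE-VULN-001", "vulnerability", "org.example", "lib-a", "1.0", "1.1",
           frozenset({hashlib.sha512(LIB_A_10).hexdigest()}), "placeholder advisory"),
    Notice("EXAMPLE-EOL-001", "desupport", "org.example", "old-lib", "0", "3.0",
           summary="placeholder de-support notice: upgrade to 3.x"),
]
DEPENDENCIES = [
    Dependency("org.example", "lib-a", "1.0", LIB_A_10),
    Dependency("org.example", "lib-a", "1.1", b"stand-in for lib-a-1.1.jar"),
    Dependency("com.example", "shaded-lib-a", "9.9", LIB_A_10),  # same bytes, new name
    Dependency("org.example", "old-lib", "2.3", b"stand-in for old-lib-2.3.jar"),
]
SUPPRESSIONS = {("EXAMPLE-VULN-001", "com.example:shaded-lib-a:9.9")}


def run_check():
    return check_dependencies(DEPENDENCIES, NOTICES, SUPPRESSIONS)


if __name__ == "__main__":
    for f in run_check():
        flag = "suppressed" if f["suppressed"] else f["kind"].upper()
        print(f"[{flag}] {f['coordinates']} -> {f['notice_id']} (by {f['matched_by']})")
    print("build fails:", should_fail_build(run_check()))
```

Run as a script it reports three findings: lib-a 1.0 and the shaded copy both hit the notice by hash (the shaded one is suppressed), old-lib 2.3 hits the de-support notice by coordinates, and the build fails because one vulnerability finding is unsuppressed. Keying suppressions on (notice id, coordinates) rather than on the artifact alone means a suppression does not silently carry over to a later, different advisory against the same library.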
