Robert Munteanu created SLING-11057:
---------------------------------------
Summary: Security scanning for the Sling Starter during CI checks
Key: SLING-11057
URL: https://issues.apache.org/jira/browse/SLING-11057
Project: Sling
Issue Type: Improvement
Components: Starter
Reporter: Robert Munteanu
Fix For: Starter 12
I think we should consider security scanning the Starter, as a packaged
application, during CI checks. This will help us not ship with vulnerable
dependencies.
I have found two potential candidates:
- the [OSS index Maven
Plugin|https://sonatype.github.io/ossindex-maven/maven-plugin/] which uses the
[Sonatype OSS index|https://ossindex.sonatype.org/] and scans the Maven
dependencies
- [Trivy|https://github.com/aquasecurity/trivy] which uses the Snyk Database
for Java and various other sources. Trivy scans container images (or local
directories).
We should probably do both, once we start producing Docker images in the
starter project (SLING-9638).
One thing which I'm not certain about is failing the build on such checks. A
working build can be broken because a CVE was published for an existing
component. But the alternative is probably not finding out about it. Maybe we can
separate these checks in a separate Jenkins step that comes at the end, so it's
clear that the main build passes but the Starter can't be shipped with
vulnerable dependencies.
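As an added illustration of the "separate Jenkins step at the end" idea (example code, not part of the issue and not the Sling project's own Jenkinsfile): a declarative pipeline in which the main build alone decides pass/fail, and a trailing stage runs both scanners, marking the build UNSTABLE rather than FAILED when they find something. Assumed: the OSS Index Maven plugin is invoked by its fully qualified `audit` goal, a `trivy` binary is on the agent, and the stage names, the HIGH/CRITICAL severity threshold and the `target/` directory being scanned are this example's choices.

```groovy
// Added example, not from the Sling project. Assumptions: ossindex-maven-plugin
// "audit" goal available from Maven Central, a trivy binary on the agent, and
// the packaged Starter under target/ (paths and thresholds are illustrative).
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // The regular build: it alone decides whether the job passes.
                sh 'mvn -B -U clean verify'
            }
        }

        stage('Security scan') {
            steps {
                // Any scanner failure marks the build UNSTABLE and this stage
                // FAILED, so "main build green, but not shippable" is visible
                // at a glance instead of hiding behind a red build.
                catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
                    // Dependency audit against the Sonatype OSS Index. The
                    // audit goal fails on reported vulnerabilities by default.
                    // No plugin version is pinned here (Maven resolves the
                    // latest release); pin one for reproducible CI.
                    sh 'mvn -B org.sonatype.ossindex.maven:ossindex-maven-plugin:audit'

                    // Filesystem scan of the packaged Starter with Trivy: exit
                    // code 1 on HIGH/CRITICAL findings that have a fix. Replace
                    // "trivy fs ... target/" with "trivy image <tag>" once
                    // SLING-9638 produces Docker images.
                    sh '''
                        trivy fs --exit-code 1 --severity HIGH,CRITICAL \
                                 --ignore-unfixed \
                                 --format json --output trivy-report.json \
                                 target/
                    '''
                }
            }
        }
    }

    post {
        always {
            // Keep the Trivy report with the build for later review; the
            // archive is allowed to be empty if the scan never ran.
            archiveArtifacts artifacts: 'trivy-report.json', allowEmptyArchive: true
        }
    }
}
```

The `catchError` step is what separates "the code builds" from "the code is shippable": a newly published CVE turns the job yellow and the stage red, which is easy to gate a release on, while a genuine compile or test failure still turns the job red in the `Build` stage. Dropping `--ignore-unfixed` would also report findings without an available fix, which is stricter but produces failures nobody can act on yet.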
--
This message was sent by Atlassian Jira
(v8.20.1#820001)