Ciao Francecsco,
I don't know if OWASP is pointless or not because I don't see the report.
But looking for his username and "owasp" on Google, I saw that he had
open the same issue on several Apache project [1], [2] and [3].
I think (and hope) he is "only" a spammer...
BR,
Massi
[1]
http://mail-archives.apache.org/mod_mbox/mahout-dev/201807.mbox/%3cjira.13175453.1532912821000.114447.1532912880...@atlassian.jira%3E
[2] https://www.mail-archive.com/[email protected]/msg197234.html
[3] https://jira.apache.org/jira/browse/CXF-7809
Il 06/08/2018 11:55, Francesco Chicchiriccò (JIRA) ha scritto:
[
https://issues.apache.org/jira/browse/SYNCOPE-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16569968#comment-16569968
]
Francesco Chicchiriccò commented on SYNCOPE-1349:
-------------------------------------------------
I have added a profile as follows to the root pom.xml:
{code}
<profile>
<id>owasp</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>3.3.0</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<modules>
<module>docker</module>
</modules>
</profile>
{code}
and obtained the attached report, which is mostly pointless: for example, it
identifies {{cpe:/a:apache:cxf:2.0.10}} for
{{syncope-core-rest-cxf-2.0.10-SNAPSHOT.jar}}, or
{{cpe:/a:apache:geronimo:4.8}} for {{xbean-asm6-shaded-4.8.jar}} - and many
others like these.
Please add OWASP Dependency Check to the build (pom.xml)
--------------------------------------------------------
Key: SYNCOPE-1349
URL: https://issues.apache.org/jira/browse/SYNCOPE-1349
Project: Syncope
Issue Type: New Feature
Affects Versions: 2.0.10, 2.1.1, 3.0.0
Environment: All development, build, test, environments.
Reporter: Albert Baker
Priority: Major
Labels: build, easy-fix, security
Original Estimate: 1h
Remaining Estimate: 1h
Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an
outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to perform
a lookup for each dependant .jar to list any/all known vulnerabilities for each
jar. This step is needed because a manual MITRE CVE lookup/check on the main
component does not include checking for vulnerabilities in components or in
dependant libraries.
OWASP Dependency check : https://www.owasp.org/index.php/OWASP_Dependency_Check
has plug-ins for most Java build/make types (ant, maven, ivy, gradle).
Also, add the appropriate command to the nightly build to generate a report of
all known vulnerabilities in any/all third party libraries/dependencies that
get pulled in. example : mvn -Powasp -Dtest=false -DfailIfNoTests=false clean
aggregate
Generating this report nightly/weekly will help inform the project's
development team if any dependant libraries have a reported known
vulnerailities. Project teams that keep up with removing vulnerabilities on a
weekly basis will help protect businesses that rely on these open source
componets.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
http://www.tirasa.net
"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)
