2015-06-23 22:52 GMT+02:00 Ben Caradoc-Davies <[email protected]>:

> GeoTools / GeoServer Meeting 2015-06-23
>
> Preventing vulnerability with build checks
> ------------------------------------------
>
> Jenkins plugin may allow us to run automated vulnerability check:
>
> * https://www.blackducksoftware.com/vulnerability-plugin
>
> Can we make a build profile for this similar to database tests...

You may also want to look into the OWASP Dependency-Check [1] [2] tools, which have plugins for Maven, Jenkins and other tools/plugins. I've used this before and was impressed with the results; it uses the NIST CVE database to check all project dependencies.

The problem with this kind of tool is that it is a static analysis which generally doesn't catch things like SQL injection, XSS or entity expansion that occur at runtime (it will of course raise a flag if it's a known bad dependency). That would still require a pen test with something like the Zed Attack Proxy [3]. Also, there are false positives to handle and investigate.

I have an example, running as part of the site phase, set up here [4], report here [5].

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check
[2] https://github.com/jeremylong/DependencyCheck
[3] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
[4] https://github.com/MinELenI/CBSviewer/blob/master/pom.xml#L801
[5] http://mineleni.github.io/CBSviewer/dependency-check-report.html

Mark

-- 
Disclaimer; This message is just a reflection of what I thought at the time of sending. The message may contain information that is not intended for you or that you don't understand.

_______________________________________________
GeoTools-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geotools-devel
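The build-profile idea from the meeting notes combined with the site-phase report Mark describes, as an added example that is neither the thread's nor the CBSviewer project's pom: an opt-in Maven profile for dependency-check-maven that fails the build on High/Critical findings and records investigated false positives in a suppression file. The `${dependency-check.version}` property, the suppression-file path and the CVSS threshold are assumptions.

```xml
<!-- Added example, not from the thread or the CBSviewer pom. Opt-in via
     -Pdependency-check, like the database/online test profiles. -->
<profiles>
  <profile>
    <id>dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check.version}</version> <!-- assumed property: set to a current release -->
          <configuration>
            <!-- break the build only for CVSS >= 7; lower thresholds catch more but need more triage -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- investigated false positives, one <suppress> entry each with a note, kept in version control -->
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
            <!-- test-scoped dependencies never ship with the build -->
            <skipTestScope>true</skipTestScope>
          </configuration>
          <executions>
            <execution>
              <phase>verify</phase>
              <goals>
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
    <!-- the same plugin renders the HTML report during mvn site -->
    <reporting>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check.version}</version>
          <reportSets>
            <reportSet>
              <reports>
                <report>check</report>
              </reports>
            </reportSet>
          </reportSets>
        </plugin>
      </plugins>
    </reporting>
  </profile>
</profiles>
```

Run `mvn -Pdependency-check verify` for the gating check and `mvn -Pdependency-check site` for the report; a finding that is confirmed not to apply gets a dated, justified `<suppress>` entry rather than a raised threshold.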
