[
https://issues.apache.org/jira/browse/FINERACT-1580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rahul Goel updated FINERACT-1580:
---------------------------------
Priority: Minor (was: Major)
> Fix Critical Vulnerabilities from Static Analysis and Vulnerability Scanning
> of Apache Fineract 1.x
> ---------------------------------------------------------------------------------------------------
>
> Key: FINERACT-1580
> URL: https://issues.apache.org/jira/browse/FINERACT-1580
> Project: Apache Fineract
> Issue Type: Improvement
> Reporter: Rahul Goel
> Priority: Minor
> Labels: full-time, gsoc2022
>
> As our product is a core banking platform and our clients are financial
> institutions, we strive hard to make our code base as secure as possible.
> However, due to ever-increasing security threats and vulnerabilities, it is
> the need of the hour that we analyze our code base in depth for security
> vulnerabilities. During the pull request merge process, we have a process in
> place wherein we do peer code review, QA and integration tests. This practice
> has been very effective and our community is already reaping the benefits of
> such a strong code review process. However, we should test our code against
> the standard vulnerabilities which have been identified by reputed
> organisations like [Mitre|https://www.mitre.org/] to gain more confidence. It
> has become a critical part of independent and partner-led deployments.
>
> We can make use of open-source tools like
> [Jlint|http://jlint.sourceforge.net/],
> [Findbugs|http://findbugs.sourceforge.net/],
> [SonarQube|https://www.sonarqube.org/] or frameworks like [Total output
> Integration Framework
> (TOIF)|http://kdmanalytics.com/resources/open-source-toif/], used by
> companies dedicated to producing military-grade secure systems. As our
> environments become more containerized we can also utilize tools like
> [Anchore|https://anchore.com/opensource/], [Snyk.io|https://snyk.io/], and
> [Docker Bench for Security|https://github.com/docker/docker-bench-security].
>
> It would be worthwhile if we could dedicate one GSoC project to this analysis
> and fixing of critical vulnerabilities and actual bugs. The student would be
> responsible for analysing the findings, generating reports, identifying
> whether each one is really a bug and then submitting a fix after consultation
> with the community. Of course, the student needs to demonstrate some basic
> understanding of security vulnerabilities (like buffer overflows, etc.) and
> should have some academic-level experience working with static analysis tools.
>
> Prioritization of focus would be on:
> * Vulnerabilities, Hotspots, Bugs, and Code Smells, in that order.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
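The triage order the ticket proposes (vulnerabilities, then security hotspots, then bugs, then code smells), worked into a small script, as an added example that is not part of the issue text and not code from the Apache Fineract project. It assumes the JSON shapes returned by SonarQube's api/issues/search (records with "type" and "severity") and api/hotspots/search (records with "vulnerabilityProbability"), maps hotspot probability onto the severity scale purely as an assumed tie-break, and runs over constructed sample records rather than real scan output:

```python
"""Triage helper for static-analysis output, ordered the way FINERACT-1580
proposes: Vulnerabilities, then Security Hotspots, then Bugs, then Code Smells.

Added illustration, not code from Apache Fineract or from the ticket author.
It assumes the JSON shapes of SonarQube's api/issues/search (records with
"type" and "severity") and api/hotspots/search (records with
"vulnerabilityProbability"); the sample records below are constructed for
this example and are not real scan results.
"""
import json

# Handling order from the ticket; lower value = look at it first.
TYPE_ORDER = {"VULNERABILITY": 0, "SECURITY_HOTSPOT": 1, "BUG": 2, "CODE_SMELL": 3}

# SonarQube issue severities, most severe first (tie-break within a type).
SEVERITY_ORDER = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}

# Hotspots carry a review probability rather than a severity; mapping it onto
# the severity scale is an assumption made here for ranking purposes only.
HOTSPOT_PROBABILITY_TO_SEVERITY = {"HIGH": "CRITICAL", "MEDIUM": "MAJOR", "LOW": "MINOR"}

# Constructed sample input (not real Fineract findings; paths are placeholders).
SAMPLE_ISSUES = json.dumps({"issues": [
    {"key": "I-1", "type": "CODE_SMELL", "severity": "MAJOR",
     "component": "sample:src/Ledger.java", "message": "Duplicated string literal"},
    {"key": "I-2", "type": "BUG", "severity": "CRITICAL",
     "component": "sample:src/Ledger.java", "message": "Possible null dereference"},
    {"key": "I-3", "type": "VULNERABILITY", "severity": "MAJOR",
     "component": "sample:src/Export.java", "message": "Path built from user input"},
    {"key": "I-4", "type": "VULNERABILITY", "severity": "BLOCKER",
     "component": "sample:src/Query.java", "message": "SQL built by concatenation"},
]})
SAMPLE_HOTSPOTS = json.dumps({"hotspots": [
    {"key": "H-1", "vulnerabilityProbability": "HIGH",
     "component": "sample:src/Crypto.java", "message": "Review this cipher mode"},
    {"key": "H-2", "vulnerabilityProbability": "LOW",
     "component": "sample:src/Log.java", "message": "Review logged data"},
]})


def normalize(issues_json, hotspots_json):
    """Merge both payloads into one list of findings with a uniform
    'type' and 'severity' so they can be ranked together."""
    findings = []
    for issue in json.loads(issues_json).get("issues", []):
        findings.append({
            "key": issue["key"],
            "type": issue.get("type", "").upper(),
            "severity": issue.get("severity", "").upper(),
            "component": issue.get("component", ""),
            "message": issue.get("message", ""),
        })
    for spot in json.loads(hotspots_json).get("hotspots", []):
        probability = spot.get("vulnerabilityProbability", "").upper()
        findings.append({
            "key": spot["key"],
            "type": "SECURITY_HOTSPOT",
            "severity": HOTSPOT_PROBABILITY_TO_SEVERITY.get(probability, "MINOR"),
            "component": spot.get("component", ""),
            "message": spot.get("message", ""),
        })
    return findings


def priority_key(finding):
    """Sort key: ticket's type order, then severity; unknowns sort last."""
    type_rank = TYPE_ORDER.get(finding["type"], len(TYPE_ORDER))
    sev_rank = SEVERITY_ORDER.get(finding["severity"], len(SEVERITY_ORDER))
    return (type_rank, sev_rank, finding["key"])


def triage(issues_json, hotspots_json):
    """Return findings in the order a reviewer should work through them."""
    return sorted(normalize(issues_json, hotspots_json), key=priority_key)


def counts_by_type(findings):
    """Per-type totals for the report the ticket asks the student to produce."""
    totals = {name: 0 for name in TYPE_ORDER}
    for finding in findings:
        totals[finding["type"]] = totals.get(finding["type"], 0) + 1
    return totals


if __name__ == "__main__":
    ordered = triage(SAMPLE_ISSUES, SAMPLE_HOTSPOTS)
    for f in ordered:
        print(f"{f['type']:<17} {f['severity']:<9} {f['key']:<5} {f['component']}: {f['message']}")
    print(counts_by_type(ordered))
```

With the constructed input the blocker-severity vulnerability comes first and the code smell last, with hotspots ranked ahead of the critical bug because the ticket places hotspots before bugs regardless of severity; swap the two entries in TYPE_ORDER if a project decides otherwise.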