[
https://issues.apache.org/jira/browse/FINERACT-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rahul Goel updated FINERACT-1585:
---------------------------------
Labels: gsoc2022 mentor part-time (was: gsoc2022 part-time)
> Static Analysis and Vulnerability Scanning of Apache Fineract CN
> ----------------------------------------------------------------
>
> Key: FINERACT-1585
> URL: https://issues.apache.org/jira/browse/FINERACT-1585
> Project: Apache Fineract
> Issue Type: Improvement
> Reporter: Rahul Goel
> Priority: Minor
> Labels: gsoc2022, mentor, part-time
>
> As our product is core banking platform and our clients are financial
> institutions, we strive hard to make our code base as secure as possible.
> However, due to ever increasing security threats and vulnerabilities, it is
> the need of hour that we analyze our code base in depth for security
> vulnerabilities. During pull request merge process, we have a process in
> place wherein we do peer code review,QA and integration tests. This practice
> has been very effective and our community is already reaping the benefits of
> such a strong code review process. However, we should test our code against
> the standard vulnerabilities which have been identified by reputed
> organisations like [Mitre|https://www.mitre.org/] to gain more confidence. It
> has become a critical part of independent and partner-led deployments
>
> We can make use of opensource tools like
> [Jlint|http://jlint.sourceforge.net/],
> [Findbugs|http://findbugs.sourceforge.net/] ,
> [SonarQube|https://www.sonarqube.org/] or frameworks like [Total output
> Integration Framework
> (TOIF)|http://kdmanalytics.com/resources/open-source-toif/] - used by
> companies dedicated to produce military grade secure systems. As our
> environments become more containerized we can also utilize tools like:
> [Anchore|https://anchore.com/opensource/], [Snyk.io|https://snyk.io/], and
> [Docker Bench for Security|https://github.com/docker/docker-bench-security]
> It would be worthwhile, if we can dedicate one GSOC project for this
> analysis. The student would be responsible to analyse the findings, generate
> reports, identify if it is really a bug and then submit a fix after
> consultation from the community. Of course, the student needs to demonstrate
> some basic understanding of security vulnerabilities( like buffer overflow
> etc) and should have some academic level of experience working with static
> analysis tools.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
