[ 
https://issues.apache.org/jira/browse/HBASE-29201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated HBASE-29201:
--------------------------------
    Fix Version/s: 2.7.0
                   3.0.0-beta-2
                   2.6.3
                   2.5.12
       Resolution: Fixed
           Status: Resolved  (was: Patch Available)

Committed to all active branches.
Thanks for the reviews and discussion [~paksyd], [~nihaljain.cs], [~zhangduo] 
and [~ndimiduk].

> Add OWASP Dependency Check to check 3rd party dependencies for known 
> vulnerabilities
> ------------------------------------------------------------------------------------
>
>                 Key: HBASE-29201
>                 URL: https://issues.apache.org/jira/browse/HBASE-29201
>             Project: HBase
>          Issue Type: Improvement
>          Components: build
>            Reporter: Dávid Paksy
>            Assignee: Istvan Toth
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.0, 3.0.0-beta-2, 2.6.3, 2.5.12
>
>
> h1. OWASP Dependency-Check
> {quote}Dependency-Check is a Software Composition Analysis (SCA) tool that 
> attempts to detect publicly disclosed vulnerabilities contained within a 
> project’s dependencies. It does this by determining if there is a Common 
> Platform Enumeration (CPE) identifier for a given dependency. If found, it 
> will generate a report linking to the associated CVE entries.
> {quote}
> [https://owasp.org/www-project-dependency-check/]
>  
> It provides a Maven plugin which we could integrate into the build:
>  * [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/]
>  * [https://mvnrepository.com/artifact/org.owasp/dependency-check-maven]
>  
> Questions / open points:
>  * How frequently should this be run? Would probably not make sense to run it 
> more frequently than weekly.
>  * Without an API key the scan will be a bit slow but it will still work.
>  * Dependency-check automatically updates itself using the [NVD Data 
> Feeds|https://nvd.nist.gov/vuln/data-feeds] hosted by NIST. '''IMPORTANT 
> NOTE:''' The initial download of the data may take ten minutes or more. If 
> you run the tool at least once every seven days, only a small JSON file needs 
> to be downloaded to keep the local copy of the data current.
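The following is an added illustration of the Maven-plugin integration the issue proposes; it is not taken from the issue or from the HBase pom. It puts dependency-check-maven in an on-demand profile so a scheduled (e.g. weekly) CI job can run it without slowing every build, and reads the optional NVD API key from a property that CI supplies. The profile id, the property names `dependency-check.version` and `nvd.api.key`, the placeholder version, and the suppression-file path are assumptions; `nvdApiKey`, `failBuildOnCVSS`, `format`, `suppressionFiles` and the `aggregate` goal are the plugin's own parameters and goal.

```xml
<!-- Added example (not the HBase pom): an opt-in profile for OWASP Dependency-Check.
     Run on a schedule with:  mvn -Pdependency-check verify -Dnvd.api.key=<key>  -->
<project>
  <properties>
    <!-- Placeholder; pin to a current dependency-check-maven release. -->
    <dependency-check.version>PLACEHOLDER_VERSION</dependency-check.version>
    <!-- Empty by default so the key is never committed; CI passes -Dnvd.api.key=... -->
    <nvd.api.key></nvd.api.key>
  </properties>

  <profiles>
    <profile>
      <!-- Profile id is an assumption; the scan runs only when -Pdependency-check is given. -->
      <id>dependency-check</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <!-- Optional: without a key the NVD download still works, just more slowly. -->
              <nvdApiKey>${nvd.api.key}</nvdApiKey>
              <!-- Fail the build when any dependency has a finding with CVSS >= 7.0 (High). -->
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <!-- HTML for reviewers, XML/JSON for tooling. -->
              <format>ALL</format>
              <!-- Reviewed false positives live in a tracked suppression file (path is an assumption). -->
              <suppressionFiles>
                <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <phase>verify</phase>
                <goals>
                  <!-- aggregate: one report covering every module of a multi-module build. -->
                  <goal>aggregate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

Because the plugin caches the NVD data under the local Maven repository by default, a CI job that runs this profile should keep that directory between runs; otherwise each weekly run repeats the slow initial download the issue warns about instead of the small incremental update.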



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
