[
https://issues.apache.org/jira/browse/HBASE-29201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17937304#comment-17937304
]
Dávid Paksy commented on HBASE-29201:
-------------------------------------
Many thanks [~stoty] for implementing this.
> Add OWASP Dependency Check to check 3rd party dependencies for known
> vulnerabilities
> ------------------------------------------------------------------------------------
>
> Key: HBASE-29201
> URL: https://issues.apache.org/jira/browse/HBASE-29201
> Project: HBase
> Issue Type: Improvement
> Components: build
> Reporter: Dávid Paksy
> Assignee: Istvan Toth
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.0, 3.0.0-beta-2, 2.6.3, 2.5.12
>
>
> h1. OWASP Dependency-Check
> {quote}Dependency-Check is a Software Composition Analysis (SCA) tool that
> attempts to detect publicly disclosed vulnerabilities contained within a
> project’s dependencies. It does this by determining if there is a Common
> Platform Enumeration (CPE) identifier for a given dependency. If found, it
> will generate a report linking to the associated CVE entries.
> {quote}
> [https://owasp.org/www-project-dependency-check/]
>
> It provides a Maven plugin which we could integrate into the build:
> * [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/]
> * [https://mvnrepository.com/artifact/org.owasp/dependency-check-maven]
>
> Questions / open points:
> * How frequently should this be run? Would probably not make sense to run it
> more frequently than weekly.
> * Without an API key the scan will be a bit slow but it will still work.
> * Dependency-check automatically updates itself using the [NVD Data
> Feeds|https://nvd.nist.gov/vuln/data-feeds] hosted by NIST. *IMPORTANT
> NOTE:* The initial download of the data may take ten minutes or more. If
> you run the tool at least once every seven days, only a small JSON file needs
> to be downloaded to keep the local copy of the data current.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
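As an added example, not the change that landed in HBase and not code from either participant in the issue, here is one way the Maven plugin referenced in the issue can be wired into a build so that it runs only on request, keeps the downloaded vulnerability data in a local cache so that a weekly run needs only an incremental refresh, and fails the build above a chosen CVSS score. Only the plugin coordinates `org.owasp:dependency-check-maven` come from the issue; the plugin version, the `dependency-check` profile id, the property names, the data directory and the suppression-file path are assumptions chosen for illustration. One caveat to the quoted OWASP text: since dependency-check 9.0 the tool pulls data from the NVD API rather than the JSON data feeds, and the key mentioned in the issue is passed through the plugin's `nvdApiKey` parameter.

```xml
<!-- Added example, not the HBase project's pom.xml. Drop this into the
     <properties> and <profiles> sections of a root pom. The version below is an
     assumption; use the current release from mvnrepository.com. -->
<project>

  <properties>
    <!-- assumed version; bump to the current dependency-check-maven release -->
    <dependency-check.version>12.1.0</dependency-check.version>
    <!-- CVSS v3 base score at or above which the build fails (assumed policy) -->
    <dependency-check.failOnCVSS>7.0</dependency-check.failOnCVSS>
  </properties>

  <profiles>
    <!-- Opt-in profile so the scan does not slow down every developer build;
         a weekly CI job activates it with -Pdependency-check. -->
    <profile>
      <id>dependency-check</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <!-- Persist the NVD cache outside target/ so a "clean" build does
                   not trigger the full multi-minute initial download again.
                   The path is an assumption. -->
              <dataDirectory>${user.home}/.m2/dependency-check-data</dataDirectory>
              <!-- Treat the local copy as fresh for 7 days (168 h); a job that
                   runs weekly then fetches only the delta since the last run. -->
              <nvdValidForHours>168</nvdValidForHours>
              <!-- Fail the build when a finding meets the configured score
                   instead of only producing a report nobody reads. -->
              <failBuildOnCVSS>${dependency-check.failOnCVSS}</failBuildOnCVSS>
              <!-- Test-only and container-provided jars do not ship with the
                   release artifacts, so exclude them from the gate. -->
              <skipTestScope>true</skipTestScope>
              <skipProvidedScope>true</skipProvidedScope>
              <!-- Reviewed false positives live in source control with a
                   justification per entry (file path is an assumption). -->
              <suppressionFiles>
                <suppressionFile>${project.basedir}/dev-support/dependency-check-suppressions.xml</suppressionFile>
              </suppressionFiles>
              <!-- HTML for humans, JSON for tooling that tracks findings. -->
              <formats>
                <format>HTML</format>
                <format>JSON</format>
              </formats>
            </configuration>
            <executions>
              <execution>
                <!-- aggregate scans every module of the reactor into one report -->
                <goals>
                  <goal>aggregate</goal>
                </goals>
                <phase>verify</phase>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>

</project>
```

The NVD key is deliberately left out of the pom so that it is never committed: the CI job passes it on the command line, for example `mvn -Pdependency-check -DnvdApiKey="$NVD_API_KEY" verify`, and the same command without `-DnvdApiKey` still works, only more slowly because the NVD rate-limits anonymous clients, which matches the behaviour the issue describes. The suppression file uses the plugin's own `<suppressions>` format, in which each `<suppress>` entry names the affected artifact (by SHA-1 or a `packageUrl` regex) together with the CVE or CPE being suppressed, so each accepted finding stays reviewable in version control rather than being silenced on a build agent.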