[ https://issues.apache.org/jira/browse/NIFI-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314959#comment-17314959 ]

David Handermann commented on NIFI-5541:
----------------------------------------

Revisiting this issue after recent discussions with [~pvillard], GitHub PR 4971 
includes the OWASP build profile with the most recent version of the Maven 
dependency-check plugin.

As described in previous comments on this issue, and as noted in the PR, 
vulnerability analysis requires careful examination of the individual 
dependency listed in reference to where it is used in NiFi.  That being said, 
having the optional build profile will provide a starting point for interested 
contributors to address potential problems with outdated dependencies.  
Individual dependencies should be addressed on a case-by-case basis with 
individual Jira issues and associated Pull Requests, but having this build 
profile is a useful summary.  With the build profile being optional, it will 
not impact existing workflows or automated builds.

> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
>                 Key: NIFI-5541
>                 URL: https://issues.apache.org/jira/browse/NIFI-5541
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Tools and Build
>    Affects Versions: 2.0.0, 1.8.0
>         Environment: All development, build, test, environments.
>            Reporter: Albert Baker
>            Assignee: David Handermann
>            Priority: Major
>              Labels: build, easy-fix, security
>   Original Estimate: 1h
>          Time Spent: 20m
>  Remaining Estimate: 40m
>
> Please add OWASP Dependency Check to the build (pom.xml).  OWASP DC makes an 
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to 
> perform a lookup for each dependent .jar to list any/all known 
> vulnerabilities for each jar.  This step is needed because a manual MITRE CVE 
> lookup/check on the main component does not include checking for 
> vulnerabilities that get pulled into the released product via 
> dependent/third-party libraries.
> OWASP Dependency Check: 
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most 
> Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report 
> of all known vulnerabilities in any/all third party libraries/dependencies 
> that get pulled in. Example: mvn -Powasp -Dtest=false -DfailIfNoTests=false 
> clean aggregate
> Generating this report nightly/weekly will help inform the project's 
> development team if any dependent libraries have newly discovered & 
> reported (known) vulnerabilities.  Project teams that keep up with removing 
> known vulnerabilities on a weekly basis will help protect businesses that 
> rely on these open source components.
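The following is an added example of the kind of optional Maven profile the issue asks for; it is not NiFi's own pom.xml and not the change from PR 4971. It wires the OWASP dependency-check-maven plugin into a profile named `owasp` so that it runs only when the profile is activated and leaves normal builds untouched. The plugin version property, the CVSS failure threshold of 7, and the `owasp-suppressions.xml` path are assumptions chosen for illustration.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Assumption: pin the plugin version here and bump it deliberately;
         the placeholder must be replaced with a released version from Maven Central -->
    <dependency-check.version>PLUGIN_VERSION_PLACEHOLDER</dependency-check.version>
  </properties>

  <profiles>
    <!-- Opt-in profile: activated with -Powasp, otherwise inert so
         existing developer workflows and CI builds are unaffected -->
    <profile>
      <id>owasp</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <!-- Fail the build only for findings at or above this CVSS score
                   (assumed threshold); lower-scored findings still appear in the report -->
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <!-- Emit every supported report format (HTML for reviewers, JSON/XML for tooling) -->
              <format>ALL</format>
              <!-- Reviewed false positives live in a suppression file kept under version control,
                   each entry carrying a note explaining why the finding does not apply -->
              <suppressionFiles>
                <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <!-- aggregate scans every module of a multi-module build into one report -->
                  <goal>aggregate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

With the execution bound to the plugin's default phase, a scheduled job can run `mvn -Powasp -DskipTests verify` (or invoke the goal directly with `mvn -Powasp dependency-check:aggregate`) to produce the report without running the test suite. Keeping the suppression file in the repository, with a justification per entry, is what makes the case-by-case review described in the comment auditable: a finding that was deliberately accepted is distinguishable from one that was never looked at.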



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
