[jira] [Commented] (NIFI-5541) Please add OWASP Dependency Check to the build (pom.xml)

Fri, 24 Aug 2018 15:51:09 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16592289#comment-16592289
 ] 

Joseph Witt commented on NIFI-5541:
-----------------------------------

Albert - it is important to do such scans as a tool to provide information on 
where there may be vulnerabilities in libraries we leverage.  That does not 
however inform us on whether our usage of those libraries expose those 
vulnerabilities.  Such a report is a tool and one we should leverage.  

This list means 'these are library versions used in the project which have 
reported CVEs' - no more - no less.

> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
>                 Key: NIFI-5541
>                 URL: https://issues.apache.org/jira/browse/NIFI-5541
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Tools and Build
>    Affects Versions: 2.0.0, 1.8.0
>         Environment: All development, build, test, environments.
>            Reporter: Albert Baker
>            Assignee: Pierre Villard
>            Priority: Major
>              Labels: build, easy-fix, security
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
>  Please add OWASP Dependency Check to the build (pom.xml).  OWASP DC makes an 
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to 
> perform a lookup for each dependant .jar to list any/all known 
> vulnerabilities for each jar.  This step is needed because a manual MITRE CVE 
> lookup/check on the main component does not include checking for 
> vulnerabilities that get pulled into the released product via 
> dependant/third-party libraries.
> OWASP Dependency check : 
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most 
> Java build/make types (ant, maven, ivy, gradle).   
> Also, add the appropriate command to the nightly build to generate a report 
> of all known vulnerabilities in any/all third party libraries/dependencies 
> that get pulled in. example : mvn -Powasp -Dtest=false -DfailIfNoTests=false 
> clean aggregate
> Generating this report nightly/weekly will help inform the project's 
> development team if any dependant libraries have a newly discovered & 
> reported (known) vulnerailities.  Project teams that keep up with removing 
> known vulnerabilities on a weekly basis will help protect businesses that 
> rely on these open source componets.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to