[ https://issues.apache.org/jira/browse/NIFI-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16594029#comment-16594029 ]

Albert Baker edited comment on NIFI-5541 at 8/27/18 5:55 PM:
-------------------------------------------------------------

Joseph:  I completely understand the legacy/installed base issue.  I have been 
developing systems for 30 yrs. My worry is that pushing the security work off 
to 10,000 different development/deployment/integration teams will force 10,000 
diff teams to duplicate the same work /and/ not have the benefit of that work 
reflected in the core Apache component, and be therefore /a lot of lost 
effort/. IMO.... we can 1. test changes individually & find the ones that don't 
break the system. 2. combine changes in combination to find sets of fixes that 
together don't break the system.  3. make a release.   to start.   This is also 
a lesson for all dev teams to not let things go so long.  If minor upgrades had 
been happening all along, we would not be in this place.  If we can get to a 
release with no known CVEs, then the monthly maint. will be easy.


> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
>                 Key: NIFI-5541
>                 URL: https://issues.apache.org/jira/browse/NIFI-5541
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Tools and Build
>    Affects Versions: 2.0.0, 1.8.0
>         Environment: All development, build, test, environments.
>            Reporter: Albert Baker
>            Assignee: Pierre Villard
>            Priority: Major
>              Labels: build, easy-fix, security
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
>  Please add OWASP Dependency Check to the build (pom.xml).  OWASP DC makes an 
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to 
> perform a lookup for each dependent .jar to list any/all known 
> vulnerabilities for each jar.  This step is needed because a manual MITRE CVE 
> lookup/check on the main component does not include checking for 
> vulnerabilities that get pulled into the released product via 
> dependent/third-party libraries.
> OWASP Dependency Check: 
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most 
> Java build/make types (ant, maven, ivy, gradle).   
> Also, add the appropriate command to the nightly build to generate a report 
> of all known vulnerabilities in any/all third party libraries/dependencies 
> that get pulled in. Example: mvn -Powasp -Dtest=false -DfailIfNoTests=false 
> clean aggregate
> Generating this report nightly/weekly will help inform the project's 
> development team if any dependent libraries have newly discovered & 
> reported (known) vulnerabilities.  Project teams that keep up with removing 
> known vulnerabilities on a weekly basis will help protect businesses that 
> rely on these open source components.
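The kind of pom.xml change the quoted request asks for, as an added example and not NiFi's own build file: an "owasp" Maven profile (the profile name is taken from the command in the request) that runs the org.owasp dependency-check-maven plugin's aggregate goal over every module. The plugin version is a placeholder, and the suppression file path is an assumption.

```xml
<!-- pom.xml fragment (example, not NiFi's pom.xml): profile "owasp" runs
     dependency-check-maven across the whole multi-module build. -->
<profiles>
  <profile>
    <id>owasp</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- placeholder: pin to a current release of the plugin -->
          <version>X.Y.Z</version>
          <configuration>
            <!-- Fail the build when any dependency carries a CVE scored at or
                 above this CVSS value. Setting it to 11 makes the run
                 report-only, which is useful while the existing backlog of
                 findings is being worked down; lower it as the backlog shrinks. -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- Reviewed false positives go in a version-controlled suppression
                 file so every suppression is auditable (path is an assumption). -->
            <suppressionFiles>
              <suppressionFile>${maven.multiModuleProjectDirectory}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
            <!-- ALL = HTML for people plus machine-readable output for a
                 nightly job to diff against the previous run and alert on. -->
            <format>ALL</format>
          </configuration>
          <executions>
            <execution>
              <!-- aggregate produces one report covering the transitive
                   dependencies of every module; binding it to verify means
                   `mvn -Powasp verify` runs it without naming the goal. -->
              <goals>
                <goal>aggregate</goal>
              </goals>
              <phase>verify</phase>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this profile in place, the nightly job can run `mvn -Powasp -DskipTests verify`; the aggregate report lands under the root module's target directory, and the build fails only when a finding meets the configured CVSS threshold.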



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)