[
https://issues.apache.org/jira/browse/NIFI-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16620101#comment-16620101
]
Albert Baker edited comment on NIFI-5541 at 9/19/18 4:49 AM:
-------------------------------------------------------------
Here is a possible course of action for apache projects to cull out
old-n-busted third party libs.
1. Get OS component project to build
2. Get all tests to run
3. Run OWASP Dependency Check to discover third-party library vulnerabilities
4. [optional] build a displayable dependency tree
   [optional] http://www.summa.com/blog/2011/04/12/a-visual-maven-dependency-tree-view
   [optional] mvn dependency:tree > tree.txt
5. Find upgradeable dependencies & configure the tool to not display
   alpha/beta/snapshots etc.
   https://stackoverflow.com/questions/38146719/how-to-display-dependency-updates-only-for-release-versions
   mvn versions:display-dependency-updates
6. couple the list of most recent versions w/odc to see what v are quickly m
7. Update poms w/best-latest versions
8. re-run tests
9. re-run the OWASP Dependency check
10. If a sub-component or library that this project depends on has a
    vulnerability in its latest version, author a jira ticket on that project to
    fix it.
was (Author: abakeriii):
Here is a possible course of action for apache projects to cull out
old-n-busted third party libs.
# Get OS component project to build
# Get all tests to run
# Run OWASP Dependency Check to discover third-party library vulnerabilities
# [optional] build a displayable dependency tree
# [optional]
http://www.summa.com/blog/2011/04/12/a-visual-maven-dependency-tree-view
[optional] mvn dependency:tree > tree.txt
# Find - upgradeable dependencies & Configure the tool to not display
alpha/beta/snapshots etc
#
https://stackoverflow.com/questions/38146719/how-to-display-dependency-updates-only-for-release-versions
mvn versions:display-dependency-updates
# couple the list of most recent versions w/odc to see what v are quickly m
# Update poms w/best-latest versions
# re-run tests
# re-run the OWASP Dependency check
# If a sub-component or library that this project depends on has a
vulnerability in its latest version, author a jira ticket on that project to
fix it.
> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
> Key: NIFI-5541
> URL: https://issues.apache.org/jira/browse/NIFI-5541
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Tools and Build
> Affects Versions: 2.0.0, 1.8.0
> Environment: All development, build, test, environments.
> Reporter: Albert Baker
> Assignee: Pierre Villard
> Priority: Major
> Labels: build, easy-fix, security
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to
> perform a lookup for each dependent .jar to list any/all known
> vulnerabilities for each jar. This step is needed because a manual MITRE CVE
> lookup/check on the main component does not include checking for
> vulnerabilities that get pulled into the released product via
> dependent/third-party libraries.
> OWASP Dependency Check:
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most
> Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report
> of all known vulnerabilities in any/all third party libraries/dependencies
> that get pulled in. Example: mvn -Powasp -Dtest=false -DfailIfNoTests=false
> clean aggregate
> Generating this report nightly/weekly will help inform the project's
> development team if any dependent libraries have newly discovered &
> reported (known) vulnerabilities. Project teams that keep up with removing
> known vulnerabilities on a weekly basis will help protect businesses that
> rely on these open source components.
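The `owasp` profile the issue asks for, written out as an added example of what the `dependency-check-maven` plugin configuration looks like in a multi-module pom (this is illustrative, not the NiFi project's own pom.xml): it binds the `aggregate` goal to the `verify` phase so a single `mvn -Powasp -DskipTests verify` (or an explicit `mvn -Powasp dependency-check:aggregate`) produces one report for all modules, and fails the build above a CVSS threshold. The plugin version, the CVSS cutoff and the suppression file name are assumptions to adjust for the project.

```xml
<!-- Added example profile (not the NiFi pom): activate with -Powasp -->
<profiles>
  <profile>
    <id>owasp</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- assumed version; pin to the current release when adopting -->
          <version>3.3.2</version>
          <configuration>
            <!-- fail the build if any dependency carries a CVE at or above
                 this CVSS score (assumed threshold; 0 would fail on any CVE) -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- write HTML (human review) plus machine-readable formats
                 so a nightly job can both publish and diff the results -->
            <format>ALL</format>
            <!-- reviewed false positives go here so they do not re-trigger
                 every night; file name is an assumption -->
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
          </configuration>
          <executions>
            <execution>
              <id>aggregate-dependency-check</id>
              <!-- run after packaging so module artifacts are resolvable -->
              <phase>verify</phase>
              <goals>
                <goal>aggregate</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Note that `aggregate` is a plugin goal, not a lifecycle phase, so it must be invoked either through the bound phase or with the `dependency-check:` prefix; the first run downloads the NVD data feed, which is the outbound network call the issue describes.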
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)