On 1 Oct 2014, at 7:44, David Dillard wrote:
Hi,
I've been working on an internal presentation on how letting Maven's
dependency mediation feature select versions of transitive
dependencies can introduce vulnerabilities into a product and how to
deal with that problem. Unfortunately, it's a very manual process and
I was thinking that perhaps changes could be made to Maven that would
provide better automation. To that end I'm wondering if the team has
ever considered adding a section to the POM that would list
significant changes in that release. This would include a list of
vulnerabilities fixed (e.g. CVE-XXXX-YYYY) or serious bugs fixed.
Each one could include a known set of versions affected (à la how CVEs
work today) thus allowing tooling to say: the version of artifact XYZ
you're using has a known vulnerability, would you like to upgrade to
this new version with that vuln fixed?
There already exists a plugin covering a lot of this, using the CVE
databases:
https://github.com/jeremylong/DependencyCheck
This comes with a CLI, Jenkins, Maven, and Ant tasks for checking your
dependencies/jars against CVE vulnerabilities.
Does this cover all the things you're working on? Maybe join forces?
Mark
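An added example, not code from either poster, showing the two pieces discussed above in one POM: a dependencyManagement entry that overrides the version Maven's "nearest wins" mediation would otherwise select for a transitive dependency, and the DependencyCheck Maven plugin Mark links to, configured to fail the build on a high CVSS score. All artifact coordinates and versions are constructed placeholders; `failBuildOnCVSS` and the `check` goal are the plugin's own.

```xml
<!-- Added example, not part of the thread. All coordinates and versions
     are constructed placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>mediation-demo</artifactId>
  <version>1.0.0</version>

  <!-- framework-a pulls in parser-lib 2.0.0 (constructed: vulnerable) and
       framework-b pulls in parser-lib 2.3.1 (constructed: fixed). Both sit
       at the same depth, so mediation picks the first declared: 2.0.0.
       dependencyManagement overrides that choice for every path in the
       graph, which is the manual fix David describes. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.thirdparty</groupId>
        <artifactId>parser-lib</artifactId>
        <version>2.3.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.example.thirdparty</groupId>
      <artifactId>framework-a</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>com.example.thirdparty</groupId>
      <artifactId>framework-b</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- The plugin Mark links to: checks the resolved dependency set
           against the CVE databases and fails the build when any finding
           scores CVSS 7 or higher. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree` before and after adding the dependencyManagement block to see which parser-lib version mediation actually resolves.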