I'm familiar with Black Duck and an older version of Palamida.  The problem
with them is that you see the vulnerabilities later in the dev cycle (usually).
If done with Maven it could be a part of the build and thus found earlier.

I like the idea of including the CPE in the POM and that would make finding 
CVEs easy enough.  Only issue there is, as you noted, that projects would have 
to submit to get their CPE before they have any vulnerabilities.  Has anyone 
suggested this before?


-----Original Message-----
From: Jeremy Long [mailto:[email protected]] 
Sent: Tuesday, September 30, 2014 3:53 PM
To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities

There are commercial solutions (sonatype, contrast, blackduck, palamida,
etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to
identify and report on known vulnerabilities. I would recommend looking at
these solutions (note, I am the main contributor to dependency-check).

A better solution for the POM modification would be to add a CPE identifier. 
This would also be a great entry for a jar file's manifest. CPE identifiers can 
be requested even if there are no known CVEs, but the CPE can be used to lookup 
the related CVEs.

-jeremy
@ctxt
On Sep 30, 2014 2:45 PM, "David Dillard" <[email protected]> wrote:

> Hi,
>
> I've been working on an internal presentation on how letting Maven's 
> dependency mediation feature select versions of transitive 
> dependencies can introduce vulnerabilities into a product and how to 
> deal with that problem.  Unfortunately, it's a very manual process and 
> I was thinking that perhaps changes could be made to Maven that would 
> provide better automation.  To that end I'm wondering if the team has 
> ever considered adding a section to the POM that would list 
> significant changes in that release.  This would include a list of
> vulnerabilities fixed (e.g. CVE-XXXX-YYYY) or serious bugs fixed.  Each
> one could include a known set of versions affected (ala how CVEs work
> today), thus allowing tooling to say: the version of artifact XYZ you're
> using has a known vulnerability, would you like to upgrade to this new
> version with that vuln fixed?
>
> On a related note, has a different dependency mediation system ever 
> been considered (as an option), e.g. latest version or latest version 
> on a branch?
>
>
> Thanks,
>
> David
>
>

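As an added example (it is not code from this thread, nor from Maven or the dependency-check project), the following pom.xml shows the two points the thread converges on done with what Maven already offers: a dependencyManagement entry overrides the version that nearest-wins mediation would otherwise pick for a transitive artifact, and the dependency-check-maven plugin runs as part of the build so findings show up at `mvn verify` rather than late in the cycle. The artifacts lib-a, lib-b and parser under com.example are hypothetical, as are their versions and the dependency-check version property; the plugin coordinates org.owasp:dependency-check-maven, its `check` goal and the `failBuildOnCVSS` setting are the real ones.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>mediation-demo</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder (assumption): set this to the current dependency-check release. -->
    <dependency-check.version>1.2.11</dependency-check.version>
  </properties>

  <!-- Hypothetical scenario: lib-a depends on parser 1.0 (has a known CVE),
       lib-b depends on parser 1.2 (fixed). Both sit at the same depth, so
       nearest-wins mediation falls back to declaration order and ships parser 1.0.
       A managed version wins over every transitive path, so parser 1.2 is used
       regardless of which path Maven would otherwise prefer. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.thirdparty</groupId>
        <artifactId>parser</artifactId>
        <version>1.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.example.thirdparty</groupId>
      <artifactId>lib-a</artifactId>
      <version>2.0</version>
    </dependency>
    <dependency>
      <groupId>com.example.thirdparty</groupId>
      <artifactId>lib-b</artifactId>
      <version>3.1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Scan the resolved (post-mediation) dependency set during the build.
           The check goal binds to the verify phase by default, so "mvn verify"
           fails when any dependency has a CVE with CVSS >= 7. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree` before and after adding the managed version to see which parser version mediation selects and which one it drops for conflict; then `mvn verify` runs the scan against what is actually on the classpath. Two caveats a practitioner should expect: dependency-check identifies artifacts by evidence gathered from the jar and pom (names, vendors, versions) and matches that against the NVD, which is exactly the guesswork a CPE in the POM or manifest would remove, and the first run downloads the NVD data set, so allow for that in CI.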