Posted to dev@directory.apache.org by "Shawn McKinney (JIRA)" <ji...@apache.org> on 2018/09/07 14:16:00 UTC
[jira] [Commented] (FC-240) Please add OWASP Dependency Check to the build (pom.xml)
[ https://issues.apache.org/jira/browse/FC-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607159#comment-16607159 ]
Shawn McKinney commented on FC-240:
-----------------------------------
Howto:
1. Add new plugin to fortress-core pom.xml:
<!-- pinned version and shared configuration; the profile in step 2 reuses them -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.3.1</version>
  <configuration>
    <!-- any finding, whatever its CVSS score, fails the build -->
    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
  </configuration>
</plugin>
2. Add new profile to fortress-core pom.xml:
<!-- opt-in profile: the check goal runs only when -Powasp is given -->
<profile>
  <id>owasp</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <executions>
          <execution>
            <goals>
              <!-- no <phase> given: check binds to its default phase, verify -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
3. Test it:
mvn install -Powasp
4. Result:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:24 min
[INFO] Finished at: 2018-09-07T09:12:35-05:00
[INFO] Final Memory: 39M/880M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.3.1:check (default) on project fortress-core:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] accelerator-api-1.0-RC41.jar: CVE-2006-5779, CVE-2002-1508, CVE-2009-3767, CVE-2013-4449, CVE-2011-4079, CVE-2017-14159, CVE-2002-1378, CVE-2002-0045, CVE-2002-1379, CVE-2006-6493, CVE-2007-6698, CVE-2012-1164, CVE-2017-9287, CVE-2005-4442, CVE-2015-3276, CVE-2017-17740, CVE-2005-2069, CVE-2012-2668, CVE-2015-6908
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
smckinn@ubuntu:~/GIT/fortressDev/directory-fortress-core$ mvn install -Powasp
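The two fragments from the comment above merged into one pom layout, as an added example; it is not the project's pom.xml and not part of the comment. It puts the step 1 declaration under pluginManagement, where a version-and-configuration-only entry belongs (a plugin listed there contributes nothing to the build until a plugins entry references it), and keeps step 2 as the opt-in profile. The suppression file path (owasp-suppressions.xml), the format setting and the commented-out failBuildOnCVSS line are additions of this example, not settings the comment uses; the project coordinates are left out.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <!-- modelVersion, groupId, artifactId, version: as in the project's own pom -->

  <build>
    <pluginManagement>
      <plugins>
        <!-- Step 1: pin the version and configuration once. Nothing here runs
             on its own; the profile below references the plugin and adds the
             execution that actually binds the check goal. -->
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>3.3.1</version>
          <configuration>
            <!-- Fail on any finding, as in the comment. The commented-out
                 alternative fails only at or above a CVSS score, so
                 low-severity findings can be triaged without blocking the
                 build. Use one or the other, not both. -->
            <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
            <!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
            <!-- Assumed path (example only): findings reviewed and judged
                 not applicable are recorded here so the next run does not
                 fail on them again. -->
            <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            <!-- HTML for people, plus XML/JSON/CSV for a nightly job to parse -->
            <format>ALL</format>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <profiles>
    <!-- Step 2: opt-in profile. "mvn install -Powasp" binds check to its
         default phase, verify, so the scan runs before install and a
         finding stops the artifact from being installed. -->
    <profile>
      <id>owasp</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <executions>
              <execution>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

Two things a practitioner should expect from this setup. The first run downloads the NVD data set into the plugin's data directory, which accounts for most of the 02:24 in the output above; a build server without outbound access needs that directory populated elsewhere and the plugin's dataDirectory setting pointed at it. And because the check goal runs in verify, the build failure shown above happens before install, so a flagged jar never reaches the local repository.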
> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
> Key: FC-240
> URL: https://issues.apache.org/jira/browse/FC-240
> Project: FORTRESS
> Issue Type: New Feature
> Affects Versions: 2.0.2, 3.0.1-RC1
> Environment: All development, build, test, environments.
> Reporter: Albert Baker
> Assignee: Shawn McKinney
> Priority: Major
> Labels: build, easy-fix, security
> Fix For: 2.0.2
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to perform a lookup for each dependent .jar to list any/all known vulnerabilities for each jar. This step is needed because a manual MITRE CVE lookup/check on the main component does not include checking for vulnerabilities in components or in dependent libraries.
> OWASP Dependency check : https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report of all known vulnerabilities in any/all third party libraries/dependencies that get pulled in. example : mvn -Powasp -Dtest=false -DfailIfNoTests=false clean aggregate
> Generating this report nightly/weekly will help inform the project's development team if any dependent libraries have reported known vulnerabilities. Project teams that keep up with removing vulnerabilities on a weekly basis will help protect businesses that rely on these open source components.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
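The CVE list reported for accelerator-api-1.0-RC41.jar in the build output above (CVE-2006-5779, CVE-2017-14159, CVE-2015-6908 and the rest) is made up of OpenLDAP slapd CVEs, which is the pattern of a jar matched by name to the cpe:/a:openldap:openldap identifier rather than of a vulnerable Java library. Whether that match is wrong is for the project to decide; if it is, the way to keep a failBuildOnAnyVulnerability build green without switching the check off, and to keep a nightly report focused on real findings, is a suppression file. The file below is an added example, not the project's: the jar name it matches is the one in the output, the CPE is assumed from the CVE list, and the notes text is a placeholder for the reviewer's own record.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (not the project's). Referenced from the pom via
     <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
     (assumed name). Each <suppress> names what is silenced and why, so the
     decision is reviewable in version control like any other code change. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2006-5779, CVE-2017-14159, CVE-2015-6908 and the other CVEs reported
      for accelerator-api-1.0-RC41.jar are OpenLDAP slapd CVEs.
      Assumption for this example: the jar was matched to the openldap CPE by
      name, and the project has confirmed the jar does not embed slapd code.
      Reviewed by: <name>, on: <date>. Re-review when the jar is upgraded.
    ]]></notes>
    <!-- Match the exact jar file name. Pinning the version (rather than
         accelerator-api-.*) makes the suppression lapse on the next upgrade,
         so the new version is scanned afresh instead of inheriting the waiver. -->
    <filePath regex="true">.*[/\\]accelerator-api-1\.0-RC41\.jar$</filePath>
    <!-- Suppress the whole CPE match. If only one CVE were judged not
         applicable, a <cve>CVE-2006-5779</cve> element here instead of <cpe>
         would suppress just that finding and leave the rest reported. -->
    <cpe>cpe:/a:openldap:openldap</cpe>
  </suppress>
</suppressions>
```

The scope of a suppression should be as narrow as the evidence: a CPE-level suppression is right when the identifier itself is a misidentification, a single cve element when the library really is the matched product but the one finding does not apply to how it is used. Either way the notes are the audit trail, and the nightly report still lists the dependency; it just no longer fails the build for it.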