Posted to dev@netbeans.apache.org by Eric Bresie <eb...@gmail.com> on 2021/05/15 21:55:49 UTC

Dependency Verification in Netbeans

While reading an article (1) (2) on the openjfx mailing list, I noticed they are
starting to implement dependency verification at build time.  They also
provide a few additional links (3) and I found another on the value of it
(4).


Does Netbeans plan to do something like this?


(1) https://mail.openjdk.java.net/pipermail/openjfx-dev/2021-May/030138.html

(2) https://mail.openjdk.java.net/pipermail/openjfx-dev/2021-May/030142.html

(3)
https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/

(4) “Dependency verification: checksum vs PGP” by Vladimir Sitnikov
https://link.medium.com/sor9gXcZhgb


Eric
-- 
Eric Bresie
ebresie@gmail.com

Re: Dependency Verification in Netbeans

Posted by Matthias Bläsing <mb...@doppel-helix.eu>.
Hi,

On Saturday, 15.05.2021 at 16:55 -0500, Eric Bresie wrote:
> [Dependency verification]
> 
> Does Netbeans plan to do something like this?
> 

NetBeans already does something like this:

Download is executed:

https://github.com/apache/netbeans/blob/1dc4113f2a46656dd852cfedcafd12d52d7e73fa/nbbuild/antsrc/org/netbeans/nbbuild/extlibs/DownloadBinaries.java#L220-L240

The downloaded file is then verified against the provided hash:

https://github.com/apache/netbeans/blob/1dc4113f2a46656dd852cfedcafd12d52d7e73fa/nbbuild/antsrc/org/netbeans/nbbuild/extlibs/DownloadBinaries.java#L244-L250

One can argue that SHA-1 is not a good hash to use anymore, but the
machinery is there and there was at least one attempt to add higher
algorithms.

Greetings

Matthias
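The download-then-verify step Matthias describes, as an added example that is not NetBeans' own DownloadBinaries code: a downloaded artifact is hashed and compared against a pinned digest before the build may use it. To illustrate the "higher algorithms" point, a pin may carry an explicit `sha256:`/`sha512:` prefix while a bare hex string is still accepted as legacy SHA-1, so both kinds of pin can coexist in one dependency list. The artifact bytes and the "tampered" variant are constructed here so the script runs offline; the pin format and function names are assumptions of this example, not the project's.

```python
"""Added example (not NetBeans' code): verify a downloaded build dependency
against a pinned hash before it is used.  Sample artifact and pins are
constructed inline so the script runs offline."""
import hashlib
import hmac

# Hash algorithms a pin may name.  A bare hex string with no prefix is
# treated as legacy SHA-1 so existing pins keep working while stronger
# "sha256:<hex>" / "sha512:<hex>" pins can be introduced alongside them.
_ALGORITHMS = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def parse_pin(pin):
    """Split 'sha256:abcd...' into ('sha256', 'abcd...'); bare hex means SHA-1.

    Rejects unknown algorithms and digests of the wrong length or with
    non-hex characters, so a truncated or mistyped pin fails loudly instead
    of silently never matching (or, worse, matching a prefix)."""
    algo, sep, digest = pin.strip().partition(":")
    if not sep:                      # no prefix: legacy SHA-1 pin
        algo, digest = "sha1", algo
    algo = algo.lower()
    if algo not in _ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm in pin: {algo}")
    digest = digest.lower()
    expected_len = _ALGORITHMS[algo]().digest_size * 2   # hex chars
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} digest in pin")
    return algo, digest


def hash_file(path, algo, chunk_size=1 << 16):
    """Stream a file through the named hash; avoids loading large jars into memory."""
    h = _ALGORITHMS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, pin):
    """True if the in-memory artifact matches the pin."""
    algo, expected = parse_pin(pin)
    actual = _ALGORITHMS[algo](data).hexdigest()
    # compare_digest: constant-time comparison, no early exit on first mismatch
    return hmac.compare_digest(actual, expected)


def verify_file(path, pin):
    """True if the file on disk matches the pin (same logic, streamed)."""
    algo, expected = parse_pin(pin)
    return hmac.compare_digest(hash_file(path, algo), expected)


def check_artifact(data, pins):
    """Require every listed pin to match.  An empty pin list is a failure:
    an artifact with no recorded digest must not be accepted by default."""
    results = {pin: verify_bytes(data, pin) for pin in pins}
    return {"ok": bool(results) and all(results.values()), "per_pin": results}


# Constructed sample "artifact" standing in for a downloaded jar, plus a
# variant with a single byte appended to simulate a tampered download.
GOOD_ARTIFACT = b"PK\x03\x04 constructed sample jar payload v1.0\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00"

# Pins as they would be committed next to the dependency list.  They are
# computed here only so the example is self-contained.
GOOD_SHA1_PIN = hashlib.sha1(GOOD_ARTIFACT).hexdigest()
GOOD_SHA256_PIN = "sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest()

if __name__ == "__main__":
    print("good    :", check_artifact(GOOD_ARTIFACT, [GOOD_SHA1_PIN, GOOD_SHA256_PIN]))
    print("tampered:", check_artifact(TAMPERED_ARTIFACT, [GOOD_SHA1_PIN, GOOD_SHA256_PIN]))
```

Requiring every pin to match (rather than any) means a list can carry a SHA-1 pin for compatibility and a SHA-256 pin for strength without the weaker one becoming the effective check.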




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
For additional commands, e-mail: dev-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists




Re: Dependency Verification in Netbeans

Posted by Davide Grandi <da...@email.it>.
On the owasp (Open Web Application Security Project) site there's a

-> Maven plugin <-
    https://owasp.org/www-project-dependency-check/
    https://github.com/jeremylong/DependencyCheck
    https://jeremylong.github.io/DependencyCheck/dependency-check-maven/

that performs checks at build time against a CVE db.

And, in fact, some dependency could go directly from
some hacked repository to the heart of some "big customer"
IT structure.
And the phone calls of security managers must be handled ...
... BEFORE they call.

It happens also for costly and branded products: I've
seen key components built with "beta" releases not available
anymore in any repository in the world ...

happy digging, thank you for the references, and share the results

     Davide Grandi

On 15/05/2021 23:55, Eric Bresie wrote:
> While reading an article (1) (2) on the openjfx mailing list, I noticed they are
> starting to implement dependency verification at build time.  They also
> provide a few additional links (3) and I found another on the value of it
> (4).
>
>
> Does Netbeans plan to do something like this?
>
>
> (1) https://mail.openjdk.java.net/pipermail/openjfx-dev/2021-May/030138.html
>
> (2) https://mail.openjdk.java.net/pipermail/openjfx-dev/2021-May/030142.html
>
> (3)
> https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/
>
> (4) “Dependency verification: checksum vs PGP” by Vladimir Sitnikov
> https://link.medium.com/sor9gXcZhgb
>
>
> Eric

-- 
ing. Davide Grandi
email    : davide.grandi@email.it
linkedin : http://linkedin.com/in/davidegrandi

