Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2018/08/06 09:55:00 UTC
[jira] [Commented] (SYNCOPE-1349) Please add OWASP Dependency Check to the build (pom.xml)
[ https://issues.apache.org/jira/browse/SYNCOPE-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16569968#comment-16569968 ]
Francesco Chicchiriccò commented on SYNCOPE-1349:
-------------------------------------------------
I have added a profile as follows to the root pom.xml:
{code}
<profile>
  <id>owasp</id>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.3.0</version>
        <executions>
          <execution>
            <goals>
              <goal>aggregate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <modules>
    <module>docker</module>
  </modules>
</profile>
{code}
and obtained the attached report, which is mostly pointless: for example, it identifies {{cpe:/a:apache:cxf:2.0.10}} for {{syncope-core-rest-cxf-2.0.10-SNAPSHOT.jar}}, or {{cpe:/a:apache:geronimo:4.8}} for {{xbean-asm6-shaded-4.8.jar}} - and many others like these.
> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
> Key: SYNCOPE-1349
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1349
> Project: Syncope
> Issue Type: New Feature
> Affects Versions: 2.0.10, 2.1.1, 3.0.0
> Environment: All development, build, test, environments.
> Reporter: Albert Baker
> Priority: Major
> Labels: build, easy-fix, security
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to perform a lookup for each dependent .jar to list any/all known vulnerabilities for each jar. This step is needed because a manual MITRE CVE lookup/check on the main component does not include checking for vulnerabilities in components or in dependent libraries.
> OWASP Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report of all known vulnerabilities in any/all third party libraries/dependencies that get pulled in. Example: mvn -Powasp -Dtest=false -DfailIfNoTests=false clean aggregate
> Generating this report nightly/weekly will help inform the project's development team if any dependent libraries have reported known vulnerabilities. Project teams that keep up with removing vulnerabilities on a weekly basis will help protect businesses that rely on these open source components.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
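The two misidentifications Francesco names (Syncope's own {{syncope-core-rest-cxf}} jar tagged as Apache CXF, and {{xbean-asm6-shaded}} tagged as Apache Geronimo) are the kind of false positive dependency-check is designed to be told about through a suppression file, so the report keeps only findings worth a developer's time. The file below is an added example, not something from the Syncope project or from the JIRA thread; the path {{src/main/owasp/suppressions.xml}} is a hypothetical location, and the {{gav}} patterns assume the Maven coordinates implied by the jar names in the comment. Each rule hides one wrong CPE match on one artifact pattern only: CVEs reported against a real Apache CXF or Geronimo jar are unaffected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example: OWASP dependency-check suppression file (hypothetical path
  src/main/owasp/suppressions.xml). Not part of the Syncope build.
  Schema 1.1 is the suppression format understood by dependency-check 3.x;
  <gav> is groupId:artifactId:version and regex="true" lets it match a pattern.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!--
    syncope-core-rest-cxf is Syncope's own REST module built on CXF; the CPE
    cpe:/a:apache:cxf was presumably assigned from the "cxf" token in its name.
    Match any groupId, this artifactId, any version (SNAPSHOT or release).
  -->
  <suppress>
    <notes><![CDATA[
      False positive: Syncope's CXF-based REST module is not Apache CXF itself.
      Tracked in SYNCOPE-1349.
    ]]></notes>
    <gav regex="true">^[^:]+:syncope-core-rest-cxf:.*$</gav>
    <cpe>cpe:/a:apache:cxf</cpe>
  </suppress>

  <!--
    xbean-asm6-shaded is XBean's relocated copy of ASM (assumed coordinates
    org.apache.xbean:xbean-asm6-shaded); it was reported as Apache Geronimo.
    Only the Geronimo CPE is suppressed for this artifact; any other
    identification of the same jar still appears in the report.
  -->
  <suppress>
    <notes><![CDATA[
      False positive: org.apache.xbean:xbean-asm6-shaded is not Apache Geronimo.
      Tracked in SYNCOPE-1349.
    ]]></notes>
    <gav regex="true">^org\.apache\.xbean:xbean-asm6-shaded:.*$</gav>
    <cpe>cpe:/a:apache:geronimo</cpe>
  </suppress>

</suppressions>
```

To use it, the plugin in the {{owasp}} profile above would get a {{<configuration>}} block pointing {{<suppressionFile>}} at this file (for example {{${project.basedir}/src/main/owasp/suppressions.xml}}); setting {{<failBuildOnCVSS>}} there as well turns the nightly run into a gate rather than a report. Both parameter names are what I know the 3.x {{dependency-check-maven}} plugin accepts, not something taken from this thread. Suppressing by CPE rather than by individual CVE is deliberate: a CVE-level rule silently expires when the next CVE for the same wrong product appears, whereas the CPE rule documents the actual mistake (wrong product) once. Each entry carries a note naming the issue so a reviewer can later tell a documented false positive from a finding somebody simply muted.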
Re: [jira] [Commented] (SYNCOPE-1349) Please add OWASP Dependency Check to the build (pom.xml)
Posted by Massimiliano Perrone <ma...@tirasa.net>.
Ciao Francesco,
I don't know if OWASP is pointless or not because I don't see the report.
But looking for his username and "owasp" on Google, I saw that he had
opened the same issue on several Apache projects [1], [2] and [3].
I think (and hope) he is "only" a spammer...
BR,
Massi
[1] http://mail-archives.apache.org/mod_mbox/mahout-dev/201807.mbox/%3CJIRA.13175453.1532912821000.114447.1532912880080@Atlassian.JIRA%3E
[2] https://www.mail-archive.com/issues@spark.apache.org/msg197234.html
[3] https://jira.apache.org/jira/browse/CXF-7809
On 06/08/2018 11:55, Francesco Chicchiriccò (JIRA) wrote:
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
http://www.tirasa.net
"Learning many things does not teach understanding"
(Heraclitus)