Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/01/13 10:36:00 UTC
[jira] [Created] (SLING-11057) Security scanning for the Sling Starter during CI checks
Robert Munteanu created SLING-11057:
---------------------------------------
Summary: Security scanning for the Sling Starter during CI checks
Key: SLING-11057
URL: https://issues.apache.org/jira/browse/SLING-11057
Project: Sling
Issue Type: Improvement
Components: Starter
Reporter: Robert Munteanu
Fix For: Starter 12
I think we should consider security scanning the Starter, as a packaged application, during CI checks. This will help us not ship with vulnerable dependencies.
I have found two potential candidates:
- the [OSS index Maven Plugin|https://sonatype.github.io/ossindex-maven/maven-plugin/] which uses the [Sonatype OSS index|https://ossindex.sonatype.org/] and scans the Maven dependencies
- [Trivy|https://github.com/aquasecurity/trivy] which uses the Snyk Database for Java and various other sources. Trivy scans container images (or local directories).
We should probably do both, once we start producing Docker images in the starter project (SLING-9638).
One thing which I'm not certain about is failing the build on such checks. A working build can be broken because a CVE was published for an existing component. But the alternative is probably not finding out about it. Maybe we can separate these checks in a separate Jenkins step that comes at the end, so it's clear that the main build passes but the Starter can't be shipped with vulnerable dependencies.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
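Added example (not part of the Jira issue or of the Sling project's build): a POSIX shell script sketching the "separate Jenkins step at the end" the issue proposes. It runs the OSS Index Maven plugin audit and a Trivy scan, then decides separately whether the step should fail, so a newly published CVE can be surfaced without necessarily breaking the main build. The plugin coordinates and `ossindex.*` properties, the Trivy flags, the severity thresholds and the script name `security-scan.sh` are assumptions taken from the two tools' public documentation, not values from the issue.

```sh
#!/bin/sh
# Added example, not Sling project code. Runs the two scanners the issue
# mentions as a final CI stage and keeps the "fail or just report" decision
# in one small function. Property names, flags and thresholds are assumed.
set -u

# Policy knobs (assumed defaults, overridable from the Jenkins environment).
CVSS_THRESHOLD="${CVSS_THRESHOLD:-7.0}"
TRIVY_SEVERITY="${TRIVY_SEVERITY:-HIGH,CRITICAL}"

# Audit the Maven dependency tree against Sonatype OSS Index.
# With ossindex.fail=true the plugin exits non-zero when a finding at or
# above the CVSS threshold exists (assumed property names).
ossindex_audit() {
  mvn -B org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \
    -Dossindex.fail=true \
    -Dossindex.cvssScoreThreshold="$CVSS_THRESHOLD"
}

# Scan either a packaged application directory or a built container image.
# --exit-code 1 makes Trivy itself signal findings at the chosen severities;
# --ignore-unfixed skips findings with no fixed version yet.
trivy_scan() {
  target="$1"
  if [ -d "$target" ]; then
    trivy fs --exit-code 1 --severity "$TRIVY_SEVERITY" --ignore-unfixed "$target"
  else
    trivy image --exit-code 1 --severity "$TRIVY_SEVERITY" --ignore-unfixed "$target"
  fi
}

# Turn the two scanner exit codes into a verdict for the stage.
# Prints one line; returns 0 when shippable, 1 otherwise.
# gate="report" prints the verdict but never fails the step, which is the
# "main build passes, but not shippable" split the issue asks about.
scan_verdict() {
  ossindex_rc="$1"; trivy_rc="$2"; gate="${3:-fail}"
  if [ "$ossindex_rc" -eq 0 ] && [ "$trivy_rc" -eq 0 ]; then
    echo "security-scan: no findings at or above threshold; shippable"
    return 0
  fi
  echo "security-scan: NOT shippable (ossindex rc=$ossindex_rc, trivy rc=$trivy_rc)"
  [ "$gate" = "report" ] && return 0
  return 1
}

# Entry point for the Jenkins stage (hypothetical script name), e.g.:
#   sh security-scan.sh target/ fail           # block shipping on findings
#   sh security-scan.sh myimage:tag report     # informational only
run_security_stage() {
  target="$1"; gate="${2:-fail}"
  o_rc=0; ossindex_audit || o_rc=$?
  t_rc=0; trivy_scan "$target" || t_rc=$?
  scan_verdict "$o_rc" "$t_rc" "$gate"
}
```

Only `scan_verdict` is pure; the other functions need `mvn` and `trivy` on the agent. Running the stage with `report` first, and switching to `fail` once the dependency set is clean, is one way to avoid the sudden red build the issue worries about while still making findings visible.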