Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/01/13 10:36:00 UTC

[jira] [Created] (SLING-11057) Security scanning for the Sling Starter during CI checks

Robert Munteanu created SLING-11057:
---------------------------------------

             Summary: Security scanning for the Sling Starter during CI checks
                 Key: SLING-11057
                 URL: https://issues.apache.org/jira/browse/SLING-11057
             Project: Sling
          Issue Type: Improvement
          Components: Starter
            Reporter: Robert Munteanu
             Fix For: Starter 12


I think we should consider security scanning the Starter, as a packaged application, during CI checks. This will help us not ship with vulnerable dependencies.

I have found two potential candidates:
 - the [OSS index Maven Plugin|https://sonatype.github.io/ossindex-maven/maven-plugin/] which uses the [Sonatype OSS index|https://ossindex.sonatype.org/] and scans the Maven dependencies
 - [Trivy|https://github.com/aquasecurity/trivy] which uses the Snyk Database for Java and various other sources. Trivy scans container images (or local directories).

We should probably do both, once we start producing Docker images in the starter project (SLING-9638).

One thing which I'm not certain about is failing the build on such checks. A working build can be broken because a CVE was published for an existing component. But the alternative is probably not finding out about it. Maybe we can separate these checks into a separate Jenkins step that comes at the end, so it's clear that the main build passes but the Starter can't be shipped with vulnerable dependencies.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
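One way to lay out the "separate step at the end" idea from the issue above, as an added illustration and not anything from the Sling project or the reporter: a declarative Jenkinsfile in which the main Maven build runs first, and the two scans run afterwards in their own stages. `catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE')` marks the scan stage red and the overall build UNSTABLE rather than FAILURE, so a newly published CVE is visible without masking a green compile/test result. The `ossindex.fail` property, the Trivy flags, and the `apache/sling:starter` image name are assumptions chosen for the example; check them against the plugin and Trivy documentation before using them.

```groovy
// Added example Jenkinsfile; not part of the Sling Starter build.
// Assumes: Maven and Trivy are on the agent's PATH, and a Starter image
// tagged apache/sling:starter (hypothetical name) has been built earlier.
pipeline {
    agent any

    stages {
        // The normal build: compile, test, package the Starter.
        stage('Build') {
            steps {
                sh 'mvn -B clean verify'
            }
        }

        // Scan the resolved Maven dependency tree against Sonatype OSS Index.
        // -Dossindex.fail=true (assumed property name) makes the goal exit
        // non-zero when a vulnerable coordinate is found.
        stage('Dependency audit (OSS Index)') {
            steps {
                catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
                    sh 'mvn -B org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -Dossindex.fail=true'
                }
            }
        }

        // Scan the packaged container image with Trivy; --exit-code 1 turns
        // HIGH/CRITICAL findings into a non-zero exit, --no-progress keeps the log readable.
        stage('Image scan (Trivy)') {
            steps {
                catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
                    sh 'trivy image --no-progress --exit-code 1 --severity HIGH,CRITICAL apache/sling:starter'
                }
            }
        }
    }

    post {
        unstable {
            // Build artifacts are fine, but the Starter must not be released
            // until the findings are triaged (fixed, excluded, or accepted).
            echo 'Security scan reported findings; do not ship this Starter build.'
        }
    }
}
```

If the project later decides that findings should hard-fail the build instead, the `catchError` wrappers can simply be dropped; the scan stages then fail the pipeline on their own non-zero exit codes.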