[wildfly-dev] Implementing enforce-victims-rule in wildfly builds

Vaclav Tunka vtunka at redhat.com
Mon May 27 10:16:20 EDT 2013


Hi,

I think it is a good idea to implement this upstream in wildfly, as this 
tool requires POM modifications. This tool would help us track 
security vulnerabilities proactively rather than retroactively, both in 
wildfly and Enterprise Platforms.

Are you OK with that?

Cheers,
Vaclav

On 05/27/2013 07:03 AM, David Jorm wrote:
> Hi All
>
> First I should introduce myself for those who don't know me, as I have not participated in wildfly dev discussions before. I am a security response engineer working for Red Hat, handling security patches for the commercial JBoss products. Recently some colleagues and I have been working on a tool called 'victims'. The victims tool aims to provide a canonical database of known-vulnerable JAR files, along with tools that allow developers and system administrators to determine whether their projects and systems contain any known-vulnerable JARs. The project's about page contains a more detailed explanation:
>
> http://www.victi.ms/about.html
>
> enforce-victims-rule is a maven plugin that walks the dependency tree at build time, and uses the victims database to check whether a project is including any known-vulnerable JARs as dependencies. The plugin is available on maven central:
>
> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
>
> Please see the README.md and sample app here for configuration details:
>
> https://github.com/victims/victims-enforcer
>
> I think there would be great value in incorporating this plugin into the wildfly POM(s). It can catch security flaws at build time, eliminating the need for much more work to ship patches for flaws later down the line. It is also designed such that it should not trigger any false positives. There will be false negatives where there are gaps in the database.
>
> What do people think? Is this something you'd consider implementing?
>
> Thanks
>

-- 
Vaclav Tunka
Enterprise Application Platforms
JBoss by Red Hat
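As an added illustration (not part of either mail), this is how such a rule is typically wired into a Maven build through maven-enforcer-plugin, using the artifact coordinates from the Maven Central link quoted above. The enforcer plugin version and the rule's option names and values (metadata, fingerprint, updates) are assumptions recalled from the victims-enforcer README and should be verified against the README linked in the mail.

```xml
<!-- Added example: maven-enforcer-plugin execution carrying the victims rule.
     Coordinates come from the Maven Central link in the mail; the enforcer
     version and the rule option names/values are assumptions and should be
     checked against the victims-enforcer README. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>1.2</version>
  <dependencies>
    <!-- the rule implementation is pulled in as a plugin dependency -->
    <dependency>
      <groupId>com.redhat.victims</groupId>
      <artifactId>enforce-victims-rule</artifactId>
      <version>1.2</version>
    </dependency>
  </dependencies>
  <executions>
    <execution>
      <id>enforce-victims-rule</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <rule implementation="com.redhat.victims.VictimsRule">
            <!-- assumed options: reaction to a match on artifact metadata
                 (group/artifact/version) versus a match on the JAR's
                 fingerprint; "fatal" fails the build, "warning" only logs -->
            <metadata>warning</metadata>
            <fingerprint>fatal</fingerprint>
            <!-- assumed option: refresh the local copy of the victims
                 database automatically before checking -->
            <updates>auto</updates>
          </rule>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
```

With this in place an ordinary `mvn verify` walks the dependency tree and fails the build on a fingerprint match, which is the build-time catch the mail describes; a gap in the database still shows up as a false negative, so the check complements rather than replaces patch tracking.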