[wildfly-dev] Implementing enforce-victims-rule in wildfly builds

David Jorm djorm at redhat.com
Thu May 30 04:01:28 EDT 2013


> > Hi All
> >
> > First I should introduce myself for those who don't know me, as I have
> > not participated in wildfly dev discussions before. I am a security
> > response engineer working for Red Hat, handling security patches for the
> > commercial JBoss products. Recently some colleagues and I have been
> > working on a tool called 'victims'. The victims tool aims to provide a
> > canonical database of known-vulnerable JAR files, along with tools that
> > allow developers and system administrators to determine whether their
> > projects and systems contain any known-vulnerable JARs. The project's
> > about page contains a more detailed explanation:
> >
> > http://www.victi.ms/about.html
> >
> > enforce-victims-rule is a maven plugin that walks the dependency tree at
> > build time, and uses the victims database to check whether a project is
> > including any known-vulnerable JARs as dependencies. The plugin is
> > available on maven central:
> >
> > http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
> >
> > Please see the README.md and sample app here for configuration details:
> >
> > https://github.com/victims/victims-enforcer
> >
> > I think there would be great value in incorporating this plugin into the
> > wildfly POM(s). It can catch security flaws at build time, eliminating
> > the need for much more work to ship patches for flaws later down the
> > line. It is also designed such that it should not trigger any false
> > positives. There will be false negatives where there are gaps in the
> > database.
> >
> > What do people think? Is this something you'd consider implementing?
> 
> What is the build time performance impact?  Is there a network lookup,
> i.e. will it cause a problem on non-network-connected systems (like
> laptops for those of us who travel)?
> 
> --
> - DML
> 

Good questions, my apologies for the delayed response.

Performance impact:
I can't give you a good answer yet, we're currently working on some benchmarking and I will respond to the list once I have useful figures to share.

Network lookup:
By default, the plugin synchronizes a local h2 database with the canonical database hosted on victi.ms. The sync is differential. At the moment, the initial sync is > 50MB and could take a minute or two. After the initial sync, subsequent syncs will either contain no new records or very few new records, and will only take a few seconds. Synchronization can be disabled so long as a local h2 database exists. The README.md here:

https://github.com/victims/victims-enforcer/tree/master/sample

explains how to disable sync in an offline environment.

Thanks
David
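For readers who want to see what wiring the rule into a build looks like, the following is an added example of a maven-enforcer-plugin configuration; it is not taken from the thread or from the wildfly POMs. The plugin coordinates (com.redhat.victims, enforce-victims-rule, 1.2) are the ones given in the message above; the rule implementation class name and the `metadata`, `fingerprint` and `updates` parameters (with `offline` as the way to disable the synchronization David describes) are assumed from memory of the victims-enforcer README and should be checked against https://github.com/victims/victims-enforcer before use.

```xml
<!-- Added example: run the victims check on every build via maven-enforcer-plugin.
     Coordinates are from the thread; rule class and parameter names are assumed
     (verify against the project's README). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>1.2</version>
      <dependencies>
        <!-- The rule itself, from Maven Central (see the artifact link above). -->
        <dependency>
          <groupId>com.redhat.victims</groupId>
          <artifactId>enforce-victims-rule</artifactId>
          <version>1.2</version>
          <type>jar</type>
        </dependency>
      </dependencies>
      <executions>
        <execution>
          <id>enforce-victims-rule</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <!-- Assumed rule class name. -->
              <rule implementation="com.redhat.victims.VictimsRule">
                <!-- A match on groupId/artifactId/version only warns:
                     coordinate matches can be less reliable than hashes. -->
                <metadata>warning</metadata>
                <!-- A hash match against a known-vulnerable JAR fails the build. -->
                <fingerprint>fatal</fingerprint>
                <!-- 'auto' syncs the local h2 database with victi.ms on each run;
                     'offline' skips the sync and relies on the existing local copy,
                     which is what a disconnected laptop build would use (assumed values). -->
                <updates>auto</updates>
              </rule>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the enforcer goal and the rule walks the resolved dependency tree; a fatal fingerprint match stops the build, which is the "catch it at build time" property argued for above. For offline builds, do one connected run first so the local database exists, then switch `updates` to the offline setting.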

