[wildfly-dev] Implementing enforce-victims-rule in wildfly builds

David M. Lloyd david.lloyd at redhat.com
Thu May 30 12:42:44 EDT 2013


On Thu, 30 May 2013, David Jorm wrote:

>>> Hi All
>>>
>>> First I should introduce myself for those who don't know me, as I have
>>> not participated in wildfly dev discussions before. I am a security
>>> response engineer working for Red Hat, handling security patches for the
>>> commercial JBoss products. Recently some colleagues and I have been
>>> working on a tool called 'victims'. The victims tool aims to provide a
>>> canonical database of known-vulnerable JAR files, along with tools that
>>> allow developers and system administrators to determine whether their
>>> projects and systems contain any known-vulnerable JARs. The project's
>>> about page contains a more detailed explanation:
>>>
>>> http://www.victi.ms/about.html
>>>
>>> enforce-victims-rule is a Maven plugin that walks the dependency tree at
>>> build time, and uses the victims database to check whether a project is
>>> including any known-vulnerable JARs as dependencies. The plugin is
>>> available on Maven Central:
>>>
>>> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
>>>
>>> Please see the README.md and sample app here for configuration details:
>>>
>>> https://github.com/victims/victims-enforcer
>>>
>>> I think there would be great value in incorporating this plugin into the
>>> wildfly POM(s). It can catch security flaws at build time, eliminating
>>> the need for much more work to ship patches for flaws later down the
>>> line. It is also designed such that it should not trigger any false
>>> positives. There will be false negatives where there are gaps in the
>>> database.
>>>
>>> What do people think? Is this something you'd consider implementing?
>>
>> What is the build time performance impact?  Is there a network lookup,
>> i.e. will it cause a problem on non-network-connected systems (like
>> laptops for those of us who travel)?
>>
>> --
>> - DML
>>
>
> Good questions, my apologies for the delayed response.
>
> Performance impact: I can't give you a good answer yet, we're currently 
> working on some benchmarking and I will respond to the list once I have 
> useful figures to share.
>
> Network lookup: By default, the plugin synchronizes a local h2 database 
> with the canonical database hosted on victi.ms. The sync is 
> differential. At the moment, the initial sync is > 50MB and could take a 
> minute or two.

50MB?  Holy meatballs... is that a simple text listing of compromised 
GAVs?  If so, that is truly terrifying.

> After the initial sync, subsequent syncs will either 
> contain no new records or very few new records, and will only take a few 
> seconds. Synchronization can be disabled so long as a local h2 database 
> exists. The README.md here:
>
> https://github.com/victims/victims-enforcer/tree/master/sample
>
> Explains how to disable sync in an offline environment.
>
> Thanks
> David
>

-- 
- DML
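The build-time check discussed in this thread, as an added example that is not part of the original messages or the victims project's own code: a small Python model of what enforce-victims-rule is described as doing, namely fingerprinting each resolved dependency, looking the fingerprints up in a local copy of the vulnerability database, and refreshing that local copy differentially unless sync is disabled for offline builds. The `Dependency` and `LocalDatabase` types, the record layout, the advisory id `EXAMPLE-0001`, the sample JARs and the two-fingerprint scheme (whole archive plus hash over the `.class` contents, so a rebuilt copy of the same classes still matches) are assumptions made for illustration, not the plugin's actual database format or API.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One resolved entry of the dependency tree (constructed input)."""
    group: str
    artifact: str
    version: str
    jar: bytes

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def make_jar(entries: dict, date_time=(1980, 1, 1, 0, 0, 0)) -> bytes:
    """Build an in-memory JAR from {entry name: bytes}. Fixed timestamps keep
    the archive bytes reproducible between runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in sorted(entries.items()):
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), content,
                        compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def fingerprints(jar: bytes) -> dict:
    """Two fingerprints (assumed scheme): SHA-512 of the archive as shipped, and
    SHA-512 over the sorted hashes of its .class entries, which ignores zip
    metadata so a rebuilt or repackaged copy of the same classes still matches."""
    class_hashes = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                class_hashes.append(hashlib.sha512(zf.read(info)).hexdigest())
    combined = "\n".join(sorted(class_hashes)).encode()
    return {
        "file": hashlib.sha512(jar).hexdigest(),
        "classes": hashlib.sha512(combined).hexdigest(),
    }


class LocalDatabase:
    """Local copy of the vulnerability records, refreshed differentially: only
    records newer than the last sync are fetched and merged."""

    def __init__(self):
        self.records = {}      # record id -> record
        self.last_synced = 0   # highest record id merged so far

    def sync(self, remote: list, offline: bool = False) -> int:
        """Merge records newer than the last sync; returns how many were added.
        With sync disabled the existing local copy is used as-is, and having
        no local copy at all is an error rather than a silent pass."""
        if offline:
            if not self.records:
                raise RuntimeError("sync disabled but no local database exists")
            return 0
        new = [r for r in remote if r["id"] > self.last_synced]
        for r in new:
            self.records[r["id"]] = r
            self.last_synced = max(self.last_synced, r["id"])
        return len(new)

    def matches(self, fps: dict) -> list:
        """Records whose fingerprint equals either fingerprint of the JAR.
        Exact hash equality is what keeps false positives out; a JAR absent
        from the records is simply not reported (a false negative)."""
        return [r for r in self.records.values()
                if r["fingerprint"] in (fps["file"], fps["classes"])]


def enforce(deps: list, db: LocalDatabase) -> list:
    """Walk the resolved dependencies and report known-vulnerable ones as
    '<gav>: <advisory>'. An empty list means the build may proceed."""
    findings = []
    for dep in deps:
        for rec in db.matches(fingerprints(dep.jar)):
            findings.append(f"{dep.gav}: {rec['advisory']}")
    return findings


def demo() -> list:
    """Constructed scenario: a vulnerable JAR, a rebuilt copy of it, a fixed one."""
    vuln_classes = {"org/example/Parser.class": b"\xca\xfe\xba\xbe vulnerable parser"}
    fixed_classes = {"org/example/Parser.class": b"\xca\xfe\xba\xbe fixed parser"}
    vuln_jar = make_jar(vuln_classes)
    # Same classes, new timestamps and an added manifest: file hash changes,
    # class-content hash does not, so the rebuilt copy is still caught.
    rebuilt_jar = make_jar({**vuln_classes, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"},
                           date_time=(2013, 5, 30, 12, 42, 44))
    fixed_jar = make_jar(fixed_classes)

    # Constructed remote database with a single record keyed on the vulnerable classes.
    remote = [{"id": 1, "advisory": "EXAMPLE-0001",
               "fingerprint": fingerprints(vuln_jar)["classes"]}]
    db = LocalDatabase()
    db.sync(remote)                 # initial sync pulls every record
    db.sync(remote, offline=True)   # later builds may run with sync disabled

    deps = [
        Dependency("org.example", "parser", "1.0", vuln_jar),
        Dependency("org.example", "parser-rebuilt", "1.0", rebuilt_jar),
        Dependency("org.example", "parser", "1.1", fixed_jar),
    ]
    return enforce(deps, db)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two properties of the model are worth noting against the thread's questions: the lookup is a hash comparison against local records, so no network access is needed at check time once a local copy exists, and `sync` only transfers records with an id above the last one seen, which is the differential behaviour described above (the large initial transfer, then a few records at most per build).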

