First I should introduce myself for those who don't know me, as I have not
participated in wildfly dev discussions before. I am a security response engineer working
for Red Hat, handling security patches for the commercial JBoss products. Recently some
colleagues and I have been working on a tool called 'victims'. The victims tool
aims to provide a canonical database of known-vulnerable JAR files, along with tools that
allow developers and system administrators to determine whether their projects and systems
contain any known-vulnerable JARs. The project's about page contains a more detailed

enforce-victims-rule is a Maven plugin that walks the dependency tree at build time, and
uses the victims database to check whether a project is including any known-vulnerable
JARs as dependencies. The plugin is available on Maven Central:
Please see the README.md and sample app here for configuration details:
I think there would be great value in incorporating this plugin into the WildFly POM(s).
It can catch security flaws at build time, eliminating the need for much more work to ship
patches for flaws later down the line. It is also designed such that it should not trigger
any false positives. There will be false negatives where there are gaps in the database.
What do people think? Is this something you'd consider implementing?
David Jorm / Red Hat Security Response Team