Security vulnerability is a specialized area, and I would avoid
incurring this overhead on every build run by every developer. To
incorporate the victims scanning into the upstream project, I would suggest
having a dedicated Jenkins job, or adding this capability to an existing
Jenkins job.
I tried it on the jberet project by adding the plugin to the top-level pom.
For every sub-module, it tries to get the updates from the central
server, which lasts a couple of seconds each time, and this can add up to a
significant delay:
[INFO] Retrieving updates from
http://www.victi.ms/service/...
The possible false negatives (as David mentioned in his original email)
can also complicate otherwise successful builds. The following error
message might have been caused by gaps in the database, though it's not
clear which dependency it is complaining about.
[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Could not determine vulnerabilities for hash:
8edd1a0bf70467791ec883b7452c21333e829ab714c83090f8328d8205f159f2669772dd66db01af60debd40402e994be7b08527e8f90211425567b52e6b9472
Cheng
On 5/27/13 10:16 AM, Vaclav Tunka wrote:
Hi,
I think it is a good idea to implement this upstream in wildfly, as this
tool requires POM modifications. This tool would help us track
security vulnerabilities proactively rather than retroactively, both in
wildfly and the Enterprise Platforms.
Are you OK with that?
Cheers,
Vaclav
On 05/27/2013 07:03 AM, David Jorm wrote:
> Hi All
>
> First I should introduce myself for those who don't know me, as I have not
> participated in wildfly dev discussions before. I am a security response engineer working
> for Red Hat, handling security patches for the commercial JBoss products. Recently some
> colleagues and I have been working on a tool called 'victims'. The victims tool
> aims to provide a canonical database of known-vulnerable JAR files, along with tools that
> allow developers and system administrators to determine whether their projects and systems
> contain any known-vulnerable JARs. The project's about page contains a more detailed
> explanation:
>
> http://www.victi.ms/about.html
>
> enforce-victims-rule is a maven plugin that walks the dependency tree at build time,
> and uses the victims database to check whether a project is including any known-vulnerable
> JARs as dependencies. The plugin is available on maven central:
>
> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victi...
>
> Please see the README.md and sample app here for configuration details:
>
> https://github.com/victims/victims-enforcer
>
> I think there would be great value in incorporating this plugin into the wildfly
> POM(s). It can catch security flaws at build time, eliminating the need for much more work
> to ship patches for flaws later down the line. It is also designed such that it should not
> trigger any false positives. There will be false negatives where there are gaps in the
> database.
>
> What do people think? Is this something you'd consider implementing?
>
> Thanks
>
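The thread above describes two things a practitioner would want to see in code: the check itself (fingerprint each dependency JAR, look the fingerprint up in a database of known-vulnerable artifacts) and the failure mode Cheng hit, where the database has no entry for a hash and the rule reports "Could not determine vulnerabilities for hash". The following is an added, self-contained Python sketch of that decision logic; it is not the victims-enforcer code and does not talk to www.victi.ms. It assumes, purely for illustration, that a fingerprint is a plain SHA-512 of the JAR bytes (the real victims service has its own fingerprinting scheme), that the database is a constructed in-memory dict, and that the sample JARs and the advisory label "EXAMPLE-ADVISORY-1" are made up. It also memoises lookups so that a JAR shared by several sub-modules is resolved once, which is the per-module overhead Cheng measured against the live service.

```python
"""Offline sketch of a known-vulnerable-JAR check in the spirit of the
victims enforcer rule discussed in the thread.  Added example, not
project code.  Assumptions (not from the thread): fingerprint = SHA-512
over the JAR bytes; database = constructed in-memory dict."""
import hashlib
import os
import tempfile
import zipfile

# Verdicts for a single JAR.
VULNERABLE = "vulnerable"  # fingerprint matches a known-bad entry
CLEAN = "clean"            # fingerprint is known and carries no advisories
UNKNOWN = "unknown"        # fingerprint absent from the database: the
                           # false-negative case Cheng and David mention


def fingerprint(path):
    """SHA-512 hex digest over the whole file, read in 64 KiB chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_jar(directory, name, entries):
    """Write a minimal JAR (a zip) with {member: bytes} entries.
    Constructed test data, not a real artifact."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, data in entries.items():
            zf.writestr(member, data)
    return path


class LocalVictimsDb:
    """Constructed stand-in for the victims database.

    `known` maps fingerprint -> list of advisory ids (empty list means the
    artifact is known and clean).  Lookups are memoised so a multi-module
    build pays once per distinct hash instead of once per sub-module."""

    def __init__(self, known):
        self.known = dict(known)
        self.cache = {}
        self.lookups = 0  # number of uncached (i.e. "remote") lookups

    def lookup(self, fp):
        if fp not in self.cache:
            self.lookups += 1
            self.cache[fp] = self.known.get(fp)  # None when the DB has a gap
        return self.cache[fp]


def check_jar(db, path):
    """Return (verdict, advisory_list, fingerprint) for one JAR."""
    fp = fingerprint(path)
    advisories = db.lookup(fp)
    if advisories is None:
        # Equivalent of "Could not determine vulnerabilities for hash":
        # no entry at all, so absence of a match is not evidence of safety.
        return UNKNOWN, [], fp
    return (VULNERABLE if advisories else CLEAN), list(advisories), fp


def scan(db, jar_paths):
    """Scan every JAR; returns {basename: (verdict, advisories, fp)}."""
    return {os.path.basename(p): check_jar(db, p) for p in jar_paths}


def build_passes(results, fail_on_unknown=False):
    """Policy: a vulnerable JAR always fails the build; an unknown hash
    fails it only if the caller chooses to treat database gaps as errors
    (the trade-off behind Cheng's 'otherwise successful builds' remark)."""
    for verdict, _, _ in results.values():
        if verdict == VULNERABLE:
            return False
        if verdict == UNKNOWN and fail_on_unknown:
            return False
    return True


def demo():
    """Build three constructed JARs, seed the database with two of them,
    and scan a list in which one JAR appears twice (two sub-modules)."""
    with tempfile.TemporaryDirectory() as d:
        bad = make_jar(d, "lib-old.jar", {"a/B.class": b"\xca\xfe\xba\xbe old"})
        good = make_jar(d, "lib-fixed.jar", {"a/B.class": b"\xca\xfe\xba\xbe new"})
        other = make_jar(d, "util.jar", {"u/C.class": b"\xca\xfe\xba\xbe util"})
        db = LocalVictimsDb({
            fingerprint(bad): ["EXAMPLE-ADVISORY-1"],  # constructed label
            fingerprint(good): [],
        })
        results = scan(db, [bad, good, other, bad])  # `bad` hit twice
        return results, db.lookups


if __name__ == "__main__":
    res, n = demo()
    for name, (verdict, adv, fp) in res.items():
        print(f"{name}: {verdict} {adv} {fp[:16]}...")
    print("uncached lookups:", n, "build passes:", build_passes(res))
```

Run as a script it prints one line per JAR plus the lookup count; the point to notice is that `util.jar` comes back `unknown`, not `clean`, and that whether that should break a build is a policy decision (`fail_on_unknown`) rather than something the scanner can settle on its own.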