> Hi All
> First I should introduce myself for those who don't know me, as I have
> not participated in wildfly dev discussions before. I am a security
> response engineer working for Red Hat, handling security patches for the
> commercial JBoss products. Recently some colleagues and I have been
> working on a tool called 'victims'. The victims tool aims to provide a
> canonical database of known-vulnerable JAR files, along with tools that
> allow developers and system administrator to determine whether their
> projects and systems contain any known-vulnerable JARs. The project's
> about page contains a more detailed explanation:
> enforce-victims-rule is a maven plugin that walks the dependency tree at
> build time, and uses the victims database to check whether a project is
> including any known-vulnerable JARs as dependencies. The plugin is
> available on maven central:
> Please see the README.md and sample app here for configuration details:
> I think there would be great value in incorporating this plugin into the
> wildfly POM(s). It can catch security flaws at build time, eliminating
> the need for much more work to ship patches for flaws later down the
> line. It is also designed such that it should not trigger any false
> positives. There will be false negatives where there are gaps in the
> What do people think? Is this something you'd consider implementing?
What is the build time performance impact? Is there a network lookup,
i.e. will it cause a problem on non-network-connected systems (like
laptops for those of us who travel)?
Good questions, my apologies for the delayed response.
I can't give you a good answer yet, we're currently working on some benchmarking
and I will respond to the list once I have useful figures to share.
By default, the plugin synchronizes a local h2 database with the canonical database hosted
on victi.ms. The sync is differential. At the moment, the initial sync is > 50MB and
could take a minute or two. After the initial sync, subsequent syncs will either contain
no new records or very few new records, and will only take a few seconds. Synchronization
can be disabled so long as a local h2 database exists. The README.md here:
Explains how to disable sync in an offline environment.