>> Hi All
>>
>> First I should introduce myself for those who don't know me, as I have
>> not participated in wildfly dev discussions before. I am a security
>> response engineer working for Red Hat, handling security patches for the
>> commercial JBoss products. Recently some colleagues and I have been
>> working on a tool called 'victims'. The victims tool aims to provide a
>> canonical database of known-vulnerable JAR files, along with tools that
>> allow developers and system administrators to determine whether their
>> projects and systems contain any known-vulnerable JARs. The project's
>> about page contains a more detailed explanation:
>>
>> http://www.victi.ms/about.html
>>
>> enforce-victims-rule is a maven plugin that walks the dependency tree at
>> build time, and uses the victims database to check whether a project is
>> including any known-vulnerable JARs as dependencies. The plugin is
>> available on maven central:
>>
>> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victi...
>>
>> Please see the README.md and sample app here for configuration details:
>>
>> https://github.com/victims/victims-enforcer
>>
>> I think there would be great value in incorporating this plugin into the
>> wildfly POM(s). It can catch security flaws at build time, eliminating
>> the need for much more work to ship patches for flaws later down the
>> line. It is also designed such that it should not trigger any false
>> positives. There will be false negatives where there are gaps in the
>> database.
>>
>> What do people think? Is this something you'd consider implementing?
>
> What is the build time performance impact? Is there a network lookup,
> i.e. will it cause a problem on non-network-connected systems (like
> laptops for those of us who travel)?
>
> --
> - DML
>
Good questions, my apologies for the delayed response.
Performance impact: I can't give you a good answer yet, we're currently
working on some benchmarking and I will respond to the list once I have
useful figures to share.
Network lookup: By default, the plugin synchronizes a local h2 database
with the canonical database hosted on victi.ms. The sync is
differential. At the moment, the initial sync is > 50MB and could take a
minute or two.
50MB? Holy meatballs... is that a simple text listing of compromised
GAVs? If so, that is truly terrifying.
After the initial sync, subsequent syncs will either
contain no new records or very few new records, and will only take a few
seconds. Synchronization can be disabled so long as a local h2 database
exists. The README.md here:
https://github.com/victims/victims-enforcer/tree/master/sample
explains how to disable sync in an offline environment.
Thanks
David
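The mechanics discussed in this thread (a build-time walk of the dependency tree, a local database that is synchronized differentially from a canonical remote copy, an offline mode that only works once a local copy exists, and matching that avoids false positives) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not the victims project's own code and does not use its database format or API. Everything in it is constructed: the record layout, the sequence-number watermark used for the differential sync, the CVE-style identifiers (placeholders), and the JAR contents. Matching is done on a content fingerprint (SHA-512 of the JAR bytes) rather than on the group:artifact:version string, which is what lets a repackaged copy of a vulnerable JAR be caught while a fixed version of the same artifact is not flagged.

```python
"""Toy model of a build-time known-vulnerable-JAR check (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class VulnRecord:
    gav: str      # group:artifact:version the record was filed under
    sha512: str   # fingerprint of the JAR content; this is what matching uses
    cve: str      # constructed placeholder identifier, not a real advisory
    seq: int      # monotonically increasing id; basis for the differential sync


@dataclass
class LocalDb:
    by_hash: Dict[str, VulnRecord] = field(default_factory=dict)
    last_seq: int = 0  # highest record id already pulled from the remote


def fingerprint(jar_bytes: bytes) -> str:
    return hashlib.sha512(jar_bytes).hexdigest()


def sync(local: LocalDb, remote: List[VulnRecord], offline: bool = False) -> int:
    """Pull only records newer than the local watermark; return how many were added.
    With sync disabled (offline=True) the check may run only if a local db exists."""
    if offline:
        if not local.by_hash:
            raise RuntimeError("sync disabled and no local database present")
        return 0
    new = [r for r in remote if r.seq > local.last_seq]
    for r in new:
        local.by_hash[r.sha512] = r
        local.last_seq = max(local.last_seq, r.seq)
    return len(new)


def walk(deps: List[dict]) -> Iterator[Tuple[str, bytes]]:
    """Depth-first walk of a dependency tree; each node is {'gav', 'jar', 'deps'}."""
    for node in deps:
        yield node["gav"], node["jar"]
        yield from walk(node.get("deps", []))


def check(local: LocalDb, deps: List[dict]) -> List[Tuple[str, str]]:
    """Return (gav, cve) for every dependency whose content fingerprint is known-vulnerable."""
    hits = []
    for gav, jar in walk(deps):
        rec = local.by_hash.get(fingerprint(jar))
        if rec is not None:
            hits.append((gav, rec.cve))
    return hits


# --- constructed sample data: stand-ins for JAR bytes and remote database states ---
VULNERABLE_JAR = b"widget-1.0 contents"
FIXED_JAR = b"widget-1.1 contents"

REMOTE_V1 = [
    VulnRecord("org.example:widget:1.0", fingerprint(VULNERABLE_JAR), "CVE-0000-0001", seq=1),
    VulnRecord("org.example:other:2.3", fingerprint(b"other-2.3 contents"), "CVE-0000-0002", seq=2),
]
# the canonical database after one more record was published
REMOTE_V2 = REMOTE_V1 + [
    VulnRecord("org.example:third:0.9", fingerprint(b"third-0.9 contents"), "CVE-0000-0003", seq=3),
]

PROJECT_DEPS = [
    {"gav": "org.example:widget:1.1", "jar": FIXED_JAR, "deps": [
        # transitive dependency: the vulnerable 1.0 bytes repackaged under another name
        {"gav": "org.example:widget-shaded:1.0", "jar": VULNERABLE_JAR},
    ]},
    {"gav": "org.example:widget:1.0", "jar": VULNERABLE_JAR},
]


def demo() -> Tuple[int, int, int, int, List[Tuple[str, str]]]:
    """Initial sync, a no-op re-sync, a differential sync, an offline run, then the check."""
    db = LocalDb()
    first = sync(db, REMOTE_V1)                 # pulls everything: 2 records
    again = sync(db, REMOTE_V1)                 # nothing newer than the watermark: 0
    delta = sync(db, REMOTE_V2)                 # only the new record crosses the wire: 1
    offline = sync(db, REMOTE_V2, offline=True)  # allowed because a local db exists: 0
    return first, again, delta, offline, check(db, PROJECT_DEPS)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the sync counts and two hits: the direct widget:1.0 dependency and the shaded copy buried one level down. widget:1.1 is silent because its bytes hash to something the database has never seen, which is the property the original post relies on when it says the plugin should not produce false positives; the flip side, also stated there, is that anything absent from the database goes undetected.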