>> Hi All
>> First I should introduce myself for those who don't know me, as I have
>> not participated in wildfly dev discussions before. I am a security
>> response engineer working for Red Hat, handling security patches for the
>> commercial JBoss products. Recently some colleagues and I have been
>> working on a tool called 'victims'. The victims tool aims to provide a
>> canonical database of known-vulnerable JAR files, along with tools that
>> allow developers and system administrator to determine whether their
>> projects and systems contain any known-vulnerable JARs. The project's
>> about page contains a more detailed explanation:
>> enforce-victims-rule is a maven plugin that walks the dependency tree at
>> build time, and uses the victims database to check whether a project is
>> including any known-vulnerable JARs as dependencies. The plugin is
>> available on maven central:
>> Please see the README.md and sample app here for configuration details:
>> I think there would be great value in incorporating this plugin into the
>> wildfly POM(s). It can catch security flaws at build time, eliminating
>> the need for much more work to ship patches for flaws later down the
>> line. It is also designed such that it should not trigger any false
>> positives. There will be false negatives where there are gaps in the
>> What do people think? Is this something you'd consider implementing?
> What is the build time performance impact? Is there a network lookup,
> i.e. will it cause a problem on non-network-connected systems (like
> laptops for those of us who travel)?
> - DML
Good questions, my apologies for the delayed response.
Performance impact: I can't give you a good answer yet, we're currently
working on some benchmarking and I will respond to the list once I have
useful figures to share.
Network lookup: By default, the plugin synchronizes a local h2 database
with the canonical database hosted on victi.ms. The sync is
differential. At the moment, the initial sync is > 50MB and could take a
minute or two.
50MB? Holy meatballs... is that a simple text listing of compromised
GAVs? If so, that is truly terrifying.
After the initial sync, subsequent syncs will either
contain no new records or very few new records, and will only take a few
seconds. Synchronization can be disabled so long as a local h2 database
exists. The README.md here:
Explains how to disable sync in an offline environment.