[jbosstools-issues] [JBoss JIRA] (JBDS-4237) Generate CVE vulnerability report for devstudio

Nick Boldt (JIRA) issues at jboss.org
Tue Jan 10 19:08:00 EST 2017 

    [ https://issues.jboss.org/browse/JBDS-4237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13345793#comment-13345793 ] 

Nick Boldt commented on JBDS-4237:
----------------------------------

Have split the reporting into 6 files (devstudio, central, earlyaccess, and 3x target platforms) and have generated reports & analysis.

Build is set to yellow (UNSTABLE) because there are 2,112 warnings (539 of them HIGH priority). 

Here's the latest report [1].

And here's a trend chart, which can track how we get better/worse at this, on the bottom of the job's main page [2]:

 !Screenshot_2017-01-10_18-58-03.png|thumbnail! 

[1] https://dev-platform-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/All/job/devstudio.cve.report/lastBuild/dependency-check-jenkins-pluginResult/
[2] https://dev-platform-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/All/job/devstudio.cve.report

[~jeffmaury] What would you like to do about these CVE vulnerabilities? Should we pick some of the HIGH priority ones and try to get them fixed in jbosstools or at eclipse / in Orbit?


> Generate CVE vulnerability report for devstudio
> -----------------------------------------------
>
>                 Key: JBDS-4237
>                 URL: https://issues.jboss.org/browse/JBDS-4237
>             Project: Red Hat JBoss Developer Studio (devstudio)
>          Issue Type: Bug
>          Components: build, versionwatch
>    Affects Versions: 10.3.0.AM1
>            Reporter: Nick Boldt
>            Assignee: Nick Boldt
>             Fix For: 10.3.0.AM1
>
>         Attachments: Screenshot_2017-01-10_18-58-03.png
>
>
> 0. download http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.4.4-release.zip
> 1. download latest CI build update site zip, target platform zip, central zip, etc.
> 2. unpack update site zips
> 3. unpack dep-check zip
> 4. generate CVE report for each fetched zip:
> {code}
> ./dependency-check.sh --disableAssembly -s /path/to/update-site/plugins/ --project devstudio_check -o WORKSPACE/path/to/report/folder/
> {code}
> Could also use https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin for better reporting and maybe even enable this on every project job (once moved to CCI Jenkins). 



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jbosstools-issues mailing list