[wildfly-dev] Implementing enforce-victims-rule in wildfly builds
David Jorm
djorm at redhat.com
Mon May 27 01:03:47 EDT 2013
Hi All
First I should introduce myself for those who don't know me, as I have not participated in wildfly dev discussions before. I am a security response engineer working for Red Hat, handling security patches for the commercial JBoss products. Recently some colleagues and I have been working on a tool called 'victims'. The victims tool aims to provide a canonical database of known-vulnerable JAR files, along with tools that allow developers and system administrators to determine whether their projects and systems contain any known-vulnerable JARs. The project's about page contains a more detailed explanation:
http://www.victi.ms/about.html
enforce-victims-rule is a maven plugin that walks the dependency tree at build time, and uses the victims database to check whether a project is including any known-vulnerable JARs as dependencies. The plugin is available on maven central:
http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
Please see the README.md and sample app here for configuration details:
https://github.com/victims/victims-enforcer
I think there would be great value in incorporating this plugin into the wildfly POM(s). It can catch security flaws at build time, eliminating the need for much more work to ship patches for flaws later down the line. It is also designed such that it should not trigger any false positives. There will be false negatives where there are gaps in the database.
What do people think? Is this something you'd consider implementing?
Thanks
--
David Jorm / Red Hat Security Response Team