[wildfly-dev] Implementing enforce-victims-rule in wildfly builds

Jason Greene jgreene at redhat.com
Mon May 27 18:34:43 EDT 2013


Right, I agree this is the right place to use it.

On May 27, 2013, at 9:16 AM, Vaclav Tunka <vtunka at redhat.com> wrote:

> Hi,
> 
> I think it is a good idea to implement this upstream in wildfly, as this 
> tool requires POM modifications. This tool would help us track 
> security vulnerabilities proactively rather than retroactively, both in 
> wildfly and in the Enterprise Platforms.
> 
> Are you OK with that?
> 
> Cheers,
> Vaclav
> 
> On 05/27/2013 07:03 AM, David Jorm wrote:
>> Hi All
>> 
>> First I should introduce myself for those who don't know me, as I have not participated in wildfly dev discussions before. I am a security response engineer working for Red Hat, handling security patches for the commercial JBoss products. Recently some colleagues and I have been working on a tool called 'victims'. The victims tool aims to provide a canonical database of known-vulnerable JAR files, along with tools that allow developers and system administrators to determine whether their projects and systems contain any known-vulnerable JARs. The project's about page contains a more detailed explanation:
>> 
>> http://www.victi.ms/about.html
>> 
>> enforce-victims-rule is a maven plugin that walks the dependency tree at build time, and uses the victims database to check whether a project is including any known-vulnerable JARs as dependencies. The plugin is available on maven central:
>> 
>> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
>> 
>> Please see the README.md and sample app here for configuration details:
>> 
>> https://github.com/victims/victims-enforcer
>> 
>> I think there would be great value in incorporating this plugin into the wildfly POM(s). It can catch security flaws at build time, eliminating the need for much more work to ship patches for flaws later down the line. It is also designed such that it should not trigger any false positives. There will be false negatives where there are gaps in the database.
>> 
>> What do people think? Is this something you'd consider implementing?
>> 
>> Thanks
> 
> -- 
> Vaclav Tunka
> Enterprise Application Platforms
> JBoss by Red Hat
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
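
An added illustration of the build-time check David describes, written for this archive page and not code from victims, enforce-victims-rule or the wildfly build: a scanner hashes each dependency archive and each .class entry inside it, looks the digests up in a known-vulnerable database, and fails the build on a match. The database format and matching rules of the real tool are not shown in the thread, so whole-archive SHA-512 plus per-class SHA-512 fingerprints are used here as a stand-in; the JARs, Maven coordinates and advisory id are constructed sample data (the id is hypothetical, not a real CVE).

```python
import hashlib
import io
import zipfile

# Fixed zip timestamps so the constructed archives hash the same on every run.
FIXED_TIME = (2013, 5, 27, 0, 0, 0)


def make_jar(entries):
    """Build a tiny in-memory zip standing in for a JAR. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), payload)
    return buf.getvalue()


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


def class_fingerprints(jar_bytes):
    """SHA-512 of every .class entry; lets a relocated (shaded) copy still match."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {sha512_hex(zf.read(n)) for n in zf.namelist() if n.endswith(".class")}


# Constructed class payloads: the "vulnerable" and "patched" builds of one class.
VULN_CLASS = b"\xca\xfe\xba\xbe vulnerable Parser v1.0"
FIXED_CLASS = b"\xca\xfe\xba\xbe patched Parser v1.1"

MANIFEST = b"Manifest-Version: 1.0\n"
VULN_JAR = make_jar({"META-INF/MANIFEST.MF": MANIFEST, "org/acme/Parser.class": VULN_CLASS})
FIXED_JAR = make_jar({"META-INF/MANIFEST.MF": MANIFEST, "org/acme/Parser.class": FIXED_CLASS})
# A shaded copy: same vulnerable class relocated into another package, different manifest,
# so the whole-archive hash differs but the class fingerprint does not.
SHADED_JAR = make_jar({"META-INF/MANIFEST.MF": MANIFEST + b"Shaded: true\n",
                       "shaded/org/acme/Parser.class": VULN_CLASS})

# Stand-in for the vulnerable-JAR database: one record per known-bad artifact.
# "EXAMPLE-2013-0001" is a hypothetical advisory id used only for this illustration.
DATABASE = [{
    "id": "EXAMPLE-2013-0001",
    "artifact": "org.acme:parser:1.0",
    "archive_sha512": sha512_hex(VULN_JAR),
    "class_sha512": class_fingerprints(VULN_JAR),
}]


def scan(dependencies, database):
    """Walk the resolved dependencies and return (coords, advisory id, match kind)
    for every artifact whose archive or class digests appear in the database.
    dependencies: list of (maven coordinates, jar bytes)."""
    findings = []
    for coords, jar in dependencies:
        digest = sha512_hex(jar)
        classes = class_fingerprints(jar)
        for rec in database:
            if digest == rec["archive_sha512"]:
                findings.append((coords, rec["id"], "archive"))
            elif classes & rec["class_sha512"]:
                findings.append((coords, rec["id"], "fingerprint"))
    return findings


def enforce(findings, fatal_on=("archive", "fingerprint")):
    """Build-time gate: raise if any finding's match kind is configured as fatal."""
    fatal = [f for f in findings if f[2] in fatal_on]
    if fatal:
        detail = ", ".join(f"{coords} ({adv}, {kind} match)" for coords, adv, kind in fatal)
        raise RuntimeError("known-vulnerable dependencies found: " + detail)
    return True


# Constructed dependency tree as a build would resolve it.
DEPENDENCIES = [
    ("org.acme:parser:1.0", VULN_JAR),           # exact archive match -> fatal
    ("org.acme:parser:1.1", FIXED_JAR),          # patched build, no match
    ("com.example:app-shaded:2.0", SHADED_JAR),  # relocated copy, caught by class fingerprint
]

if __name__ == "__main__":
    for finding in scan(DEPENDENCIES, DATABASE):
        print(finding)
    enforce(scan(DEPENDENCIES, DATABASE))
```

Exact digest matching is why the check produces no false positives: the patched 1.1 archive hashes differently and passes. The false negatives David mentions follow from the same design, since any vulnerable artifact absent from the database passes silently, so the value of the gate tracks the coverage of the database rather than the cleverness of the matcher.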
