[wildfly-dev] Implementing enforce-victims-rule in wildfly builds
David M. Lloyd
david.lloyd at redhat.com
Tue May 28 17:19:34 EDT 2013
On Mon, 27 May 2013, David Jorm wrote:
> Hi All
>
> First I should introduce myself for those who don't know me, as I have
> not participated in wildfly dev discussions before. I am a security
> response engineer working for Red Hat, handling security patches for the
> commercial JBoss products. Recently some colleagues and I have been
> working on a tool called 'victims'. The victims tool aims to provide a
> canonical database of known-vulnerable JAR files, along with tools that
> allow developers and system administrators to determine whether their
> projects and systems contain any known-vulnerable JARs. The project's
> about page contains a more detailed explanation:
>
> http://www.victi.ms/about.html
>
> enforce-victims-rule is a maven plugin that walks the dependency tree at
> build time, and uses the victims database to check whether a project is
> including any known-vulnerable JARs as dependencies. The plugin is
> available on maven central:
>
> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
>
> Please see the README.md and sample app here for configuration details:
>
> https://github.com/victims/victims-enforcer
>
> I think there would be great value in incorporating this plugin into the
> wildfly POM(s). It can catch security flaws at build time, eliminating
> the need for much more work to ship patches for flaws later down the
> line. It is also designed such that it should not trigger any false
> positives. There will be false negatives where there are gaps in the
> database.
>
> What do people think? Is this something you'd consider implementing?
What is the build time performance impact? Is there a network lookup,
i.e. will it cause a problem on non-network-connected systems (like
laptops for those of us who travel)?
--
- DML
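As an added illustration of the mechanism the thread is discussing (this is example code written for this page, not code from the victims project, the enforce-victims-rule plugin or either poster), the following Python script fingerprints a set of resolved JARs and matches them against a local database of known-vulnerable fingerprints. The fingerprint scheme (SHA-512 over the JAR's entry names and contents in sorted order) is a simplification chosen so that a re-zipped copy of the same classes still matches; it is not the victims project's exact algorithm. The sample JARs, the `LOCAL_DB` contents and the `CVE-XXXX-XXXX` value are all constructed placeholders. Because the database is an in-process dictionary, the check runs with no network access, which is the property a build on a disconnected laptop would need from a cached copy of the real data.

```python
import hashlib
import io
import zipfile
from typing import Dict, List


def content_fingerprint(jar_bytes: bytes) -> str:
    """SHA-512 over the JAR's entries, taken in sorted name order.

    Hashing entry names and contents rather than the raw archive bytes keeps
    the fingerprint stable when the same classes are re-zipped (different
    entry order, compression level or timestamps). Simplified scheme for
    illustration only; not the victims project's fingerprint algorithm.
    """
    h = hashlib.sha512()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/"):  # skip directory entries
                continue
            h.update(name.encode("utf-8") + b"\0")
            h.update(zf.read(name) + b"\0")
    return h.hexdigest()


def build_jar(entries: Dict[str, bytes],
              compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory JAR (a zip file) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample artifacts; the "class" bytes are stand-ins, not bytecode.
MANIFEST = b"Manifest-Version: 1.0\n"
VULNERABLE_ENTRIES = {
    "META-INF/MANIFEST.MF": MANIFEST,
    "com/example/Parser.class": b"\xca\xfe\xba\xbe vulnerable-parser",
}
FIXED_ENTRIES = {
    "META-INF/MANIFEST.MF": MANIFEST,
    "com/example/Parser.class": b"\xca\xfe\xba\xbe patched-parser",
}
VULNERABLE_JAR = build_jar(VULNERABLE_ENTRIES)
FIXED_JAR = build_jar(FIXED_ENTRIES)
# Same classes as VULNERABLE_JAR, re-zipped in reverse order without compression.
REZIPPED_VULNERABLE_JAR = build_jar(
    dict(reversed(list(VULNERABLE_ENTRIES.items()))), zipfile.ZIP_STORED)

# Constructed local database: fingerprint -> advisory metadata. A real build
# would load this from a locally cached copy of the vulnerability data so the
# check needs no network access. The advisory id is a placeholder.
LOCAL_DB: Dict[str, Dict[str, str]] = {
    content_fingerprint(VULNERABLE_JAR): {
        "artifact": "example-parser-1.0.jar",
        "advisory": "CVE-XXXX-XXXX (placeholder)",
    },
}


def scan_dependencies(jars: Dict[str, bytes],
                      db: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Fingerprint every resolved JAR and report those present in the database.

    Matching is by exact hash: an unmodified vulnerable artifact is always
    flagged and a rebuilt or patched one is not (no false positives), while
    an artifact absent from the database goes unreported (false negative).
    """
    findings = []
    for path, data in jars.items():
        hit = db.get(content_fingerprint(data))
        if hit is not None:
            findings.append({"path": path, **hit})
    return findings


def enforce(jars: Dict[str, bytes], db=LOCAL_DB) -> bool:
    """Return True if the build may proceed, False if any JAR is flagged."""
    findings = scan_dependencies(jars, db)
    for f in findings:
        print(f"KNOWN-VULNERABLE: {f['path']} ({f['artifact']}, {f['advisory']})")
    return not findings


if __name__ == "__main__":
    resolved = {  # constructed paths standing in for a resolved dependency tree
        "repo/com/example/example-parser/1.0/example-parser-1.0.jar": REZIPPED_VULNERABLE_JAR,
        "repo/com/example/example-parser/1.1/example-parser-1.1.jar": FIXED_JAR,
    }
    print("build allowed:", enforce(resolved))
```

Run as a script it flags the 1.0 artifact even though that copy was re-zipped, and passes the patched 1.1 artifact. The exact-match design is what gives the "no false positives, but false negatives where the database has gaps" behaviour described in the original mail.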