[wildfly-dev] Implementing enforce-victims-rule in wildfly builds

Cheng Fang cfang at redhat.com
Tue May 28 22:56:46 EDT 2013


Security vulnerability is a specialized area, and I would avoid 
incurring this overhead on every build run by every developer.  To 
incorporate the victim scanning into upstream project, I would suggest 
having a dedicated Jenkins job, or adding this capability into existing 
Jenkins job.

I tried it on jberet project by adding the plugin to the top-level pom.  
For every sub-module, it tries to get the updates from the central 
server, which lasts a couple seconds each time, and this can add up to 
significant delay:

[INFO] Retrieving updates from http://www.victi.ms/service/...

The possible false negatives (as David mentioned in his original email) 
can also complicate otherwise successful builds.  The following error 
message might have been caused by gaps in the database, though it's not 
clear which dependency it is complaining about.

[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:
Could not determine vulnerabilities for hash: 
8edd1a0bf70467791ec883b7452c21333e829ab714c83090f8328d8205f159f2669772dd66db01af60debd40402e994be7b08527e8f90211425567b52e6b9472

Cheng

On 5/27/13 10:16 AM, Vaclav Tunka wrote:
> Hi,
>
> I think it is a good idea to implement this upstream in wildfly, as this
> tool requires POM modifications. This tool would help us track
> security vulnerabilities proactively rather than retroactively both in
> wildfly and Enterprise Platforms.
>
> Are you OK with that?
>
> Cheers,
> Vaclav
>
> On 05/27/2013 07:03 AM, David Jorm wrote:
>> Hi All
>>
>> First I should introduce myself for those who don't know me, as I have not participated in wildfly dev discussions before. I am a security response engineer working for Red Hat, handling security patches for the commercial JBoss products. Recently some colleagues and I have been working on a tool called 'victims'. The victims tool aims to provide a canonical database of known-vulnerable JAR files, along with tools that allow developers and system administrators to determine whether their projects and systems contain any known-vulnerable JARs. The project's about page contains a more detailed explanation:
>>
>> http://www.victi.ms/about.html
>>
>> enforce-victims-rule is a maven plugin that walks the dependency tree at build time, and uses the victims database to check whether a project is including any known-vulnerable JARs as dependencies. The plugin is available on maven central:
>>
>> http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.2|jar
>>
>> Please see the README.md and sample app here for configuration details:
>>
>> https://github.com/victims/victims-enforcer
>>
>> I think there would be great value in incorporating this plugin into the wildfly POM(s). It can catch security flaws at build time, eliminating the need for much more work to ship patches for flaws later down the line. It is also designed such that it should not trigger any false positives. There will be false negatives where there are gaps in the database.
>>
>> What do people think? Is this something you'd consider implementing?
>>
>> Thanks
>>
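One way to keep the scan off every developer build while still running it from a dedicated CI job, as an added example that is not from the thread or the victims project: put the enforcer rule in a Maven profile that is off unless selected explicitly. The maven-enforcer-plugin coordinates and its `enforce` goal are standard; the `metadata`, `fingerprint` and `updates` rule settings are assumed from the victims-enforcer README and should be checked against the plugin version actually used.

```xml
<!-- Added example (not from the thread): profile is off by default, so
     everyday developer builds skip the victims scan entirely. -->
<profiles>
  <profile>
    <id>victims</id>
    <activation>
      <activeByDefault>false</activeByDefault>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-enforcer-plugin</artifactId>
          <version>1.2</version>
          <dependencies>
            <dependency>
              <!-- rule version is the one linked in the thread -->
              <groupId>com.redhat.victims</groupId>
              <artifactId>enforce-victims-rule</artifactId>
              <version>1.2</version>
            </dependency>
          </dependencies>
          <executions>
            <execution>
              <id>enforce-victims-rule</id>
              <goals>
                <goal>enforce</goal>
              </goals>
              <configuration>
                <rules>
                  <rule implementation="com.redhat.victims.VictimsRule">
                    <!-- Assumed settings (verify against the README):
                         metadata/fingerprint set the severity of a match
                         by POM metadata vs. by JAR hash; updates controls
                         how often the local copy of the database is refreshed -->
                    <metadata>warning</metadata>
                    <fingerprint>fatal</fingerprint>
                    <updates>auto</updates>
                  </rule>
                </rules>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

The Jenkins job then runs `mvn -Pvictims verify`; the rule still executes once per module, so the per-module update fetch Cheng describes is paid only on that job.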
